Climate change, products and services with a low or neutral carbon footprint, responsible use of natural resources, anti-corruption, relations with communities and a focus on diversity and inclusion are some of the topics at the forefront of discussions around ESG, and of interest to investors and the boards of directors of major companies. But there is another front that is gaining importance and, as it should, becoming a priority at the heart of this agenda: cybersecurity.
The World Economic Forum itself holds that cybersecurity is clearly an environmental, social and governance issue, and states that companies need to start looking at this topic as part of ESG. According to the organization’s disclosure in March of this year, “Internet risks are the most immediate and financially material sustainability risks that organizations face today. Those who do not implement good cybersecurity governance using appropriate tools and metrics will be less resilient and less sustainable.”
In January 2022, the same forum published its first report on the topic, “Global Cyber Security Outlook,” which reinforces the need to align cybersecurity and business. But the truth is that we are still on a journey: one of the findings of the report is the mismatch between the areas responsible for managing risk and the cyber area. While nearly 92% of entrepreneurs say cyber resilience is part of their enterprise risk management strategies, only 55% of cybersecurity leaders agree. These differing perceptions may actually be a reflection of conflicting priorities and policy incoherence in organizations.
It is important to look at the tactical and strategic position of the cybersecurity area and its leadership in the corporate organizational structure. The good news is that we are seeing more and more discussion about the position of information security and cybersecurity in companies, with a scope that goes beyond information technology (IT) and places more emphasis on business risk.
The point is that prioritizing security and investing in protection, detection and response measures must be a reality. A survey conducted by Ernst & Young last year (“How Covid-19 affects future investment in security and privacy”), which surveyed more than 130 companies around the world, found that unlawful attacks on corporate technology systems increased nearly 300% during the Covid-19 pandemic. And this is likely to continue if management is inadequate. After all, in parallel with the search for innovation and increased digitization by companies, which leads to many positive changes, there is also greater exposure to risks and threats.
There is no point in evolving with technology and innovation if the culture of cybersecurity does not go hand in hand: cyber risk must be integrated into the corporate ESG agenda and critical goals, and be part of the agenda of corporate boards. If neglected, it can have profound effects on the business. We are not just talking about information technology (IT), or about effects on the immediate interests of organizations, with impacts on financial results, the exposure of business secrets and reputation with clients, which, in and of itself, would be sufficient to make it a priority.
We are also talking about how it can affect society more broadly, whether through data leaks or even by affecting a country’s basic infrastructure. That’s what happened about a year ago with Colonial Pipeline, a pipeline company responsible for about 45% of fuel transportation on the US East Coast, which ceased all operations due to a cyberattack. The “accident” prompted the US government to declare a state of emergency and, in effect, went beyond the financial and operational impact on the company itself. One direct result was higher gasoline prices and long lines at many stations on the East Coast of the United States.
It is necessary to understand that, today, there is no business continuity and no ESG without data protection and information security. Cybersecurity is more than just a competitive differentiating factor; it is a fact and a necessity in the corporate world as well as for society.
* Fernando Madureira is Head of Information and Cyber Security (CISO) at Cosan Group.