Is cyber resilience the new ESG?
Andrea Bonime-Blanc and Maya Bundt say there is currently no way of gauging the cyber resilience of organisations, suppliers or service providers, because no information about it is made available. This has to change.
What is the dark side of digitalisation? Cyber risk
What do you need to combat cyber risk? Cyber resilience
How do you know who is cyber resilient? You don’t
The current global coronavirus situation is showing us with great clarity how important cyber resilience is in times of crisis. However, when people need to make decisions like 'do I want to invest in that stock?', 'do I want to select this company as a supplier?' or 'do I want to buy that service?' they have no way of gauging the cyber resilience of those entities since there is no information available. More details can be found in our white paper Cyber Resilience “ESG” Reporting: Transparency Imperative or Security Nightmare? (see below for link).
Our definition of cyber-resilience is as follows:
"Cyber resilience is an organisation's ability to sustainably maintain, build and deliver intended business outcomes despite adverse cyber events. Organisational practices to achieve and maintain cyber resilience must be comprehensive and customised to the whole organisation (for example, including the supply chain). They need to include a formal and properly resourced information security programme, team and governance that are effectively integrated with the organisation’s risk, crisis, business continuity, and education programmes."
Creating transparency on the cyber resilience of companies is important, and we are not alone in thinking this. When we conducted interviews with over 20 executives from a variety of different industries we found majority agreement among this very diverse group on the following:
Cyber resilience is a key factor that enables sustainable earnings
Currently, there is not enough transparency about cyber resilience of companies
Reporting on cyber resilience would be beneficial for both the interested public as well as for the company itself
The first two points do not really come as a surprise, since they confirm our original hypotheses that cyber resilience is incredibly important in today's digitalised and hyperconnected world, and that transparency is lacking.
But the third point, that cyber resilience reporting could be beneficial to the reporting company itself, needs elaboration. Would the main benefits not more likely accrue to external stakeholders?
The answer is more complex. Several factors contribute to the notion that cyber resilience reporting is beneficial to the company (or any other type of organisation, for that matter). First, management would be able to show the outside world that they are prepared, that they follow best practices and that they take the topic seriously. This can be a source of trust for stakeholders and ultimately lead to value creation and a competitive advantage.
Additionally, developing a common language for internal stakeholders to talk about cyber risk and resilience would allow for the creation of a more resilient and robust cyber security culture and lay down a better foundation for informed cyber decision-making.
We believe you can compare the situation to what happened with environmental, social and governance (ESG) reporting over the past 20 years. Reporting on ESG issues has become a 'must have' for companies, not only as a source of information for their stakeholders, but also as an opportunity for companies to build out their reputation as a mindful and risk-aware entity.
The important point here is: stakeholders expect transparency on ESG issues and risks in order to make informed decisions. We can expect the same to catch on sooner rather than later for cyber resilience.
Some raise the concern of 'too much transparency', and this is a vital topic.
While we believe that cyber resilience reporting would help overall maturity in this field, something that is beneficial to business, society and national security, we need to sound a note of caution.
Cyber security is clearly a delicate area: the threat landscape moves fast, with new threat actors, attack vectors and vulnerabilities appearing every day, everywhere. Reporting on cyber resilience therefore needs to be done with great care and a lot of thought, so that companies do not end up disclosing their own weaknesses in a form that well-informed attackers can misuse. The aim is to report on the maturity of the organisation's practices, not to publish a map of its exposures.
The next step would be to develop a set of well-thought-through, meaningful metrics that do not endanger the reporting company.
We must also not forget that such an agreed-upon framework would be necessary to eliminate confusion and to prevent those that are merely cyber-adequate from 'cyber-washing', to coin a term.
We can summarise the pros and cons of cyber resilience reporting as follows:
We believe that in this age of serious – and even existential – risk, thoughtfully implemented cyber resilience reporting would be an important addition to combating corporate cyber fragility and improving overall resilience. It might also have tangential benefits in other aspects of life, society, nationally and internationally, as people and entities think about cyber resilience not as a remote topic, but as second nature to surviving in our complex world.
In the not too distant future, any cyber resilience questions we may have about a company will likely be answered with: “Look it up in our annual report!”
The White Paper on Cyber Resilience ‘ESG’ Reporting by Maya Bundt, Head Cyber & Digital Solutions, and Andrea Bonime-Blanc, Founder and CEO of GEC Risk Advisory, can be downloaded here