
In a digital world cyber is an Environmental, Social and Governance (ESG) risk

In an increasingly digital world, managing cyber and information risk is part of being a sustainable and responsible organisation.

We live in a digital world and cyber resilience is a top concern for society. It is increasingly being thought of as an ESG (Environment, Social and Governance) issue. This is positive because cyber risk and resilience will be under greater scrutiny from internal and external stakeholders.

The organisations that truly understand their cyber strengths and weaknesses are better placed to manage the risk, and maximise the benefit from traditional insurance or a captive.

We live in a time when the physical and digital worlds cannot be separated, and technology is ever-present in our work and personal lives. An outage at a web services company can stop vacuum cleaners and doorbells from working [1]. The governance of cities anywhere in the world can be disrupted [2]. A recent ITV investigation [3] claimed vital public services in the UK are at risk of disruption and data loss due to lack of investment in cyber protections.

The volume of data we create is growing and is predicted to grow exponentially [4]. Most data is stored by organisations, and increasingly it will be created by devices connected to the internet. How we make use of data is also changing. Advanced analytic tools such as machine learning open new ways to use data that were previously impossible.

This trend will continue and create opportunities and risks for us all. Organisations that care about using technology and data in a responsible and sustainable way should be treating cyber and data as an ESG issue.

What is ESG?

ESG reporting exists to measure the non-financial elements of an organisation’s performance. Cyber is relevant to ESG because consumers and businesses increasingly expect goods and services to be available on demand when they need them.

They also expect their data to be protected. As part of Zurich’s ESG framework we consider trust in a digital society to be a key pillar of being a sustainable, responsible, and impactful organisation.

Cyber is an ESG issue in part because we all rely on physical and digital infrastructure, and data, to support the movement of critical goods and services.

Agri-food, healthcare, energy and financial networks all rely on physical and digital infrastructure. Everyone in society has an interest in this infrastructure being managed effectively and sustainably to reduce the likelihood or impact of disruptions. Infrastructure can only be sustainable if it is resilient to risk. There is no sustainability without resilience. 

Managing cyber risk

Cyber security is a growing ESG risk [5] as the frequency and impact of cyber risk events increases. However, many organisations do not yet include cyber resilience as part of their ESG reporting.

Too often organisations still lack basic cyber hygiene. In part this is because cyber risk is seen as an IT department problem, regular and systematic risk assessments are not done, and top management do not oversee it properly. The scrutiny of ESG reporting will help to change that.

Cyber insurance is also important, but it is just one element of an effective cyber resilience framework. Good practice in this area also includes:

  • Having a named senior executive lead for cyber risk and resilience
  • Board and top management oversight of the cyber risk assessment and control framework, and the status of key risk controls
  • Agreeing a clear statement of data ethics to govern how data is and is not used in the organisation
  • A clear statement of the organisation’s cyber risk posture, including data ethics and protection
  • An information security policy
  • Regular executive level reporting on the number, type, and impact of cyber risk events
  • Training and awareness raising activity among employees
  • Reporting on cyber and information risk as part of the ESG framework
  • Focus on proactive cyber resilience not just cyber security
  • A cyber insurance programme that supports the specific risks of the organisation

The role of captive insurance

A captive can also be considered a positive factor in an organisation’s ESG reporting. It demonstrates a clear commitment to risk management as it provides a centralised framework and strategic lens to longer-term risk concerns.

The captive can also work with its parent to analyse and understand the unique risks it faces, and fund risk improvements through surpluses. Once risks have been identified and analysed, the captive can insure the risks that cannot be eliminated or managed. The outcome is a fit-for-purpose insurance programme that is tailored to provide cover that responds in a meaningful way to the specific risks of the parent organisation.

If reinsurance is required, typically reinsurers are much more open to providing cover where the organisation can demonstrate a thorough understanding of its cyber risk.

Captive regulators will also expect the captive to fully understand the risks it is taking on, as large exposures may materially impact the ability of a captive to meet its obligations to the parent across its whole insurance portfolio.

By giving due consideration to these concerns, a captive will ensure that it is not only fulfilling its own ESG obligations, but also contributing to the parent's wider ESG reporting and strategy, safeguarding the trust placed in it by its customers and wider society.

Summary

Managing cyber and data sustainably will become an ESG issue for more organisations. The digital and physical worlds rely on each other, and digital disruptions have real-world effects on people, places, and the planet. The organisations that take advantage of the opportunities in the digital world must be sustainable and resilient. Too many organisations still lack basic cyber hygiene. To retain the confidence of internal and external stakeholders in the digital world, organisations must have a robust cyber resilience framework, including risk transfer.

How can Zurich Resilience Solutions help?

For further information contact zrs.enquiries@uk.zurich.com, or find out more about Zurich Resilience Solutions or Captive Services.
