Introduction
If you were asked to think about the impact of cyber incidents within business contexts, your first thoughts would likely (and naturally) be centred around the impacts on businesses themselves. You might think about the collapse of IT systems and operational shutdown, or in the case of cyberattacks you might think about commercial data being stolen, staff being locked out of systems, and companies taking sudden financial hits by agreeing to pay off attackers for the sake of ease.
Your second thought might be regarding customer data, and the fact that this can be stolen and then sold on in the event of a cyberattack, or the fact that important customer data (e.g. health data) could be lost if systems fail and inadequate backups are in place. These are just two examples of why companies’ exposure to cyber-related risks, and their risk mitigation practices, are often considered as part of ESG integration.
But what about beyond this?
With businesses now underpinning our economies and infrastructure, the effects of cyber incidents can easily ripple through to wider society. Cyber-related risks are not just business risks, and the potential impact of incidents on stakeholders extends well beyond the loss of personal data.
Social Impacts of Cyber Incidents
When it comes to the social impacts of cyber incidents, you needn’t look too far from a business itself to identify a group of stakeholders that can be affected. If a company is forced to close, or even just take a major financial hit, employees can face cutbacks in benefits, or even job losses.
This is not just a hypothetical scenario. A 2024 report by Data Health Check suggested that 37% of cyberattacks resulted in job losses among the companies surveyed, with the fallout from attacks making redundancies a financial necessity for some. More recently, the BBC reported how a weak employee password at KNP (a transport company operating from Northamptonshire) allowed hackers to gain entry to the company’s systems. The company was forced to cease operations as a result, leading to 700 job losses. A single guessable password being enough to bring down a business is itself telling: it points to an absence of the layered controls (such as multi-factor authentication and tested backups) that should stand between one weak credential and total shutdown.
Cyber incidents can also impact much wider groups of stakeholders, be it locally, nationally, or even internationally. In some cases, responsibility for providing certain goods has always fallen on businesses (take the humble cobbler or the local pub), but in our modern world, large private companies are now often responsible for the provision of highly complex critical infrastructure and services, and protecting a business’s ability to operate and provide these services is no longer just a case of locking the doors.
Supermarkets and the supply of food is a perfect example of this. Long-gone are the days of consumers relying on small, local businesses for their groceries, and now large numbers of people depend on supermarkets for their necessities. As such, any major disruptions to their operations can impact communities (especially in locations where choice is limited), and not just a company’s bottom line.
This was illustrated perfectly following the cyberattack faced by the Co-op earlier this year. As reported by the BBC, disruption to the Co-op’s supply chains resulted in empty shelves in stores located in Scotland’s island communities. While perhaps not a life-or-death situation, it doesn’t take a leap of imagination to see how a similar situation could play out if, say, a supplier of vital medical supplies were rendered unable to operate and ship supplies to similarly isolated locations.
Role of Investors
As discussed, cyber-related risks are not just business risks - inadequate risk mitigation can result in stakeholders and society at large being impacted, and not just companies themselves. Surely, then, there are solid grounds to argue that responsible investors should aim to use their stewardship and market signalling powers to encourage improvements in cybersecurity measures.
But what criteria can investors use when assessing corporate cybersecurity measures?
Governance
The success of organisational systems and functions often depends on underpinning governance. The establishment of responsibility and clear accountability is vital for ensuring effective decision-making and preventing negligence, and this is true of cybersecurity controls as much as it is for other systems found within business settings.
When it comes to assessing cybersecurity governance, investors may wish to consider, for example, whether:
Oversight of cybersecurity efforts reaches Board level. When cyber risk is a standing item for the Board, with a named director or committee accountable for it, the management of cybersecurity is subject to the very highest level of oversight and accountability, rather than being treated as a purely technical matter delegated to the IT function.
A dedicated cybersecurity committee/team is in place. In companies where cybersecurity-related risks are high, the establishment of a standalone function is not only justified, but can ensure that adequate resources (including time, money, and expertise) are directed towards the management of cyber risks.
Assessment and management of cyber-related risks are integrated within overall risk-management frameworks. This is to ensure cyber risks are not considered in a silo, and potential vulnerabilities deriving from other risks (e.g. HR risks such as inadequate training, and physical risks from geopolitical and climate events) are not overlooked.
Risk Assessment
Before risks can be managed, they must first be identified, and then assessed to determine if they are material. When evaluating how companies approach cyber risk assessment, investors may wish to determine if their assessment processes consider:
The type of cyber-related risks that are faced. Assessing the risk of cyberattacks is important (be they state-sponsored cyberattacks or actions of cybercriminals), but risks from other causes (such as system failure) should also be assessed. Cybersecurity is about more than fending off would-be hackers.
Where vulnerabilities are. Vulnerability to system failures, for example, may derive from inadequate hardware capacity or a lack of technical expertise within the business, while vulnerability to cyberattacks may result from unpatched or outdated systems and security controls, weak authentication, or a lack of encryption.
External stakeholders. Risk assessment can go beyond the consideration of business risks, and can also consider risks to others. By doing this, companies are more likely to address risks which could have otherwise been overlooked, such as risks not significant to the business but significant to stakeholders. They are also more likely to prioritise the management of risks with the potential to have the greatest impact on stakeholders, and those which may impact the most vulnerable stakeholders.
Controls and Technical Measures
Once material risks have been identified, companies must implement controls and procedures to adequately mitigate these. There are numerous measures and protocols that companies can deploy to do this, such as:
Information security management systems. As we previously outlined in relation to environmental management, formal management systems are a valuable indicator when assessing company efforts to mitigate risks and impacts. The value of such systems derives from their formality, and the fact that companies can have their systems certified to external standards by independent third parties. In terms of cyber, the ISO/IEC 27001 standard for information security management is a well-regarded, and widely adopted, example. One caveat: an ISO/IEC 27001 certificate covers a defined scope, so investors should check that the scope actually includes the systems and business units that matter, rather than a single office or a peripheral service.
Penetration testing. When it comes to preparing for cyberattacks, an effective way of identifying actual vulnerabilities in systems, as opposed to purely theoretical ones, is to run simulations. Penetration testing gives companies the opportunity to see how a real cyberattack could play out, determine how easily their systems could be breached, where they could be breached, and how well any countermeasures work in practice. A penetration test is, however, a point-in-time exercise limited to the agreed scope, so the more telling indicators are whether testing is repeated regularly and whether the findings are tracked through to remediation and retested.
Incident response plans. While companies can do as much as possible to mitigate cyber-related risks, there always remains some chance of incidents occurring, and planning for such eventualities is therefore advisable. By establishing clear protocols for when cyber incidents occur, and exercising them (for example through tabletop exercises) so that the people involved know their roles before a real incident, companies are more likely to resolve incidents quickly and effectively, and to limit the impact on the business and its stakeholders.
Final Thoughts
As responsible investors, it is our responsibility to encourage companies to strive towards improvements in their practices for the benefit of stakeholders. We often think about this in regard to the way they approach environmental impacts, or human rights in their supply chains, and as a result we can be blind to other risks. Numerous areas of corporate practice have the potential to negatively impact various stakeholders, especially when something goes wrong, and cybersecurity is no exception.