Governments around the world have awakened to the dangers of unregulated activities that can damage the environment and society at large. The modern world faces environmental challenges on an unprecedented scale. Deforestation, pollution, climate change, water scarcity, waste management and loss of biodiversity are some of the more visible results of environmental abuse. The hidden costs include irreversible damage to nature, food chain contamination, illness (e.g., cancer, arsenic poisoning, chronic obstructive pulmonary disease [COPD]), increasingly catastrophic natural disasters and death.
Environmental, social and corporate governance (ESG) arose from a need for a strategic framework leaders could use to measure and address the environmental impact of an organization’s activities. Measurements can range from carbon footprints, waste output and sustainability to social impact, inclusivity, diversity, and the growth of communities in which an organization operates. Sustainability can include cybersecurity and cyberresilience, as unstable organizations have a ripple effect on the economy.
In recent years, cybersecurity has been mentioned more in public welfare discussions because of the tremendous impact that cyberattacks can have on the environment, society, and the governance of large organizations. Large-scale cyberattacks are threats to the economy; therefore, critical infrastructure organizations must pay attention to their cybersecurity posture. Cybersecurity is a critical element of ESG and can be used to measure the maturity of the governance of an organization; thus, cybersecurity must be added to the ESG reporting framework. Resilience depends on data, technology and long-term sustainability policies.
Cybercrime as an ESG Crime
In a connected, digitized world, societies are more affected by events that take place in distant locales. This holds true for cyberattacks that incapacitate critical infrastructures and have a ripple effect on multiple industries.
Organized cybersecurity crime groups, nation-states and hacker activists (hacktivists) were catapulted into the limelight in the last decade due to high-profile attacks. For example, the Solar Winds and Colonial Pipeline attacks marked the beginning of a significant increase in ransomware-related cybersecurity crimes that were discovered in 2020 and 2021.1 Since then, there have been several alleged cybersecurity attacks on energy companies in Europe, possibly motivated by the Russian invasion of Ukraine and an ongoing energy crisis in the region.2 One example is the Viasat attack, which affected its customer, Enercon, disrupting approximately 5,000 wind turbines.3
Hackers have increasingly targeted healthcare data and institutions, which can impact the quality of care in surrounding communities. Public service institutions such as the UK National Health Services (NHS) were the target of the WannaCry ransomware attack. The attack stopped critical medical services, endangering the lives of millions of patients.4
In addition, identity fraud, ransomware attacks and email and Internet fraud are often at the intersection of financial crime and cybercrime.
Cybersecurity crimes are not victimless crimes. As recent UN and Interpol actions show, such crimes seriously threaten the security, political stability, economy, natural resources and cultural heritage of many countries and regions.5 Governments also lose tax revenues and revenue on other valuable resources at the hands of cybercriminals. Cybercrime can destroy the natural resources on which national economies and livelihoods depend while undermining conservation and sustainable rural development efforts. According to data published by the US Federal Bureau of Investigation (FBI), losses stemming from cybercrime exceeded US$6.9 billion in 2021.6
The Footprint of Environmental Crime
Both ESG crimes and cybercrimes have a significant effect that is often global in nature.
Such transnational crimes require a coordinated response from local law enforcement, IT teams and practitioners, regulatory bodies and the criminal justice system. There is also a need for financial intelligence units and auditors to recognize the proceeds of environmental and social crimes as the product of money laundering. It is now widely recognized that environmental crime is a predicate of money laundering and terrorist financing. Europe has adopted the Sixth Anti-Money Laundering Directive (6AMLD), which lists environmental crime as one of 22 predicate offenses.7
The US Financial Action Task Force (FATF) estimates that approximately US$110 to $281 billion are generated every year from environmental crimes.8 These funds find their way into the larger financial system, destabilizing economies and affecting underdeveloped and developing countries. For this reason, the Basel Committee has added environmental crime data to its set of indicators of money laundering and terrorist financing risk in the Basel AML Index 2022, the 11th edition of the index.9 The index is derived from the Global Organized Crime Index10 and assures data quality with a well-documented methodology. Environmental crime now shares the same weight as human and narcotics trafficking. Cash, prepaid cards and cryptocurrencies are believed to be used to finance environmental and social crimes.11
Cybercriminals think ESG crimes yield more returns with less risk because penalties are low and regulation is inconsistent with applicable laws. But with ESG frameworks being standardized and adopted across large organizations, there is hope that the cost for criminals will increase and deter them from committing these acts. To gain public trust, risk, governance and cybersecurity policies need to be implemented.
Privacy and security are basic consumer expectations of a socially responsible business; thus, they are key pillars of ESG.
Governing ESG Cyberrisk
Socially conscious investing, ethical consumerism and regulatory mandates are signaling to enterprises that they must play a more responsible role in society. This is even more relevant for giants such as Amazon, Google, Microsoft and Netflix, whose annual revenues are more than the gross domestic product (GDP) of some small countries. Cyberrisk is not just technological risk. It has a broader impact on society because identity theft, social engineering and geopolitically motivated attacks can gravely injure the financial health of the most vulnerable sections of society. In addition, if there is a data breach or a decline in value of the intangible assets of key players, it can prove disastrous and may lead to job losses and propagate uncertainty. Often, citizens can be forced to share their data through fraud and identify theft, or data can be compromised with insider assistance.
As enterprises are implementing digital transformation, it is essential that data privacy and security are prioritized appropriately. Privacy and security are basic consumer expectations of a socially responsible business; thus, they are key pillars of ESG. Proper governance of cybersecurity risk through ESG or another mechanism, such as the US National Institute of Standards and Technology (NIST) Framework, the International Organization for Standardization (ISO) standard ISO 27000 series, COBIT®, or the Center for Internet Security (CIS) Controls, can prevent disasters.
NIST CSF
The NIST cybersecurity framework (CSF) helps create cyberresilience and strengthens cybersecurity within organizations of any size. The five-step process, sometimes called the five pillars of NIST, are identify, protect, detect, respond and recover.12
Each of these five steps has their own standards, guidelines and best practices to follow. Together they make a powerful framework that identifies critical functions in an organization and helps strengthen security governance so that when there is a cyberattack or a data breach, critical functions remain protected and customers are not harmed. In this manner, the NIST framework serves ESG goals by providing steps to build a socially responsible, cyberresilient enterprise.
COBIT
COBIT is a framework that stitches together business risk with technical issues and control requirements.13 It is a governance framework that can be used to place technical controls on ESG risk such as cybersecurity and business resilience. Two key notes to consider when implementing ESG through COBIT include:14
- ESG is everyone’s responsibility, including governments, investors, IT professionals, social activists, regulators and auditors.
- The COBIT framework can be used to translate ESG goals as part of stakeholder needs into an actionable strategy.
ESG Metrics and Reporting
While frameworks can be the model on which the enterprise ESG strategy is implemented, it is essential to measure the effectiveness of the framework implementation through metrics and measurement. Multiple data sources are necessary to track ESG metrics such as carbon footprint, workforce diversity and supplier sustainability.
The Nasdaq ESG Reporting Guide launched in 2017 is a comprehensive reporting guide that any organization can adopt. It has 33 core ESG metrics divided into three sections: environmental, social and governance.15
Cybersecurity is essential to achieving sustainability goals and needs to be a part of ESG frameworks that are being built.
The guide can be used to evaluate the long-term strategic value of adopting the ESG framework, thanks to its focus on financial impact and economic principles rather than on ethics, because numbers can be measured and acted on by leaders. Cybersecurity may be added as part of the governance pillar to help organizations plan their long-term cybersecurity risk management strategy.16
In addition, Microsoft proposes technology as the fourth pillar of ESG, focusing on using technology to solve ESG challenges. It proposes using data and analytics to look for material risk and improvement opportunities—the theory being that preemptive work in identifying and mitigating cybersecurity risk and cyberresilience planning can help with technology risk in an enterprise.17
Conclusion
In an interconnected world, sustainability of organizations ensures economic stability and progress for humanity. ESG is a standard of values against which investors and organizations can assess their performance on sustainability goals. Cybersecurity is essential to achieving sustainability goals and needs to be a part of ESG frameworks that are being built. IT practitioners and auditors can help enterprises attain their ESG goals as well as safeguard them from cyberrisk by engaging early to solve challenges, creating the right standards and policies, and ensuring an environment conducive to good governance.
Endnotes
1 Baker, P.; “The SolarWinds Hack Timeline: Who Knew What, and When?” CSO, 4 June 2021, http://www.csoonline.com/article/3613571/the-solarwinds-hack-timeline-who-knew-what-and-when.html
2 National Cyber Security Centre, “Russia Behind Cyber Attack With Europe-Wide Impact an Hour Before Ukraine Invasion,” United Kingdom, 10 May 2022, http://www.ncsc.gov.uk/news/russia-behind-cyber-attack-with-europe-wide-impact-hour-before-ukraine-invasion
3 Vallance, C.; “UK Blames Russia for Satellite Internet Hack at Start of War,” BBC, 10 May 2022, http://www.bbc.com/news/technology-61396331/
4 Collier, R.; “NHS Ransomware Attack Spreads Worldwide,” Canadian Medical Association Journal (CMAJ), vol. 189, iss. 22, 5 June 2017, http://www.ncbi.nlm.nih.gov/pmc/articles/PMC5461132/
5 INTERPOL, “Forestry Crime,” http://www.interpol.int/en/Crimes/Environmental-crime/Forestry-crime
6 US Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), Federal Bureau of Investigation Internet Crime Report 2021, USA, http://www.ic3.gov/
7 Directorate-General for Financial Stability, Financial Services and Capital Markets Union, “Anti-Money Laundering and Countering the Financing of Terrorism Legislative Package,” European Commission, 20 July 2021, http://finance.ec.europa.eu/publications/anti-money-laundering-and-countering-financing-terrorism-legislative-package_en
8 Financial Action Task Force (FATF), “Environmental Crime,” http://www.fatf-gafi.org/en/publications/Environmentalcrime/Environmental-crime.html
9 Basel Institute on Governance, Basel AML Index 2022: 11th Public Edition, Switzerland, 2022, http://index.baselgovernance.org/
10 Global Organized Crime Index, http://ocindex.net/
11 Boguslavska, K.; “Environmental Crime Data Added to Money Laundering Risk Indicators in Basel AML Index,” Basel Institute on Governance, 27 July 2022, http://baselgovernance.org/blog/environmental-crime-data-added-money-laundering-risk-indicators-basel-aml-index
12 National Institute of Standards and Technology (NIST), NIST Cybersecurity Framework, V1.1, USA, April 2018, http://www.nist.gov/cyberframework/framework
13 ISACA, COBIT®, USA, 2019, http://1q3y.39680a.com/resources/cobit
14 ISACA, “Tech Pros Gain Environmental, Social and Governance Good Practices in New ISACA Primer,” 10 February 2021, http://1q3y.39680a.com/about-us/newsroom/press-releases/2022/tech-pros-gain-environmental-social-and-governance-good-practices-in-new-isaca-primer
15 Nasdaq, ESG Reporting Guide 2.0: A Support Resource for Companies, USA, May 2019, http://www.nasdaq.com/docs/2019/11/26/2019-ESG-Reporting-Guide.pdf
16 Ibid.
17 Sekol, M.; “Technology’s Dual Intersection With ESG: Technology as an ESG Pillar,” Microsoft, 28 March 2022, http://techcommunity.microsoft.com/t5/green-tech-blog/technology-s-dual-intersection-with-esg-technology-as-an-esg/ba-p/3268024
RIMA BOSE
Is vice president of trust, safety and compliance at JP Morgan Chase. With more than 15 years of experience working with organizations such as Oracle, IBM and JP Morgan, she endeavors to bring ideas to life through technology.