As expectations for transparent environmental, social and governance (ESG) reporting continue to increase across all sectors, and stakeholders expect to see better management of carbon emissions, diversity, human rights, corruption and bribery, cyber security is now quickly rising to the top of the list of material topics. In fact, in a recent survey, 67% of respondents ranked cyber security as their top concern, and it is becoming one of the most financially material ESG risks an organisation may face.
Cyber-attacks and data breaches, such as those recently experienced by Optus and Medibank, are increasing in frequency and severity. As the volume of attacks and breaches increases, the financial impact has also grown. A cyber-crime is reported to the Australian Cyber Security Centre every seven minutes, with an average loss for medium businesses of $88,407 per attack.
But cyber-crimes inflict more than financial loss – they cause reputational damage, loss of data and significant business disruption. In fact, for many small organisations, a cyber security incident could be terminal once the trust of its customers is lost.
ReGen has identified cyber security as such a critical issue that it has entered into a strategic partnership with Centium, which has a strong record of helping organisations identify and manage their cyber security risks. We believe that this partnership represents great opportunities for our clients through access to Centium’s experience and expertise.
Cyber security should not be mistaken for a new term for IT or digital: it is about identifying and managing the risks to the confidentiality, integrity and availability of your data, information and systems. These are business risks that require proactive governance from the business and should form an integral part of ESG strategy.
Cyber security risks are considered throughout ReGen’s sustainability and ESG services, and are included as an integral part of our ESG maturity assessments, materiality assessments, strategies and reporting.
Many organisations are now disclosing cyber security as a material risk in their sustainability reports and annual reports, with a detailed narrative on their mitigation techniques. This also means adjusting their financial investment forecasts and budgets accordingly.
ReGen’s ESG maturity assessment plays a key role in enabling organisations to align operations with international frameworks and standards, enhance stakeholder trust and confidence, mitigate risks (including cyber security), and unlock opportunities for long-term value creation.
Organisations demonstrating more advanced ESG maturity in the realm of cyber security point to formalised governance and defined roles such as data owner, data steward and data custodian (often the IT department). The data owner is aware of both the risks and threats that exist and the controls in place to reduce them to an acceptable level (the organisation's risk appetite).
In the near future we expect insurance premiums to be determined by the level of maturity a business has in place to manage its cyber security risks; for those with little in place, higher premiums will be sure to follow. Models such as Factor Analysis of Information Risk (FAIR) deliver both qualitative and quantitative analysis of risks and provide an excellent basis for engaging business executives in the meaningful evaluation of risks and the effectiveness of controls.
We believe that cyber security is an important component of ESG, and we are running a special three-part series to explore this critical topic. In upcoming parts of this series we will explore the key first steps to becoming more secure, the applicable benchmarks and standards, where to start and where to find free resources. We will close the series with an examination of the supply chain and of being a trusted supplier in order to win and maintain business.
*Expert guidance from Scott Thomson, Centium and Colin Davies, ReGen Strategic