Doug Clare is managing director and head of cyber strategy at ISS Corporate Solutions, an advisory, data and software solution company for managing ESG programs
Having spent many years developing AI-based risk management solutions, I’ve attended dozens of third-party risk management conferences. These generally focus on tools and practices to help CISOs and other C-suite executives address growing and increasingly sophisticated threats related to data protection and cybersecurity. Third-party risk management, or TPRM, has become a discipline unto itself, with its own nomenclature, industry groups, corporate titles and professional certifications. And it has been largely built around the need for organizations to understand, measure and mitigate cyber risk and the often-devastating impacts of data breaches along their entire supply chain.
This year, however, I noticed a conspicuous change in focus: suddenly, everyone from the keynote speakers to executives meeting in private suites were talking about ESG (environmental, social and governance) matters, which are increasingly top-of-mind for investors and board members. For data-intensive businesses, cyber risk exposure has long been seen as an obvious governance matter. Now, however, the link between cyber risk, governance and all of ESG is becoming a board-level concern across virtually all sectors of the economy.
This is particularly apparent in the case of global supply chains: Businesses need to make sure that their partners manage cyber risk effectively, just as they want to ensure that their vendors are financially sound, that they uphold child labor laws and that they operate in an environmentally responsible manner.
When data breaches happen – regardless of whether the business or one of its suppliers is at fault – the reputational risk and follow-on impacts to market cap and shareholder value can be significant. And third-party breach risk is substantial. According to a study by Ponemon Institute as reported in VentureBeat last September, 54% of surveyed organizations reported being breached via a third party weakness or failure in the preceding 12 months.
The operational, reputational and legal risks associated with other ESG categories are substantial, as well. Regulators have taken notice and are starting to compel companies to pay attention to a host of additional third-party risks. By way of example, the German Supply Chain Due Diligence Act (LkSG) of 2023 requires businesses with 3,000 or more employees operating in Germany to monitor themselves and their suppliers, regardless of geography, to comply with certain international ESG standards regarding human rights. The consequences for non-compliance are significant: financial penalties, exclusion from public contracts, reputational damage and loss of investor trust.
Adding to national government demands for private-sector accountability, the EU Corporate Sustainability Reporting Directive (CSRD), which went into effect earlier this year, requires companies operating in the European Community to report on the impact of corporate activities on the environment and society.
None of these developments diminish the focus on cyber. The New York Superintendent of Financial Services, Linda A. Lacewell, has stated that “Cyberattacks threaten not just individual companies but also the stability of the financial industry as a whole.” A 2022 amendment to the New York Department of Financial Services Cybersecurity Regulation mandates a wide range of actions concerning third-party risk assessment, with penalties for non-compliance. The Securities & Exchange Commission now requires companies to include corporate board members’ cybersecurity credentials in their public disclosure filings. Research based on data from the Wall Street Journal and several others suggests that only 9% of Fortune 500 companies have directors with the necessary cybersecurity expertise.
"Cyberattacks threaten not just individual companies but also the stability of the financial industry as a whole."
During the COVID pandemic, shortages of vaccines, building materials and even toilet paper made all of us acutely aware of the intricacies of global supply chains. Now, given increasing government requirements to measure, report and manage ESG risks, businesses throughout the world are facing a similar realization. This, in turn, is fueling demand for technologies that evaluate an organization’s cybersecurity competence in a standardized, comprehensible way. Like it or not, ESG risks – including cyber risks – increasingly have a regulatory risk component as well. Companies need to understand the full complement of exposures not only to manage them, but also to comply with mounting requirements to disclose their efforts to regulators, investors, partners and other stakeholders.
The takeaway is that the discipline of third-party risk management is about to go through some changes. New metrics and new tools will be needed. Best practices in TPRM that have been largely driven by the need to assess and manage cyber risks are rapidly being stretched and adapted to address a broader framework of interrelated ESG and ESG compliance risks. Corporate boards would do well to take an active interest in this transformation, lest they get caught playing catch-up.