I spent more than fifteen years building renewable energy businesses before launching DeNexus, and more than three years now at DeNexus developing cyber risk quantification solutions for Critical Infrastructures and industrial corporations.
During that time, ESG (Environmental, Social, Governance) as a concept has gained real momentum in the investment community since its initial advocacy in 2004. Mark Harris in his recent Economist article cites $35 trillion of assets under management held within the very largest investment firms, “...are monitored through one ESG lens or another”. ESG seeks to drive behaviours in the global economy to embrace more than just P&L considerations in the conduct of business, in an attempt to align the contribution of business with practices to address the global issue of climate change. It does this by establishing mechanisms to measure and judge business performance, partly in terms of positive and negative impacts upon the Environment, Social Order and constructs and the expectations for governance in the exercising of duties of officers in the conduct of business.
The lever of influence is financial valuation and returns: using quantification metrics to rate organizations’ performance in ways that allow the investment community to value enterprises and assets reflecting this broader view of value. Simply, get a good ESG score and the valuation of assets can increase, while the opposite also applies.
Now ESG is laboring under perception and reality challenges of effectiveness and probity, which harms the case to help push back against the significant and voluble climate change denial lobby. Several globally recognised investment houses are being investigated for Greenwashing; not being straight with their clients and investors. Notwithstanding the undoubted growing pains of ESG-investing, it is clear that achieving Global Net Carbon Zero Ambitions by 2050 or sooner is heavily dependent upon behaviors changing in Board Rooms, and the great motivator in that environment is financial imperative and reward.
ESG, in whatever way it evolves, as it must, remains a critical plank in changing behaviors and mobilizing business to be part of the climate change solution.
There is a second critical dependency if we are to have any chance of achieving global net zero carbon ambitions, and that is effective digital transformation, embracing and enabling green technologies like those seen in the renewable energy sector, in day-to-day business operations. Digital transformation, accelerating as the global economy emerges from the tragedy of the Covid-19 pandemic, is central to the enablement of new, innovative value propositions that are responding to the changed demand expectations for long-term, ethically derived products and services. Renewable energy is at the heart of delivering on this expectation and implicit promise.
Effective execution of digital transformation is in turn predicated on tackling another of the great issues of our time, cyber risk. There can be no successful digital transformation without cyber surety: cyber surety being a combination of sensible expectations of good enough cyber security outcomes and essential levels of cyber resilience. Figure 1 illustrates these dependencies.
Figure 1: Dependencies at play in achieving Net Carbon Zero Ambitions
Now there is a significant positive in this story despite the headlines: digital transformation, in the form of cloud service adoption, is making a very positive contribution to elevating the overall cyber defense posture of the global economy. Much of the digital transformation under way is increasingly enabled through adoption of cloud services. There is a great variety of such services, but the cyber security capabilities at large in the cloud services world, by and large, exceed those resident in all but the largest and most sophisticated enterprises. This is a good news story.
However, there are two sides to every coin and in this case the flip-side is that the cyber risk landscape becomes more complex as more and more business interruption risk is devolved from the risk owner to 3rd party digital service providers creating significant concentration of business interruption risk; what the insurance industry refers to as systemic accumulation risk.
Why does this matter?
It matters because digitalization of the global economy needs risk capital to be available to underwrite the many new and innovative business models that are at the heart of digital transformation. There is a paradox at play here: at a time when the global economy is going digital, Insurance, Reinsurance and Insurance Linked Securities (ILS) investors have less and less confidence that they know enough about the digital risk in a new and more complex digital landscape and, in turn, have less and less confidence to put capital at risk.
The paradox then is that at a time when demand for cyber risk capital is increasing, there is less and less available to lubricate the digital economy. On the surface this is too often seen to be about attrition losses of insurers to ransomware as an example. However, in reality, it is about the challenge of balancing attrition losses with making capital available when those concentrated, systemic accumulation risks are not well understood.
This circle of dependencies has to close, and it does so in the context of confidence. All the constituencies involved in the transformation enabling achievement of net carbon zero ambitions need confidence, within their value chains, in the probity and surety of the products, services and information upon which they depend. Cyber risk fundamentally undermines confidence, with trust being the base commodity at risk: restoring confidence is a multi-threaded challenge.
Figure 2: Reflecting on the anatomy of Confidence
Bringing this to life in the real world shows the direct link of cyber surety with ESG outcomes, the viability of operating licenses and ultimately ESG-derived valuations of enterprises. Consider a mining company that sees an attack on operational technology in industrial control systems, perhaps disruption of control of sluice gates on a tailings lake leading to tailings release; a port operator that sees manipulation of tank farm product distribution manifolds, with discharge of petroleum products into the ocean; or a renewable energy provider that sees supply disruption to a Critical National Infrastructure facility, with significant regulatory fines and disruption to critical services. Each of these challenges, when viewed through an ESG lens, clearly represents a material, catastrophic event with implications for Environmental impact, Social impact and Governance impact, all at a scale to call into question the viability of the operating licenses pertinent to the activity involved.
Cyber and ESG are inextricably linked; cyber surety is inextricably linked to confidence in digital transformation; digital transformation is inextricably linked to ability to achieve net zero carbon ambitions; net zero carbon ambitions are dependent upon changed behaviours driven by financial imperative and rewards associated with ESG and long-term ethical investing.
Central to re-establishing cyber confidence is the ability to provide visibility, knowledge and surety as insight into the effectiveness of cyber outcomes: visibility of everything touching critical networks and services; knowledge of the probity of how technologies are configured and deployed; and surety that the control frameworks to which organizations commit are being applied faithfully and effectively in order to ensure effectiveness of security outcomes. Second generation cyber risk quantification platforms, like the DeNexus DeRISK platform, provide core capabilities around which confidence can be rebuilt.
These 2nd generation platforms provide an ability to quantify the impact of cyber vulnerabilities in the context of Values at Risk, in financial terms, of critical risk scenarios; an ability to prioritize risk intervention investments when compared to other critical risks in the portfolio, i.e., make meaningful comparisons across the entire risk spectrum (for example, is it more effective in reduction of residual risks to mitigate a cyber vulnerability or to address credit risk?); an ability to quantify Business Interruption impact to critical processes enabled by 3rd party digital services; and so on.
The ability to quantify cyber derived Values at Risk provides insight for operational decisions that ultimately enable enterprises to provide confidence to the communities they serve: to their employees, their regulators, their insurers, their investors and their customers, giving confidence that they are doing the right thing for their constituents and in support of net carbon zero ambitions.
Ultimately, ESG driving change through financial imperative and reward, coupled with digital transformation, constitute the key levers to enable achievement of global net carbon zero ambitions. Neither of these dependencies can be delivered in the effective manner needed without cyber surety. Cyber risk quantification is the critical starting point to establish the confidence necessary to lubricate a global economy that must digitally transform, with a net carbon zero focus.