WHY CYBER SECURITY MATTERS IN ESG INVESTING

The strengthening of the cybersecurity infrastructure needs to begin with companies acknowledging that reliance on competent resources, both internal and external, is no longer an option but a necessity

The thriving buzzword in the investment space right now is ESG. ESG - which stands for Environmental, Social and Governance (standards) has become an indispensable yardstick that is used by investors - small and big - to identify profitable business ventures. Sustainability has for time immemorial been a key determiner of investment decisions, and ESG will now be at the vanguard of such decisions, especially in the listed space. As a fitting testament to the way in which a capitalist economy works - and more particularly of companies which have their inception in the coming together of persons to carry on businesses for gain - ESG is a lever that has been readily adopted by the corporate world while, ironically, meeting resistance from democratically elected governments across the world which struggle or disregard ESG in their policy decisions. While the actions of nation-states can be attributed to economic, social and political impediments to the adoption of good ESG practices, adoption of good ESG practices is critical to the survival of companies, and the investment world can be punishing for those who are averse or slow to open up to the adoption of ESG parameters. Having said this, nation-states are aware of the practical difficulties in implementing ESG practices at a national level and have wisely counterbalanced such constraints with efforts to encourage corporate entities to proactively implement ESG practices and reporting.

India too has seen a rapid adoption of ESG metrics with even start-ups being sensitized to commonly adopted ESG standards at a very early stage by their venture capital and private equity investors. The regulators in India too have done a commendable job in bringing about more awareness of ESG standards and ensuring the disclosure of ESG standards which are used by companies, to help investors gauge the effectiveness of the adopted practices. As a prime example, the Securities Exchange Board of India(SEBI) had through its amendment of the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 (LODR Regulations) vide notification dated May 5,2021 (which was subsequently publicized through its circular dated May 10, 2021)replaced the requirement to include a business responsibility report (BRR) with a business responsibility and sustainability report (BRSR)in a company's annual report. The requirement to include BRSR in the annual report in the format stipulated by SEBI from the financial year 2022-23 has become mandatory for the top 1000 listed companies based on market capitalization. SEBI in its May 10, 2021 circular stated that the objective of the BRSR is to standardize disclosures on ESG parameters and seek "disclosures from listed entities on their performance against the nine principles of the National Guidelines on Responsible Business Conduct issued by the Ministry of Corporate Affairs, Government of India, to help investors with their investment decisions." The aforementioned circular also stated that the BRSR will help investors move away from their focus solely on the financials of a company and venture into looking at its social and environmental initiatives.

While adoption of good ESG practices by companies is a welcome move, overemphasis on the E&S-aspect and the relegation of the G-aspect to that of a trifle does not bode well for corporate India. In particular, the importance assigned by companies to the cybersecurity piece of corporate governance is disheartening. Thankfully, SEBI has taken a propitious move of making reporting of cybersecurity related measures undertaken by the top 1000 listed entities an essential indicator (requiring mandatory disclosure) in the BRSR, and this will bring about more transparency in the cybersecurity practices which have been put in place by entities mandated to include BRSR in their annual report. The importance of BRSR cannot be overstated; this is evident from a consultation paper of SEBI suggesting that the investment policy of Asset Management Companies should contain a clause that from October 1, 2022 their ESG Funds can invest only in companies which make BRSR disclosures.

One cannot, for the time being, expect cybersecurity to occupy center stage in the ESG regime, primarily on account of the alarming climate situation and the appallingly slow rate of social mobility of certain disadvantaged sections of the society. Nevertheless, digital security ought not to be given the go-by, and why is that so? The answer lies in the increased instances of cyber attacks, with one study estimating ransom ware attacks (one of the many kinds of cyber attacks) to have affected 37% of businesses around the world and financially eroded the wealth of these businesses by twenty billion US dollars in the last calendar year, i.e., 2021. As per a report published by Accenture plc, the number of cyber attacks that a company faced in 2021 increased by 31% as compared with 2020. The picture is even grimmer for India with close to 76% of businesses in the country becoming victims of ransom ware attacks in 2021 making cybercriminals wealthier by an average of five hundred thousand US dollars from each cyber attack. As per another recent study, three out of four small and medium-sized businesses in India suffered a cyber attack between September 2020 and September 2021, i.e., a whopping 75% of all small and medium-sized businesses in India. The loss of 62% of the affected entities was over thirty-five million Indian rupees and for 13% of the affected entities the loss was over seventy million Indian rupees. The number of cyber incidents increased 194% from 2019 to 2020 as per data tracked by the Indian Computer Emergency Response Team. In other words, the picture looks grim in India, with the country seeing the second highest number of cyber attacks in the world.

With the underlying objective of ESG standards being the creation of value for investors, it becomes most critical for investors to be made aware of all incidents that affect an entity. Considering that loss from cyber attacks will equal if not surpass the loss caused by natural calamities, ignoring cybersecurity will only deplete the value of an entity.

When it comes to listed entities in India, the LODR Regulations stipulates the formation of a Risk Management Committee. One of the roles of the Risk Management Committee is to formulate a risk management policy which shall identify risks including cyber risks and, moreover, the board of directors of a company shall define the roles and responsibilities of the Risk Management Committee which shall specifically cover cybersecurity. While the specific inclusion of cybersecurity as a responsibility of the Risk Management Committee under the LODR Regulations is a much-needed recognition by the securities regulator in India, the move has hardly scratched the surface of the measures needed to deal with the impending colossal cyber cataclysm.

In the United States of America, the U.S. Securities and Exchange Commission (SEC) has recognized the need for listed entities to enhance the disclosure requirements in relation to cybersecurity incidents and cybersecurity risk management and governance practices to help investors make informed investment decisions and has in this regard issued on March 9, 2022 a new set of proposed rules for cybersecurity risk management, strategy, governance and incident disclosure.

To combat the cybersecurity threat posed to corporate India, the change must be spurred by policy change introduced by government regulators. In this regard, the Indian regulators may consider taking a leaf from the SEC in terms of cybercrime regulation and reporting. The role played by regulators in prioritizing cybersecurity is integral to its adoption as the steps taken independently by listed entities without necessary regulatory supervision might not aid in standardizing the reporting requirements. It is our humble view that SEBI may consider making it mandatory for all listed entities to: (i) include BRSR in its annual report; (ii) have in place a stand-alone cyber threat response plan; (iii) adhere to minimum compliance and disclosure norms on cybersecurity by prescribing the same in the BRSR format; (iv) mandate the reporting of cyber incidents to the stock exchanges by the way of a specific inclusion in Schedule III of the LODR Regulations.

As for the voluntary steps which need to be undertaken by companies, the role of the C-suite cannot be overemphasized, in particular, that of the board of directors. The governance of a company is vested with its board of directors, and the decision of the board of directors on matters involving security of its digital assets will have ramifications impacting the company, its employees, customers and shareholders, the financial system and, in all likelihood, the world at large. Strengthening the bulwark against cyber attacks is essential and, as a matter of implementing good governance practices, it should be discussed on a regular basis in the board meetings of companies. In fact, the SEC has suggested, through its proposed amendments issued on March 9, 2022, to make it mandatory for listed entities to disclose the expertise of the board of directors in cybersecurity matters with the hope that such a disclosure requirement would push companies to induct members with requisite expertise in tackling cyber threats. The move to make disclosures on the competency of the board of a company in the cyberspace will serve as a harbinger for regulators around the world to introduce similar disclosure requirements in their country.

While it would be ideal for regulatory measures in connection with cybersecurity to be applied to both listed and unlisted companies, such actions would be seen as an act of regulatory overreach. Therefore, the strengthening of the cybersecurity infrastructure needs to begin with the companies acknowledging that reliance on competent resources, both internal and external, is no longer an option but a necessity. Companies also need to voluntarily constitute committees which exclusively deal with cyber threats and precautionary measures to be adopted to thwart cyber attacks, and the boards of directors need to discuss cyber threats and security measures regularly in their meetings. Therefore, self-regulation should be the governing-principle for currently unregulated entities, whereby they strive to adopt the highest standards in assessing and dealing with cyber attacks.

While it is important for companies to strengthen their cybersecurity as a measure of good corporate governance, it is all the more important for cybercriminals that companies don't. A specific mandate by the regulators to include cybersecurity as one of the core-ESG standards will prod companies to look into the best practices in protecting their digital assets. The SEBI has set the ball rolling by suggesting that ESG mutual funds can invest only in companies which make BRSR disclosures. While the pressing need is to prescribe ESG standards, as a matter of urgency, a voluntary implementation of the best governance practices combined with rules mandating investment only into companies which make their ESG practices transparent will go a long way in increasing the value of sustainable businesses, and, in ESG, cybersecurity ought to take as much precedence as other burning issues in making the decision to become a shareholder of a company.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.