Of all risks facing organizations today, those related to cybersecurity and the environment carry the most financially material implications. Yet, few enterprise leaders have explicitly connected cyber-risk and climate risk.
Granted, the relationship between concepts such as hacking and carbon emissions may not be immediately obvious. In both cases, however, related incidents are increasingly severe, prevalent, costly and unavoidable. Companies that fail to integrate cyber and environmental imperatives into their governance strategies aren't just compounding their risks today; they will be less resilient in the years to come.
To effectively connect cyber-risk and climate risk strategies, start with the following five steps.
1. Educate to illustrate common connections and risks
Make the overlap between cyber and environmental risks clear across both business and technical leadership. This requires connecting dots within the organization's security culture, as well as offering dedicated education and training.
The key shift in mindset is in understanding that both cyber and climate threats underlie all business functions and operations, and organizations cannot effectively address them as independent vertical units. The most tangible illustration of this interconnected risk is in modern infrastructure. Any business that relies on data centers, buildings, vehicles or HVAC systems must contend with security and climate-related risks.
For example, the 2021 breach of a Florida water treatment facility happened because of outdated software and a weak password. Thankfully, the timely containment of the attack prevented major disruption. But such attacks on critical infrastructure could result in environmental catastrophe, with the potential for public health crises and financial, governmental and economic upheaval. Consider also the Colonial Pipeline breach, which caused major fuel shortages along the U.S. East Coast in 2021. If attackers had directly compromised the pipeline's operational systems, the incident could have resulted in oil spills and environmental pollution.
Another evolving risk factor that leaders often overlook has to do with insurance. Thanks to ever more frequent and expensive cyber- and climate-related incidents, insurance companies are already narrowing their scope of coverage. Existing cyber policies may or may not cover losses such as property damage, bodily injury or pollution. And environmental policies may or may not include coverage for triggers such as insider threats -- disabling leakage alarms or discharging untreated sewage into the local environment, for example.
2. Understand how digital transformation informs both cyber and environmental risk mitigation
The rise of software, sensors and network connectivity has triggered a broad sea change in how businesses think about technology, data and strategy. This shift means new business opportunities, but digitization of everything also represents a massive expansion of the cyberthreat landscape.
Historically, in its more analog and mechanical forms, infrastructure has not been inherently vulnerable to cyberattacks. But today, every connected device, machine and workstation, and each partner system, public network and third-party cloud creates new vulnerabilities -- not only for the immediate system, but also for all interconnected systems. Attacks on digital infrastructure can now have cascading effects, with possible implications for public health and safety.
The increasing reliance on digitization to mitigate environmental risk thus further increases cyber-risk. For example, today's businesses and governments lean heavily on technology, rather than policy or market controls, to reduce carbon emissions. And as extreme heat and weather events become more prevalent, more and more companies are using air and noise monitors, wearable devices, drones and alert systems to detect problems and protect workers.
3. Unite shared objectives and governance needs
The shared objectives for connecting cyber and environmental risk mitigation span the business and its employees and stakeholders, as well as broader communities and governments. The examples outlined above illustrate ways in which both cyber-risk and climate risk can affect employees, customers and partners.
Bad actors, meanwhile, will increasingly target devices and infrastructure as a way to magnify impact and deploy multipronged attacks. Attacking the grid or causing an outage, leak or other disruption undermines public trust and successfully diverts resources and attention from other pressing needs. In this way, geopolitical tensions -- which often center on energy resources and may even involve hacktivism -- can easily become the business of businesses.
Thus, the enterprise needs comprehensive cybersecurity regulations, both for environmental infrastructure and for general IT and operational technology (OT) business infrastructure. To date, this has been a vexing challenge for the cybersecurity industry, as policymakers and businesses have struggled to define right-sized governance. It is difficult to strike the balance between shared standards that are widely applicable and those that are specific enough to be useful, accounting for the needs of individual businesses and their wide range of technologies. It is noteworthy that a similar dynamic is playing out in the realm of environmental, social and governance (ESG) efforts, with a proliferation of frameworks and a lack of overall consensus.
Several voluntary frameworks do exist to support organizations' cybersecurity and environmental governance, however. Now it's time to update their best practices to incorporate shared risks.
4. Update existing best practices to account for both cyber-risk and climate risk
While standards remain fragmented, companies can take several steps to address both risk vectors simultaneously. Examples include the following:
- Prioritize data and information capture to enable better reporting and measuring.
- Perform regular risk assessments and incorporate third-party audits, with accountability to both internal and external stakeholders.
- Frame cyber-risk and climate risk mitigation capabilities as competitive differentiators. Consider both areas during tool and vendor assessments before any new investments or implementations.
- Develop and enforce policies and procedures for risk mitigation and ongoing dynamic threat evaluation.
- Plan for incidents and equip employees for emergency situations.
- Consider the entire digital ecosystem, taking risk inventories across all IT/OT assets, supply chains, partner networks and distributed network designs. Share information and engage in collaborative mitigation.
Several groups are emerging to support efforts at the intersection of cyber-risk and climate risk. Some, such as the International Society of Automation and the Cybersecurity and Infrastructure Security Agency, offer resources across multiple business contexts. Others, including a growing array of consultants, industry consortia, and security and ESG software vendors, focus on the intersection of cyber-risk and climate risk in specific sectors. One such group, for example, is the Water Information Sharing and Analysis Center.
5. Beyond ESG, think governance as strategy
Putting good governance at the core of business operations and investment decisions makes strategic sense -- and it is the key commonality of cyber-risk and climate risk management. ESG is the current buzzy term for how companies take stock of their big-picture obligations, commitments and accountability. But good governance is not just a trendy reporting exercise.
Rather, the essence of good governance is about steering the company to deliver on mission objectives with market integrity: competing profitably while also acknowledging and addressing uncertainties, complexities and the potential for harm. And it has never been clearer that connecting cyber-risks and environmental risks to enhance good governance is essential for achieving optimal, long-term business resilience.