POLICY
The World Economic Forum’s Global Risk Report Showcases Cybersecurity as a Priority
3 May, 2023

Context
The World Economic Forum has identified cybersecurity as one of the biggest threats of the coming years in its Global Risks Report 2023. At EthicsGrade, we could not agree more with this: cybersecurity is a very important facet of our research on companies. The digitalization of most businesses and industries poses a systemic risk across all sectors. Cyber risks have, until recently, been an afterthought in the design of many technology systems. Ethics by design is an approach that focuses on planning for contingencies or less desirable outcomes of emerging technologies, such as cyber risks. This approach proactively safeguards companies against digital risks, cyber risks included, and therefore avoids reactive approaches to technological development, which invite the potential for harmful outcomes.
Low Visibility and Investor Vulnerability of Cyber Risks
Often a key enabler of inaction is a lack of resources or, in the case of AI risk, low visibility. Very few people have insight into the risks of AI, which makes addressing them adequately all the more difficult. Investors are particularly vulnerable to cybersecurity risks because cyber risks are often liabilities that do not appear on balance sheets or in ESG reports. It is imperative to factor cyber risks into investment decisions, but the lack of quality data on digital ethics makes this unnecessarily and dangerously challenging. While many of the risks are insurable, reputational harm has a longer-term impact that is a business risk to future performance. The absence of data with which to model such risks means risk mitigation processes must be built from the ground up, which is both complex and expensive.
The US Securities and Exchange Commission: Required Reporting
Increased regulation around an action or subject can signal its importance and prioritization. Reporting requirements, such as the US Securities and Exchange Commission's (SEC) recently proposed cybersecurity rules that require companies to report ongoing attacks, are an important way to increase proactive consideration of cyber risks. The proposal signifies a drive toward greater transparency and disclosure. The benefits to investors outweigh the costs, considering the information asymmetry that exists between the market and companies around these digital risks. However, as the SEC and others move forward with such initiatives, there is a need to ensure that reporting on attacks does not undermine or compromise efforts to counter them.
Ransomware Payments: An Unacknowledged Relationship
One scandal that few in the industry are talking about is ransomware payments. There is a clear inconsistency between policies that ensure companies do not have relationships with organized crime and the fact that most organizations pay ransomware attackers to restore their normal operations. This is an unacknowledged relationship in which the SEC could further intervene. Making ransomware payments illegal could potentially starve attackers of the proceeds of this form of cyberattack, which would only help the SEC's mission. It is surprising that this issue has yet to be addressed systematically by the SEC and comparable organizations worldwide.
It is essential to note that the SEC's proposed reporting requirements do not fully encapsulate the threats of cybersecurity. The SEC's role is to ensure that companies have a good minimum standard of corporate governance and that there is accurate, timely, and fully transparent disclosure to the market, which this new requirement fails to achieve. Beyond this, if companies want to play fast and loose with their IT systems, EthicsGrade can highlight the relative maturity of different actors in their AI governance. By considering the corporate digital responsibility of companies, investors will be better placed to model these risks, and market forces will drive better outcomes, as they have in other aspects of ESG activities.
The EU Digital Operational Resilience Act: Required Safeguards
The EU's DORA regulation will work to ensure that a bank's use of cloud services has adequate resiliency around its financial services. This regulation is not directly cybersecurity-related, but it aims to reduce instances of ATMs being offline or online banking being unavailable, which is aligned with prioritizing cybersecurity. The West has a tolerance for cyber vulnerability (e.g. data breaches) but not for lack of privacy (e.g. targeted ads, data profiling, etc.); China, by contrast, has the most extensive set of rules on cybersecurity and is a country where there is an enormous taboo against cyber vulnerabilities. A hybrid model in which both privacy and cybersecurity are priorities feels like it is waiting to burst through. We are hopeful that the SEC in the US and DORA in the EU will support this new resilience to cybersecurity vulnerability.
Conclusions
The cybersecurity threat is real and dangerous. As emphasized in the World Economic Forum's Global Risks Report, it is essential for companies to prioritize cybersecurity and transparency. Companies need to take a proactive approach to cybersecurity and can do so by investing in their IT infrastructure and ensuring that they have the necessary safeguards in place. The SEC's proposed cybersecurity rules and the EU's DORA are a step in the right direction. Still, companies need to go beyond the minimum standard of corporate digital responsibility and work to create a new culture of cybersecurity. This culture should be embedded in all aspects of the business, and companies should work towards minimizing the risks associated with cybersecurity, such as ransomware payments. The market will reward companies that take a proactive approach to cybersecurity, and companies that fail to prioritize it will suffer reputational damage and financial losses.