Last week, a malicious ransomware attacked more than 200,000 computers in 150 countries, affecting a range of victims including hospitals in the United Kingdom, Telefonica, a major telecommunications company in Spain, and airline company in Latin America and thousands of personal computers. Hackers demanded $300 worth of bitcoins as ransom for every computer, and reports indicate that approximately $50,000 worth of bitcoins have already been paid as ransom. The spread of #WannaCry was halted temporary late last week, by accident, but the perpetrators has reportedly issued a new version without a kill switch.
Needless to say, #WannaCry continues to hold many computers hostage.
The ESG Angle
Cybersecurity is an ESG topic because it reflects a number of issues that investors should care about. One is governance. In the age of technology, governance of information systems and data privacy is of key importance to any company. The failure to effectively set up an effective information security management system reflects management’s failure to anticipate cybersecurity risks and impacts on its operations, customers and employees.
Another issue is data privacy. The UN Declaration on Human Rights considers privacy as a basic human right and Article 12 states:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
The UN Declaration was promulgated in 1948, long before the Internet age. However, this principle is now increasingly adapted for data privacy. Article 8 of the European Convention on Human Rights states:
Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The failure to protect personal data can thus, be taken as an infringement of a human right.
The third is human safety and wellbeing. The infection of hospital computers endangered the lives of patients in the UK health system. As more basic and critical services become tethered to the cloud, the failure to manage cyber risks can become a life or death situation.
The Business Impact
#WannaCry caused significant operational disruptions in the companies affected as the ransomware continues to spread. The operational costs of trying to mitigate the impact on the business, the corrective and remedial actions that need to be taken, and the cost of implementing a more robust and up-to-date information security system in the wake of the attack are not going to be negligible.
The cost to a company’s reputation cannot be quantified. Loss of trust in a company’s ability to manage customer data, once destroyed, is difficult to regain.
All these is to say that companies simply cannot afford to be complacent with information security. Doing good business these days does not only mean selling stuff to customers, it also means keeping information systems safe so that customers and employees remain confident in the company’s ability to manage what they have entrusted it with.