How to connect cyber-risk and climate risk strategies

Of all the risks organizations face today, those related to cybersecurity and the environment have the most financial impact. Yet few business leaders have explicitly linked cyber risk and climate risk.

Admittedly, the relationship between concepts like hacking and carbon emissions may not be immediately obvious. In both cases, however, the associated incidents are becoming increasingly serious, frequent, costly and unavoidable. Today, companies that fail to integrate cyber and environmental requirements into their governance strategies not only increase their risks; they will also be less resilient in the years to come.

Start with the following five steps to effectively connect cyber risk and climate risk strategies.

1. Educate to illustrate common contexts and risks

Clarify the intersection between cyber and environmental risks in both business and technical leadership. This requires linking points within the organization’s safety culture, as well as providing dedicated education and training.

The key shift in mindset is to understand that both cyber and climate threats underlie all business functions and operations and companies cannot effectively address them as independent vertical entities. The most tangible illustration of this interconnected risk is modern infrastructure. Any business that relies on data centers, buildings, vehicles, or HVAC systems must address security and climate-related risks.

For example, a water treatment plant in Florida was breached in 2021 due to outdated software and a weak password. Fortunately, timely containment of the attack prevented major disruption. But such attacks on critical infrastructure could lead to environmental disasters, with the potential for public health crises and financial, governmental, and economic upheaval. Also consider the disruption of the Colonial Pipeline, which led to significant fuel shortages along the US East Coast in 2021. If attackers had directly compromised the pipeline’s operating systems, the incident could potentially have resulted in oil spills and environmental pollution.

Another evolving risk factor that executives often overlook has to do with insurance. Increasingly frequent and expensive cyber and climate-related incidents are already leading insurers to limit the scope of coverage. Existing cyber policies may or may not cover exposures such as property damage, personal injury, or pollution. And environmental policies may or may not include coverage for triggers like insider threats, for example disabling leak alarms or dumping untreated wastewater into the local environment.

Figure: The top six business risks of 2022: cyber incidents, business interruption, natural disasters, pandemic outbreak, changes in laws and regulations, climate change. In a survey of 2,650 risk management professionals by insurer Allianz, cyber incidents, natural disasters and climate change are among the top business risks.

2. Understand how digital transformation impacts both cyber and environmental risk mitigation

The rise of software, sensors and network connectivity has fundamentally changed the way companies think about technology, data and strategy. This shift means new business opportunities, but the digitization of everything also means a massive expansion of the cyber threat landscape.

In the past, infrastructure in its more analog and mechanical forms was not inherently vulnerable to cyberattacks. But today, every connected device, machine and workstation, partner system, public network, and third-party cloud creates new vulnerabilities—not just for the immediate system, but for all interconnected systems as well. Attacks on digital infrastructure can now have cascading effects with potential public health and safety implications.

The increasing reliance on digitalization to mitigate environmental risks thus further increases cyber risk. For example, today’s companies and governments rely heavily on technology rather than politics or market controls to reduce carbon emissions. And as extreme heat and weather events become more common, more companies are using air and noise monitors, wearable devices, drones and warning systems to spot problems and protect workers.

3. Unify common goals and governance requirements

The common goals for linking cyber and environmental risks include the company and its employees and stakeholders, as well as broader communities and governments. The examples outlined above illustrate how both cyber risk and climate risk can impact employees, customers and partners.

Criminals, meanwhile, will increasingly target devices and infrastructure to amplify impact and launch multi-pronged attacks. Attacking the grid or causing a power outage, leak or other disruption undermines public confidence and successfully diverts resources and attention from other pressing needs. In this way, geopolitical tensions — which often focus on energy resources and can even involve hacktivism — can easily become a corporate matter.

Both cyber and climate threats underlie all business functions and operations, and organizations cannot address them effectively as independent vertical entities.

Therefore, companies need comprehensive cybersecurity regulations, both for the surrounding infrastructure and for the general IT and operational technology (OT) business infrastructure. To date, this has been a vexing challenge for the cybersecurity industry, as politicians and companies have struggled to define governance at the right scale. It is difficult to strike a balance between common standards that are universally applicable and standards that are specific enough to be useful and take into account the needs of individual companies and their wide range of technologies. Notably, similar dynamics are playing out in the area of environmental, social and governance (ESG) efforts, with a proliferation of frameworks and a lack of common consensus.

However, several voluntary frameworks exist to support organizations’ cybersecurity and environmental governance. Now is the time to update their best practices to include common risks.

4. Update existing best practices to address both cyber and climate risks

While standards remain fragmented, organizations can take multiple steps to address both risk vectors simultaneously. These include, for example, the following:

  • Prioritize data and information collection for better reporting and measurement.
  • Conduct regular risk assessments and incorporate third-party audits, with accountability to internal and external stakeholders.
  • Design cyber and climate risk mitigation capabilities as a competitive differentiator. Consider both areas when evaluating tools and vendors before making any new investments or implementations.
  • Develop and enforce policies and procedures for risk mitigation and ongoing, dynamic threat assessment.
  • Plan for incidents and equip employees for emergencies.
  • Consider the entire digital ecosystem and conduct risk inventories across all IT/OT assets, supply chain, partner networks and distributed network designs. Share information and get involved in collective mitigation.

Several groups are emerging to support efforts at the intersection of cyber risk and climate risk. Some, like the International Society of Automation and the Cybersecurity and Infrastructure Security Agency, offer resources for multiple business contexts. Others, including a growing number of advisors, industry consortia, and security and ESG software providers, are focusing on the intersection of cyber and climate risks in specific sectors. One such group is the Water Information Sharing and Analysis Center.

5. Beyond ESG, think of governance as a strategy

It makes strategic sense to put responsible corporate governance at the heart of business operations and investment decisions; it is the key commonality between cyber risk and climate risk management. ESG is the currently much-discussed term for how companies take stock of their commitments and responsibilities at large. But good governance isn’t just a trendy reporting exercise.

Rather, good corporate governance is about directing the company to meet its mission objectives with market integrity: compete profitably while acknowledging and addressing uncertainties, complexities and the potential for harm. And it has never been clearer that linking cyber and environmental risks to improving good governance is essential to achieve optimal, long-term business resilience.
