The board plays a critical role in overseeing an organisation’s risk strategy. Among the risks it must oversee, cyber and ESG (environmental, social and governance) risks represent two of the most prevalent trends in the modern risk landscape. While digitalisation and sustainability are catalysts for business transformation, they also carry threats to the organisation that the board should heed.
Cyber risk on the rise
Cyber risk is a looming threat, and it increasingly comes from external perpetrators.
Data breaches in Singapore quadrupled in the past two years, according to Surfshark’s Global Data Breach analytics. The Ministry of Education was the target of a hacking case that reportedly affected 127 schools in Singapore. And in a recent incident, a local legal firm hit by a cyberattack allegedly paid S$1.89 million in Bitcoin as ransom.
According to PwC’s Global Economic Crime and Fraud Survey 2022, close to 70 per cent of the fraud reported by companies in the past 24 months was committed by external perpetrators or by external parties colluding with employees. These include organised criminal groups, hackers, customers, suppliers, agents and intermediaries. Traditional process controls, designed around internal staff, are insufficient against these external perpetrators.
Along the supply chain, there are inherent risks in dealing with third parties in day-to-day business, and the board must ensure that its company conducts thorough risk-based due diligence on those parties and monitors them effectively.
Cybercrime ranks among the top three threats across industries. It is the number one concern in the government and public sector, health industries, technology, media and telecommunications, and industrial manufacturing sectors. The cyberthreat environment is also becoming more complex, with an increasing number of organised threat actors using new and more sophisticated tactics.
Cyberattacks can begin with compromised user accounts, or with e-mail, text messages or phone calls in which scammers target companies through their employees. Attackers can also gain unauthorised access through cloud systems and the software supply chain, resulting in data breaches or ransomware.
Emerging ESG reporting fraud
At the same time, the growing focus on companies’ ESG responsibilities raises a new internal fraud risk: ESG-related reporting fraud.
Grant Thornton introduced non-financial reporting as an additional category to the Association of Certified Fraud Examiners’ existing Fraud Tree categories consisting of corruption, asset misappropriation and financial statement fraud to arrive at its ESG Fraud Taxonomy.
While the level of reported ESG fraud remains low (6 per cent in South-east Asia), the pressure on companies to meet sustainability targets is transferred to the employees or third parties engaged in ESG reporting. The board plays a critical role in ensuring that these pressures do not distort the accuracy of ESG reporting.
There is a fine line between greenwashing and ESG fraud. This line is crossed when companies or individuals manipulate information or ESG metrics to meet their performance goals, or to be seen as sustainability-driven.
Regulators around the world are cracking down on greenwashing. In the UK, the Competition and Markets Authority is investigating major fashion brands over vague green claims. The Australian Competition & Consumer Commission lists sustainability communication among its priorities, and the US Federal Trade Commission is updating its guidelines on sustainable claims.
In the Global CEO Survey 2024 by PwC, 78 per cent of respondents say their companies have innovated new, climate-friendly products, services or technologies – or have plans to do so. Sustainability goals are important for long-term economic success, and it is important that the communication of such goals and data are subject to assurance.
Starting this year, companies listed on the Singapore Exchange are required to conduct an internal review on their sustainability reporting process in accordance with the International Standards for the Professional Practice of Internal Auditing.
The Singapore Board of Directors Survey 2022 observed that less than half (41 per cent) of respondents subject their sustainability reporting process to internal review by internal audit, and only 20 per cent conduct independent external assurance on their sustainability reports.
What can boards do
Managing cyber risk is complex and technical, requiring companies to consistently bolster their technical capabilities and implement robust cybersecurity controls. It can be daunting for board members, who are often not experts in the area. Nonetheless, it is crucial for boards to consider cyber risks in the company’s business strategy and to actively oversee the company’s cyber resilience.
Best practices and references to international benchmarks can help in assessing a company’s risk profile and developing a risk strategy framework.
The growing regulatory requirements for sustainability further intensify the pressure on the board to stay up to date with the new disclosure requirements and focus on governance surrounding ESG risks. Boards must develop appropriate governance structures to support effective oversight of ESG matters. And directors should exercise professional scepticism by challenging management on the reliability of data sources and avoiding greenwashing or false representation of the company’s ESG reporting.
In summary, the board must remain agile in responding to fresh threats by adopting new measures and leveraging technology to prevent, detect and deter cyber risks and ESG fraud. Aligning the board’s mix of skills, knowledge and experience with the company’s strategic direction and these emerging risks is essential for enhancing board effectiveness.
The writer is a member of the Advocacy and Reports Committee at the Singapore Institute of Directors.