Why does the EU’s latest update to its existing sustainability regulations matter in cyber security and risk management terms?
On 25 July 2024 the Directive on corporate sustainability due diligence (Directive 2024/1760) entered into force. Its objective is to ensure that in-scope entities behave in a sustainable and responsible manner across their own operations and throughout their global value chains. An amended version took effect on 17 October 2024.
The rules seek to ensure that organisations identify and address adverse human rights and environmental impacts of their actions both within and external to the European domain.
Scope
The regulation does not apply universally, but rather to large EU limited liability companies & partnerships:
approximately 6,000 companies: more than 1,000 employees and more than EUR 450 million net turnover worldwide.
It also, however, applies to large non-EU companies:
approximately 900 companies: more than EUR 450 million net turnover generated in the EU.
Micro companies and SMEs are not directly covered by the rules, but they may be indirectly affected as business partners within the value chains of in-scope companies.
Compliance Costs
The costs of establishing and operating the due diligence process fall to the entity, including transition costs. These come on top of the expenditure and investment required to adapt operations and value chains where that is needed to meet the due diligence obligation.
Double Materiality Concept
One difference from other and earlier sustainability regulation is the double materiality concept, which is a requirement to “report both on the impacts of the activities of the undertaking on people and the environment [impact materiality], plus on how sustainability matters affect the undertaking [financial materiality]”.
Financial materiality refers to sustainability-related matters that could present financial risks or opportunities for an undertaking. ESRS 1, Section 3.5, states that “[a] sustainability matter is material from a financial perspective, if it triggers, or could reasonably be expected to trigger, material financial effects on the undertaking.”
It is here that cyber resilience and technology risk controls come into play, in the same manner as for financial statement line items (FSLIs): the systems and data that produce the reported sustainability figures now need the same integrity, access and change controls as those that produce the financial figures.
Where there is any doubt over the validity and accuracy of the quantitative measures an entity reports under the new non-financial reporting requirements, external auditors will not be in a position to sign off those disclosures with the required level of assurance.
Audit Requirements
The European Sustainability Reporting Standards (ESRS) introduce an extensive set of sustainability disclosures for in-scope companies. Because the double materiality assessment required under these standards considers both financial effects and impacts, companies must hold robust data and documentation, with sufficient transparency about how input values were determined. Further, as with financial reporting, the process used must be repeatable in subsequent years: the same sources, inputs and calculation methods must be retained so that reported figures can be reproduced and compared.
SEC Equivalence
Whilst this is an EU regulation that, like GDPR, NIS2 and PSD2, applies to organisations outside the EU, it contains an equivalence provision under which third-country regimes such as the Securities and Exchange Commission’s (SEC’s) climate-related disclosure rules can be recognised where they are equivalent to or exceed the EU provisions.
However, the SEC’s rules are currently on hold while court challenges are heard. Even so, companies need to prepare for the possibility that some or all of the rules will come into effect.
Additionally, a growing number of US states and other countries require similar disclosures, which can include quantitative and qualitative measures of operational impacts as well as a defined measure of progress toward sustainability goals, to be made under the non-financial reporting rules for filed accounts.
The Broader Impact of Non-Compliance
Compliance matters because, beyond financial penalties and (in France) the potential imprisonment of management, failing to comply with CSRD can have broader implications, including but not limited to:
Reputational damage, leading to loss of trust among investors, customers and other stakeholders.
Operational disruption resulting from the penalties imposed, reducing free cash flow and the capital available for investment.
Increased regulatory scrutiny, which diverts resources away from core activities in order to remediate compliance issues.
Higher audit costs, as external auditors examine financial records and operational processes in far greater detail; for organisations of the in-scope size this will run to millions of dollars or euros.
Competitive disadvantage, where competitors are viewed by capital markets and investors as more transparent, more committed to sustainability and carrying lower future non-compliance risk.
Software Tools for Compliance
At present, a further challenge for organisations is the lack of off-the-shelf products to ease the transition to compliance.
For Sarbanes-Oxley (SOX), SAP, a major platform for these in-scope organisations, has governance, risk and compliance functionality built in, and a number of third-party identity and access-governance vendors (Zluri, Lumos, Okta, Saviynt, amongst others) offer add-on tooling that supports SOX access controls around SAP. There is no equivalent product for sustainability due diligence at this time, so many companies have had to develop their own proprietary applications to suit their individual operations.
Targets for Ecoterrorists & Environmental Groups
It may also be the case that increased sustainability regulation provides certain groups with the motivation to use cyber attacks to seek out data that proves non-compliance, to manipulate records so that audits reveal non-compliance, or to undermine any AI/LLM models a target organisation uses in its assessment and quantification process.
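The record-manipulation threat described above, and the repeatability requirement under Audit Requirements, both come down to the same control: being able to prove at audit time that the quantitative inputs are the ones that were originally collected. The following is an added illustration, not code from the page, the directive or any vendor. It seals a set of constructed sample metric records in a manifest of per-record SHA-256 digests, authenticates the manifest with an HMAC, and re-verifies it to detect an altered, inserted or missing record. The key is assumed to be held by a control function separate from the team that maintains the data (a key vault or HSM in practice), so that whoever can edit the records cannot re-seal the manifest; the record layout and key handling are assumptions made for the example.

```python
"""Tamper-evident manifest for sustainability-reporting input records.

Added illustration. Assumptions: records are flat JSON-serialisable dicts keyed
by (site id, period, metric); the HMAC key is held by a control function
separate from the data owners (e.g. in a key vault), so that whoever can edit
the records cannot re-seal the manifest.
"""
import hashlib
import hmac
import json

# Constructed sample input: three quantitative metrics as an in-scope entity
# might collect them from site systems before they feed the sustainability statement.
SAMPLE_RECORDS = [
    {"id": "site-001", "period": "2024", "metric": "scope1_tco2e", "value": 1250.4},
    {"id": "site-002", "period": "2024", "metric": "scope1_tco2e", "value": 980.0},
    {"id": "site-001", "period": "2024", "metric": "water_m3", "value": 45200},
]


def _canonical(obj) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(record: dict) -> str:
    """SHA-256 over the canonical form of one record (value included)."""
    return hashlib.sha256(_canonical(record)).hexdigest()


def _record_key(record: dict) -> tuple:
    return (record["id"], record["period"], record["metric"])


def build_manifest(records: list, key: bytes) -> dict:
    """Seal the record set: one digest per record, then an HMAC over the whole list."""
    entries = [
        {"id": r["id"], "period": r["period"], "metric": r["metric"], "sha256": record_digest(r)}
        for r in records
    ]
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac_sha256": tag}


def verify(records: list, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means the records match the sealed manifest.

    Checks, in order: the manifest itself has not been rewritten (HMAC), then every
    record's content hash, then that no record was inserted or removed.
    """
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        # Stop here: the entries cannot be trusted if the seal is broken.
        return ["manifest signature invalid"]

    findings = []
    sealed = {_record_key(e): e["sha256"] for e in manifest["entries"]}
    seen = set()
    for r in records:
        k = _record_key(r)
        seen.add(k)
        if k not in sealed:
            findings.append(f"record {k} inserted")
        elif not hmac.compare_digest(sealed[k], record_digest(r)):
            findings.append(f"record {k} altered")
    for k in sealed:
        if k not in seen:
            findings.append(f"record {k} missing")
    return findings


if __name__ == "__main__":
    demo_key = b"demo-only-key-held-by-control-function"  # assumption: the real key lives in a vault
    manifest = build_manifest(SAMPLE_RECORDS, demo_key)
    print("clean:", verify(SAMPLE_RECORDS, manifest, demo_key))

    # Simulated manipulation: the Scope 1 figure for site-001 is quietly lowered.
    tampered = [dict(SAMPLE_RECORDS[0], value=900.0)] + SAMPLE_RECORDS[1:]
    print("tampered:", verify(tampered, manifest, demo_key))
```

The manifest is what gets archived with the reporting pack; at the next audit cycle the same records are re-verified against it, which gives the repeatability the standards ask for as well as tamper evidence. An attacker with write access to the records but not the key can change a value, but cannot produce a manifest that verifies, so the alteration surfaces as a finding rather than as a silently wrong figure.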
There has been a shift in tactics by some environmental groups, away from direct action and towards cyber operations, including using dark-web marketplaces to hire those with the requisite skills to exfiltrate, corrupt or destroy data.
Further, within the existing cyber threat environment, data has suggested that cyber attacks are more frequent in countries and US states with more onerous and punitive data privacy laws than in those without. The same pattern may well repeat itself here, where malicious actors believe (rightly or not) that financial penalties, the risk of management imprisonment, and greater regulatory oversight and audit examination will make organisations as willing to pay as they have been in prior ransomware attacks.
On this, we will have to wait and see.