More than ever, companies and investors are focusing their attention on the impact of environmental, social and governance (ESG) factors in the development of their business strategy and operations. They recognise the significant reputational risks that arise from failing to appropriately consider such risks. Information technology has become a critical function, particularly since the rise of Covid-19, serving both as an enabler for businesses to operate and as a target for cybercriminals. Companies that are compromised by these cybercriminals are often faced with tough questions from their shareholders asking why they did not invest in appropriate cybersecurity measures. Similarly, future investment in companies must pass initial and ongoing ESG due diligence to ensure companies are managing these heightened risks more effectively than ever.
CyberSolace assists companies to better understand their ESG risks (as well as the opportunities that are also prevalent) to help them devise and implement a successful business strategy and report periodically to their stakeholders on how they effectively manage cyber risks as part of their overall ESG risk management approach. We have more than 30 years of collective experience working with companies, investors, asset managers (traditional and alternatives) and other stakeholders to help design, implement, manage and report on ESG and cyber-related risks. We have extensive experience working with Boards, Management and teams both in person and in more “virtual” environments to deliver timely, on-budget projects that meet your specific expectations.
Our ESG / Cybersecurity Integrated Services
- ESG / Cyber Strategy – Whether you are a start-up or an established, global organisation, we help companies protect their brand and reputation by supporting them in the assessment of ESG and cyber risks on their business strategy. We work alongside you to identify pragmatic and tangible enhancements to business and operational facets by managing ESG and cyber risks and developing strategies to leverage ESG/cyber opportunities. We develop a comprehensive journey and priority map to manage, mitigate and report on ESG / cyber risks and capitalise on ESG opportunities in relation to the business products / services.
- ESG / Cyber Risk and Regulatory Advisory – The Financial Conduct Authority (FCA) and Prudential Regulatory Authority (PRA) have also signalled their intent to make ESG and operational resilience a core component of regulated financial firms’ internal assessment of capital adequacy (ICAAP). We support firms in navigating the regulatory landscape at both the UK and EU level (e.g. Sustainable Related Financial Disclosure (SRFD) framework) in relation to ESG and cyber-related issues. CyberSolace can assist you with practical insights and hands-on support to help address your requirements.
- ESG / Cyber Risk Scenario Analysis – The demand for ESG scenario analysis is quickly increasing as listed companies and large UK pension schemes begin the process of reporting on the Taskforce for Climate Related Financial Disclosures (TCFD). We typically support companies as ESG / cyber Subject Matter Experts (SMEs) during the scenario development and challenge process to ensure that the firm’s assessment of its climate change, ESG and cyber-related risks is robust, comprehensive and more likely to withstand regulatory and/or investor scrutiny.
- ESG Reporting & Disclosure – Disclosure of ESG risks and opportunities is quickly becoming a requirement for investors and regulators; however, companies struggle to identify and report on the impact of their products and services. We help our clients develop and implement pragmatic, proportionate reporting frameworks, which have regard to international frameworks such as SASB, TCFD, GRI, IMP, GIIN Iris+ and UNGC’s Sustainable Development Goals (SDGs).
Crypto-Currency Crime Investigations
CyberSolace is able to help organisations with investigations that link real-world entities to crypto-currency activity. Using a state-of-the-art proprietary platform, we can trace crypto-currency addresses, transactions, or service names to understand who controls funds, and create graphs showing activity covering numerous mainstream crypto-currencies.
Over the last few years, adoption of crypto-currencies has shown a steady increase across the globe, with no sign of the trend waning on the horizon. Large corporates as well as retailers have begun adopting crypto-currencies as an alternative means of payment for goods and services. For example, PwC Luxembourg, Starbucks, Microsoft, Expedia and the Swiss city of Zug, amongst many others, have all begun on that journey.
Nonetheless, crypto-currency’s decentralised, semi-anonymous nature makes it a uniquely appealing option for criminals, and their embrace of the technology has somewhat helped shape part of its reputation. But contrary to popular belief, unlike cash and other traditional forms of value transfer, most crypto-currencies are inherently transparent. Especially in the case of currencies that are based on a public-ledger model, such as bitcoin, every transaction is recorded and publicly visible.
Identify Criminal Activity Through Blockchain Tracing
With the right tools, we can see how much of all crypto-currency activity is associated with crime, ransomware and extortion activity, and share insights with law enforcement and the industry to stop bad actors from abusing the system and, in many cases, taking advantage of vulnerable people.
In the specific case of ransomware attacks, CyberSolace can provide the necessary analysis to support specialised law firms in issuing injunctions on crypto-exchanges that are inadvertently or otherwise involved in the transfer of ransom payments for criminal groups. This ultimately offers victims a chance to block or even retrieve the ransom payments instigated by cyber-criminals.
Planning & Scenario Rehearsals
In our current times and the foreseeable future cyber incidents and breaches are an everyday potentiality for all businesses across all industry sectors. No company is immune to cyber incidents or the havoc they can cause when they occur. Be it ransomware, unauthorised remote access, extortion, cyber fraud, or denial of service – a cyber incident can be detrimental for a business if it is not prepared for it. This is why CyberSolace offers its cyber-incident-response rehearsing service to help organisations prepare for incidents in advance in order to lessen their impact on the business when they hit. Rehearsals are tailored to the unique business context of the client as well as aligned with current cyber-threats.
CyberSolace has also developed an innovative approach to help clients select the best response candidates at their disposal. We do not automatically revert to IT teams but instead we apply Occupational Psychology methods to identify the right individuals in an organisation that would be best suited to operate as incident-responders.
We always involve a multidisciplinary segment of staff from across the business covering senior leadership, IT, legal, corporate communications and business operations to represent a realistic backdrop of stakeholders who would typically be required in a real-life situation.
Cyber incident response rehearsals are a very effective method in helping organisations appraise and bolster their preparedness as well as build their confidence and efficacy when managing real life responses to serious incidents.
However, threat actors are constantly evolving, and technology is invariably susceptible to a stream of newly discovered vulnerabilities. That, coupled with the scale of the targeting and difficulty of monitoring all possible attack methods, means some attacks will get through. If the worst happens, you can call upon us to investigate an incident and help you with the containment, eradication and return to normal business operation. We apply industry best practices in our response strategies and also customise them to the context of the client’s business and priorities.
In last-resort situations we also help our clients conduct ransom negotiations with perpetrators in a way which minimises the unpredictability, loss and confusion which ensues in such scenarios.
Cybersecurity Pulse Check
Technical Penetration Testing:
Penetration testing is a vital proactive step an organisation can take to uncover weaknesses and holes in its technology infrastructure before the adversaries do. Penetration testing evaluates the security of the technology infrastructure by simulating an attack from a malicious or dangerous source.
At CyberSolace we believe in a holistic approach to security penetration testing which covers testing of the technical infrastructure and applications, the physical premises, the networks, and equally importantly, the people in the organisation through their levels of awareness.
We can provide CREST and/or CHECK accredited security testing services that would help management focus its resources on what matters and prioritise improvement actions in accordance with the qualified risk.
Cybersecurity Risk Assessment:
Risk assessments help you understand the scale and nature of the cyber threat that you face and the valuable business assets that stand to be compromised. They will ultimately help you focus your priorities and channel your investment to what really matters in order to mitigate the risks proportionately.
Cybersecurity Gap / Maturity Assessments:
We adopt a holistic approach to security and typically our assessments cover multiple facets, comprising People, Process, Technology and Organisation. Yet we mindfully maintain close attention to external influencing factors such as regulations, standards and emerging business technology and operating models.
We can utilise a number of known industry standards and frameworks to measure, audit or gap-assess your security posture and give you an objective view of how well your security practices measure up or if there are any urgent concerns that need to be addressed. Examples of some of the standards and governance frameworks we can utilise are: ISO 27001, GDPR, UK Government Cyber Essentials Framework and NIST Cyber Security Framework.
Because you cannot protect or improve what you do not know
But we also recognise that not all companies are the same or operate under identical regulations. Thus we can easily tailor an assessment framework that is specific to your business context and is more aligned to your company culture in order to ensure the final outcome is as meaningful as possible to your management.