ESG Compliance, a Drop in Ransomware Attacks, and a Chad’s on a Spa Day 🤖

Good morning.

There were a few interesting pieces of news on ESG compliance and regulations that are worth keeping an eye on. Many of these rules are yet to come into force, but companies should start thinking about how they will meet these requirements (and who will take the lead). Also, there’s some positive news on the ransomware front.

Unfortunately, the metrics didn’t update properly today. I’ve sent Chad (the robot who manages the data) off for a spa day while I fix things, and I apologize that there aren’t any numbers today.

Coverage and Analysis

ESG Round Up

Two ESG-related items caught my eye over the last week.

EU Anti-Greenwashing Legislation

The EU is introducing legislation to counter greenwashing – misleading environmental claims – in response to concerns that companies are being dishonest about their environmental credentials. One analysis by the European Commission found that over 50% of claims contained “vague, misleading or unfounded information” (or as we used to call them, ‘lies’), illustrating how widespread the problem is. 

EU countries would have to ensure environmental claims are proven against a science-based methodology, such as a “product environmental footprint” framework that tracks environmental impacts across 16 categories including the air and climate change.

“By fighting greenwashing, the proposal will ensure a level playing field for businesses when marketing their greenness,” said the draft, which could still change before it is published.

It would be up to EU countries to put in place appropriate systems (and fines) to bring the eventual rules into force, but this would clarify decision-making for consumers, who would be more assured of the veracity of any green claims made by a company. Companies will have an additional compliance burden for any claims they make but should be able to reap a ‘green dividend’ from consumers who want to favor firms taking steps to address climate change. See Reuters for more.

Companies Aren’t Ready for ESG Reporting Regulations

An FT piece this weekend (from the print edition, so no link, I’m afraid) notes that although companies are facing climate reporting requirements around the world, many seem far from ready. A move from voluntary to mandatory reporting raises the reporting requirements and the level of detail required. This is outside the expertise of many heads of ESG, who will be subject matter experts in that domain, not in compliance and audit. The Big Four accounting firms are pushing companies to bring ESG reporting into their existing audit and reporting frameworks, which does offer some advantages: all major firms have an experienced team who can ensure that reports are compiled and submitted in line with the appropriate guidelines.

However, being a crack financial auditor doesn’t necessarily lend itself to evaluating the efficacy of a DEI policy or the qualitative returns to the community of a social-impact program. Therefore, there still needs to be a mix of expertise to ensure that both the regulatory and the practical aspects of these programs are met. Otherwise, the ‘tick box’ aspect of ESG may be in great shape while the initiatives themselves are effectively worthless.

Eventually, a new class of specialist ESG auditors who bring a mix of technical and regulatory expertise to bear will emerge. 

However, I still believe that the best way forward for ESG is to break it up as the individual elements are all too mature now to remain part of a single portfolio. This would bring much-needed clarity to these essential elements of business and also avoid the kinds of dissonance we see where Exxon can have a better ESG rating than Tesla. (Your feelings towards Elon Musk should not be the empirical basis for evaluating a company.)

Nevertheless, it’s a good time to think about your ESG programs, look at the kinds of regulations that may be coming your way, and think about how you’ll meet the reporting requirements. The decision on ownership should be given careful thought as, once someone owns a portfolio, it is difficult to get them to give it up.

Ransomware Payments Were Down in 2022

A recent report from Chainalysis noted that ransomware payments were down significantly in 2022. They estimate that 2022 ransomware payments were $456.8 million, compared to $765.6 million in 2021. They note that there is often a delay in tracking down all payments and that the 2022 number could rise, but the overall trend was unmistakably down.

Importantly, the report notes that the number of attacks has not decreased: instead, companies are less willing to pay ransoms. A number of factors may be influencing this change, but chief among them are likely to be increased pressure from law enforcement not to pay, insurance companies tightening up on the instances where they will pay for cyber attack damage, and better contingencies in many firms, making it easier to recover from an attack.

The report also explained that the majority of ransomware attacks seem to be ‘ransomware as a service’ where a small group develops and controls the ransomware strains, which are then used by a network of criminals to carry out the attacks, paying a fee for the use of the strain. The “gig economy, but for ransomware” as the report calls it, makes the sector seem much larger than it actually is.

The fluidity with which affiliates move between ransomware brands makes the sector appear larger than it really is. “The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundred,” said Bill Siegel, CEO and co-founder of ransomware incident response firm Coveware. “It’s the same criminals, they’re just repainting their get-away cars.” Siegel indicated this activity has increased of late, and that affiliates are now much more likely to switch strains frequently rather than stick with one for an extended period of time.

Interestingly, this is not dissimilar to how Anonymous, the hacking collective, operated at its peak. A handful of highly adept, technical coders built and directed the tools, which were then deployed by hundreds of ‘script kiddies’.

The report focuses on the trends in how attacks are conducted but does include some tips and reminders of what firms should be doing to make themselves less vulnerable to these types of attacks.

Of course, the best-case scenario is for organizations not to fall victim to ransomware attacks in the first place. To that end, Liska recommends organizations run recurring tabletop exercises, in which all relevant teams — cybersecurity, networking, IT, server administration, backup teams, PR, finance, etc. — meet with leadership to establish how the organization can keep itself secure, identify vulnerabilities, and understand who’s responsible for all aspects of security. “Having a realistic picture of where your organization stands and what its weaknesses and strengths are will better prepare everyone in the event your organization is hit with a ransomware attack, and it also makes leadership aware of where it needs to invest to better secure the network, ahead of an attack,” said Liska. (Allan Liska, the Ransomware Sommelier)

Read the full report here

As a side note, the crypto market fluctuated very significantly in 2022, so I’m curious whether this had an effect on the dollar-amount payouts for that period. For example, a 1 BTC ransom demand made in January 2022 was the equivalent of around $38,000. This would have paid out $47K if paid in March but only $20K in June.

A chart from the Chainalysis report, which I annotated with the number of Bitcoin equivalents

The report doesn’t seem to mention these fluctuations and may have accounted for these differences, but it will be interesting to see if the downward trend continues into 2023 as the crypto market recovers.

Election Watch

26 January: Tokelau, General Fono

29 January: Liechtenstein, Constitutional referendum

Campaigning has begun for Tunisia’s second round of the 2022 legislative elections. (Voting is scheduled for January 29.)

Turkey’s elections have been brought forward to May 14.

Palate cleanser

Bye Chad. See you tomorrow.

Again, my apologies that there aren’t any metrics today.

I need your feedback – please share your thoughts.
