When asked if cybersecurity is an ESG issue, few executives say yes, according to Allison Pan, a senior vice president within Marsh McLennan’s Emerging Risks Group. However, that doesn’t mean they don’t treat it as such in practice. Executives might bring up the impact of cyber on equity, skills, and talent—all of which clearly fall under ESG, she says.
For example, more equitable hiring may mitigate the risk of creating software that discriminates against certain populations or communities or is prone to costly errors. Organizations like the World Economic Forum recommend hiring from a wide range of backgrounds to boost an organization’s cyber defenses, and companies are following this advice. “Many [companies] are thinking about cyber as an ESG issue already,” says Pan. “They just don’t know it yet.”
So why the disconnect? A large part of the issue is language, says Pan. ESG has become a catchall that means different things to different people, and some executives, she says, take it to be synonymous with environmental sustainability alone. As a result, connecting cyber to ESG feels like an unnecessary leap.
Yet ESG covers a lot more than just sustainability. Many key ESG frameworks—CDP, the Climate Disclosure Standards Board, the Global Reporting Initiative, and the Science Based Targets initiative, to name a few—identify and measure risk factors that don’t appear on a standard balance sheet but nonetheless could impact a company’s core business and market cap.
“How well can you sustain your business in the face of danger? Cybersecurity is core to that,” she says.
Thus, explicitly linking cybersecurity to ESG isn’t a matter of semantics. “Cybersecurity is a crucial part of any ESG strategy,” insists Shaun McAlmont, CEO of cybersecurity training firm NINJIO. Organizations use ESG ratings to make decisions and get resources, he says. Without incorporating cyber into ESG scores, they could be leaving resources on the table that they need to build better cyber strategies.