Get Started
ESG and cybersecurity go better together

Article | July 17, 2023

ESG and cybersecurity go better together

Companies don't normally think cybersecurity is connected to increasing diversity or reducing climate impact. They should.

Executives have heard the message loud and clear: taking environmental, social, and governance (ESG) matters seriously creates value for businesses. That’s why ESG is a top priority for many of their most important stakeholders, including regulators, shareholders, customers, and employees. The pandemic, climate crisis, social upheaval, and geopolitical unrest of the past few years have only underscored its importance.

Most executives polled rank cybersecurity as one of their top concerns, according to a recent survey from ServiceNow and research partner ThoughtLab – even as other issues, such as workforce diversity and the environmental impact of operations, compete for their attention. About half are currently working to improve data privacy and security, and six out of 10 plan to do so in the years to come. Regulatory bodies like the U.S. Securities and Exchange Commission are turning up the heat, mandating that organizations work harder to prevent—and to disclose—cyber events like data breaches.

Companies plan to increase investment in both ESG and cybersecurity, according to research from PwC, which also showed that cybersecurity is a top concern in the boardroom as well as the C-suite. To make real progress while saving time and money, executives should treat cybersecurity as an ESG issue, insists Drexel University adjunct law professor Leeza Garber, who also teaches a course on internet law, privacy, and security at the University of Pennsylvania’s Wharton School.

“There’s a clear relationship between the two,” she says. “Cyber and ESG issues can cause massive disruptions. But they can also be selling points for clients. We need to see a change in how companies handle them, and that’s going to require training, money, and openness.”

When asked if cybersecurity is an ESG issue, few executives say yes, according to Allison Pan, a senior vice president within Marsh McLennan’s Emerging Risks Group. However, that doesn’t mean they don’t treat it as such in practice. Executives might bring up the impact of cyber on equity, skills, and talent—all of which clearly fall under ESG, she says.

For example, more equitable hiring may mitigate the risk of creating software that discriminates against certain populations or communities or is prone to costly errors. Organizations like the World Economic Forum recommend hiring from a wide range of backgrounds to boost an organization’s cyber defenses, and companies are following this advice. “Many [companies] are thinking about cyber as an ESG issue already,” says Pan. “They just don’t know it yet.”

So why the disconnect? A large part of the issue is language, says Pan. ESG has become a catchall that means different things to different people. At the same time, however, some executives think it’s synonymous with environmental sustainability alone, she says. As a result, connecting cyber to ESG feels like an unnecessary leap.

Yet ESG covers a lot more than just sustainability. Many key ESG frameworks—CDP, the Climate Disclosure Standards Board, the Global Reporting Initiative, and the Science Based Targets initiative, to name a few—identify and measure risk factors that don’t appear on a standard balance sheet but nonetheless could impact a company’s core business and market cap.

“How well can you sustain your business in the face of danger? Cybersecurity is core to that,” she says.

Thus, explicitly linking cybersecurity to ESG isn’t a matter of semantics. “Cybersecurity is a crucial part of any ESG strategy,” insists Shaun McAlmont, CEO of cybersecurity training firm NINJIO. Organizations use ESG ratings to make decisions and get resources, he says. Without incorporating cyber into ESG scores, they could be leaving resources on the table that they need to build better cyber strategies.

Reporting frameworks and ratings rely on data about cyber risk, carbon emissions, and so on. To bring cybersecurity and ESG into alignment, executives should make data gathering and privacy an integral part of their overall governance and compliance processes. 

The benefits of doing so are clear: The organizations that are ahead on ESG are better at collecting, sharing, and safeguarding data than their counterparts, according to the ServiceNow/ThoughtLab survey. Of the businesses that are leaders and made the most progress on ESG, the vast majority—over 90%—excel at setting, tracking, and reporting ESG metrics. Only 60% of their non-leading counterparts can say the same.

At the same time, gathering lots of data is less important than gathering the right data, Pan says. Companies struggle to gather useful data because there isn’t consistency between federal and global cybersecurity standards and practices. For accurate measurement, stakeholders across cyber and ESG should talk to each other and share access to a centralized repository of data.

In over half of all organizations surveyed by ServiceNow and ThoughtLab, data is widely available, traceable, and usable for decision-making. Leaders are more likely to collect and share data than others. Compiling data and making it available throughout the organization can help executives better calculate and manage risk, educate employees, and demonstrate to shareholders and customers a company's commitment to ESG.

Incorporating cybersecurity into ESG reporting will result in a clearer picture of organizational risk, says Drexel's Garber.

Incorporating cybersecurity into ESG reporting will result in a clearer picture of organizational risk.

With that information in hand, it’s crucial that organizations develop robust data-driven training programs for their employees. “You can have a beautiful internal policy with great best practices, but if your employees aren’t engaging in regular tabletop exercises, it’s meaningless,” she says.

At a time when companies are facing a variety of risks, preparing for one disruption can help mitigate others. Rather than waiting for a worst-case scenario to come true, executives would do well to bring potential risks to light early on. Openness and preparedness make companies more resilient. Equally important, they help build a more honest relationship with customers and other stakeholders.

All of this work is good for business, says Garber. “Consumers are more and more educated,” she says. “If you can show them you’re putting in the work, it matters, and it can be great for building consumer trust.”

Trending articles

Related

 Facilitate Collaboration Between IT Operations Management and Security Operations with AIOps

Get eBook

Related articles

Automating Risk and Compliance
Q&A
Automating Risk and Compliance

New technologies are keeping corporate leaders in compliance with the fast-changing rules that affect their businesses

The future-ready manufacturer
ARTICLE
The future-ready manufacturer

New research shows how technology investments can yield priority outcomes across the value chain

Author

Evan Ramzipoor is a writer based in California.

Articles by Evan Ramzipoor