Why ESG criteria must include cybersecurity

Q&A | July 25, 2023

Companies must expand their definition of sustainability to include survivability against all kinds of risks, especially cyberattacks

Gathering, safeguarding, and sharing data are hugely important for creating successful environmental, social, and governance (ESG) programs. After all, you can’t change what you haven’t measured. But organizations simply are not putting data or data privacy at the forefront of their ESG criteria.

That’s why Cristina Dolan and her co-author, Diana Barrero Zalles, wrote Transparency in ESG and the Circular Economy: Capturing Opportunities Through Data. Dolan, who has worked as an engineer, computer scientist, and entrepreneur in cybersecurity for decades, currently manages business partnerships and sales for security firm NetWitness. In her book, she argues that executives have to take data gathering, usage, and privacy seriously if they want to make real ESG progress. Dolan shared her views in a recent conversation with Workflow. An edited version of the conversation follows.

Cyberattacks—especially data breaches—are one of the most immediate sustainability and ESG risks that organizations face today. When organizations are hacked, the impact is often devastating. Most small businesses that suffer a cyberattack go out of business within a few months. Small and midsize businesses make up a huge portion of most economies and are responsible for half of new employment in the U.S.

Better understanding the survivability of such companies after an attack is vitally important to investors, regulators, executives, etc. While many stakeholders can and do utilize traditional credit risk metrics, which capture how creditworthy a company is, to gain that understanding, it’s important that they go further to get a complete picture. ESG is a much more holistic way to measure the sustainability of organizations that everyone depends on.

When a company implodes, it isn’t just the employees and investors who are affected. Today’s companies are part of intricately connected ecosystems, networks, and supply chains. This interconnection creates enormous benefits as well as great vulnerabilities. When businesses fail, they affect other businesses in the ecosystem. The loss of businesses isn’t just about the loss of jobs; it impacts the tax revenue available for schools or other important infrastructure.

These interconnections also make it harder to secure that data. Organizations need to implement active monitoring and network detection and response in addition to developing plans before a breach. If a third-party vendor is breached, everyone in the network can be breached. This makes it a lot harder to gather and secure data across an entire network.

In the book, we argue that organizations that demonstrate good governance are more likely to reduce risks throughout their organizations than those that don’t. Frameworks like ISO 27001 and the NIST Cybersecurity Framework include controls that companies can implement to improve their security posture. Many of the best-run organizations require third parties to complete risk assessments before connecting to their ecosystems and networks.

Yet this is not enough. Cybersecurity defense should be an active process involving detection, response, and solid plans for incident response. It is inevitable that organizations will be attacked, and without a plan, the response will be difficult and costly. Some important activities include conducting security posture assessments, actively monitoring networks and threats, investing in resources to manage and respond to threats, creating an incident response plan and an inventory of digital assets, and implementing education and training programs.

Fortunately, public companies are required to disclose financially material risks as part of their public filings. For example, the Securities and Exchange Commission requires public companies to report certain cybersecurity breaches within four days.

Ultimately, the responsibility for ESG strategy—and data management—belongs to executives. I’ve seen too many executives make the mistake of thinking someone else will deal with the problem later. Later is too late. It’s always a matter of when—not if—your organization will be attacked. Every company should include a cyber risk profile as part of its ESG strategy today.
