The other S in ESG: How security considerations can affect the success of your ESG programs
ESG (Environmental, Social, and Governance) frameworks offer strategic and repeatable processes and guidelines for evaluating corporate behavior and the value of the intangible impacts an organization may have. As organizations develop, implement, and track their ESG goals and impacts, new technologies are inevitably introduced to store and monitor new forms of customer and employee Personally Identifiable Information (PII) and business-critical data in the form of Intellectual Property (IP). This is especially true when the information is stored in a third-party managed off-site location or in a cloud environment.
Because of this, business leaders and those working in the ESG space are finding that cybersecurity is fast becoming a core consideration. On top of cybersecurity’s critical role in protecting systems, networks, programs, data, and the personal information of employees and customers, it is equally important to investors, who typically examine data protection and information security policies to evaluate the controls a company has in place against cyber risks.
Just how important is this?
In today’s digital economy, businesses are challenged to meet their ESG targets while simultaneously ensuring robust cybersecurity and privacy measures. These concerns have been at the forefront of global risk maps for several years. Cybersecurity is a prevalent issue, specifically in the context of the digital economy, as corporate stakeholders expect cyberattacks and security breaches to be proactively mitigated, and the residual risk to be measured, as part of enterprise-wide risk management. Additionally, cyberattacks can have a significant impact on the environment, the people, and the governance of corporate entities. The social and environmental impact of such attacks was well demonstrated by the SolarWinds and Colonial Pipeline attacks, and more recently by the late November attack against the Municipal Water Authority of Aliquippa in Pennsylvania, which has been linked to a threat group operating under the name Cyber Av3ngers.
ESG ratings agencies often include cybersecurity and privacy in their “ESG scores,” which many investors use as shorthand for a company’s ESG status. For example, within MSCI ESG Research (MSCI is a leading provider of decision support tools and services for the global investment community), privacy and data security, along with chemical safety, responsible investment, consumer financial protection, and product safety, are considered key elements of the product liability theme within the social pillar of the MSCI ESG score.
As noted above, one of the reasons cybersecurity is important to ESG frameworks is that it is a key metric for measuring the social pillar. Cybersecurity has gained wider attention as the global workforce has pivoted to working from home and as data breaches have hit companies across industries. Companies that do not adequately protect their information networks can be fined and/or suffer reputational damage, resulting in loss of customers and revenue, and in greater difficulty recruiting talent and maintaining a strong employer reputation. The effect can be especially material in industries that have conventionally spent less on cybersecurity.
Moreover, additional data protection regulations have been introduced globally to enhance the protection of personal information, reshaping corporate behavior towards data usage and security. In May 2018, the European Union’s General Data Protection Regulation (EU GDPR) took effect, and in June 2018, the California Consumer Privacy Act (CCPA) was signed into law. Growing compliance requirements will likely drive corporate spending higher and may lead to financial losses if companies fail to take the necessary precautions to protect the individual members of society who interact with their brand.
How are organizations managing increased requirements?
As enterprises gear up to strengthen their security and privacy strategies to satisfy basic customer expectations and compliance requirements, the key ESG pillars can serve as a solid foundation. Alternatively, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the International Organization for Standardization (ISO) ISO/IEC 27000 series of standards, or the Center for Internet Security (CIS) Critical Security Controls can help achieve the same goals.
As a means of supplementing existing resources, a virtual Chief Information Security Officer (vCISO) is one solution that has been gaining popularity in recent years. Virtual CISOs provide businesses with the expertise of a highly trained security professional without the high cost of hiring a (or another) full-time employee. This can be particularly beneficial for small and medium-sized businesses (SMBs) and not-for-profit organizations (NFPs), which may not have the resources to hire an in-house CISO.
A vCISO provides the same level of knowledge and experience as an in-house CISO, but at a more affordable and scalable cost. Larger companies, even those that already have an in-house CISO, can also benefit from a vCISO in the form of a deputy CISO who is dedicated to specific cybersecurity areas and provides assistance across the organization as needed, such as researching strategies to ensure the company is achieving its ESG initiatives and objectives.
The writing’s on the wall
Cybersecurity is a critical component of ESG frameworks, and ESG success cannot be achieved without robust security controls in place and qualified personnel to manage the information security program. It is a key metric under the social and governance pillars and continues to gain attention as data breaches become daily news. It demonstrates a focus on taking care—of who you serve, how you serve, and the environment where it all takes place.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.