The ransomware attack on the Colonial Pipeline in May 2021 was just one of many signs that environmental and cybersecurity risk are closely connected. Thefts of personal information during a cybersecurity breach erode trust on the part of customers investors, employees and other stakeholders, demonstrating the link between cyber risk and social risk. The new disclosure and reporting requirements embedded in the Security and Exchange Commission’s latest regulations governing the oversight of cybersecurity underline the link between governance risk and cyber risk.
All this evidence shows that either cybersecurity is already part of ESG, and, perhaps, a more appropriate abbreviation should be ESGC. Most enterprise risk management policies have already expanded their oversight from purely financial risk to these other areas, including cybersecurity. Cyber risk can be as harmful to a company’s reputation and value as any other ESG issue, and the damage is inflicted and experienced in much the same way. As cyberattacks increase in size and frequency, the direct and indirect damage to companies — including loss of customer confidence, reputational damage, potential impact on the stock price and possible regulatory actions or litigation — arguably touches all aspects of ESG.
This convergence of these of risks is widely recognized across companies, investors and governments. The World Economic Forum’s Global Risk Report 2022 notes that the five main areas of risk are economic, geopolitical, social, environmental and technological. According to an RBC Global Asset Management Responsible Investment Survey, asset managers rank cybersecurity as their second-biggest concern among ESG-related themes. That places it above the environmental risks of climate change and water and the governance risk of shareholder rights and voting. The only ESG-related theme of higher concern is the governance-related risk of anti-corruption.
Cybersecurity is ranked at four on a scale where five means “Make or Break investment decisions” in almost all jurisdictions (U.S., Europe, Canada, and Asia, according to the RBC survey). Only in Asia did most respondents rank it at 3. Climate risk and cybersecurity/data privacy were also the two factors with the highest increase in percentage points in terms of what managers were “most closely focusing on” between 2020 and 2021. The response to the ransomware attack on the Colonial Pipeline, which involving a wide range of government bodies, also indicates how authorities are taking notice of ESGC.
It’s important for companies to respond to growing stakeholder concern about these issues through transparent disclosures that detail how they manage these risks across all the ESG pillars and, in some cases specifically, focus on the “C” of cybersecurity. Board oversight of cybersecurity and technological risk may be strengthened if it is handled by the same committee that oversees ESG risk.
Finally, companies should consider using cyber risk ratings to identify issues across public facing networks in the same way they use third-party environmental and social (sustainability) ratings. Like other ESG factors, cybersecurity risks need to be managed carefully all along the supply chains and not just in a company’s core business.
ESG and C: Does Cybersecurity Deserve Its Own Pillar in ESG Frameworks?
