Leveraging Cybersecurity as a Business Growth Enabler
June 06, 2023
While there are countless benefits to investing in cybersecurity, from protecting sensitive information to mitigating risks, one not often highlighted is the positive impact cybersecurity has on a companyʼs ESG profile. As ESG is used as a means to identify and take action on material areas of risk and opportunity, cybersecurity emerges as an important area of exposure for many companies, especially those with access to large amounts of confidential, sensitive information.
A strong ESG program reflects not only relevant topics to a company’s industry but also areas of concern to its key stakeholders, which often includes customers, investors, regulators, and employees. Cybersecurity regularly arises as a key consideration for many of these groups, as each has an interest in proactively mitigating risks related to cybersecurity incidents. Companies can send a strong signal to all of these stakeholder groups by involving their Chief Information Security Officers (CISOs) in ESG assessments, strategy, and improvement projects.
How Does Cybersecurity Contribute to ESG?
Data is a companyʼs most critical asset – 90% of S&P 500 Companiesʼ asset values are intangible, meaning there would be serious consequences should a cybersecurity incident cause data to be stolen or leaked.1 Cybersecurity incidents can also disrupt business operations or impact the safety of people and the environment. Because the potential damage from a cybersecurity incident is significant, strong cybersecurity practices are a core pillar of ESG programs. In fact, for many of our clients, it is one of the most material areas of risk in the governance category (the “G” of ESG). Most ESG reporting frameworks and rating agencies, including S&P Global and Sustainalytics, already consider cybersecurity when evaluating a companyʼs governance structure, standards, and practices.2, 3
What Can CISOs Do to Contribute to ESG Efforts?
Once a company conducts a materiality assessment with cybersecurity defined as one of the key issues to address, incorporating strong cybersecurity practices into an organisationʼs ESG program benefits the company by making cybersecurity both more integrated into the larger governance program and allowing the cybersecurity team and the CISO to engage with the broader employee base. CISOs should ideally be a part of a defined ESG Executive Leadership Committee—an entity at the top of the organization with decision making power and the ability to meaningfully integrate ESG into business strategy decisions. Through this committee, the CISO should engage with the defined ESG/sustainability team to understand their work to date, including materiality assessments and stakeholder communications, frameworks, and targets, and how cybersecurity can be integrated further. CISOs should also proactively contribute to ESG and Corporate Sustainability reports to demonstrate to shareholders the value that cybersecurity is adding to the organisation. Including CISOs in these reports will demonstrate cybersecurity processes and controls maturity, resulting in better stakeholder alignment and higher scores during independent sustainability assessments.
How Will Cybersecurity and ESG Integration Add Value?
Cybersecurity teams are often considered a risk management function within an organisation, helping to identify and manage cybersecurity-related risks. Effective cybersecurity measures also have an overlooked role in creating value for a firm, as strong cybersecurity programs can help companies achieve better external ESG ratings, engage more meaningfully with investors, and decrease operating costs and volatility. As ESG evaluations become more nuanced—whether from investors, peers or third parties—companies should expect to receive an increasing number of inquiries about what they are doing to protect the intangible assets on their balance sheets. A strong cybersecurity program, including clear stakeholder communication around the programʼs value, is essential to both mitigating risk as well as receiving credit for action taken.
1: Jarzebowski, Martin, “As Intangible Assets Grow, So Does The Role Of ESG Standards,” Forbes (29 December, 2020), https://www.forbes.com/sites/forbesfinancecouncil/2021/12/29/as-intangible-assets-grow-so-does-the-role-of-esg-standards/?sh=2cac3f4d4d44.
2: “What sets S&P Global ESG Scores apart?,” S&P Global (2023), https://www.spglobal.com/esg/solutions/data-intelligence-esg-scores.
3: “The ESG Risk Ratings: Material ESG Issue – Data Privacy And Security,” Sustainalytics (January 2022), https://connect.sustainalytics.com/hubfs/INV/MEI%20backgrounders/Data-PrivacyBackgrounder%20Jan%202022.pdf.
Most Popular Insights
- 10 Global Cybersecurity Predictions for 2024
- Global CFO Survey 2024
- Bridging the Gap Between Artificial Intelligence Implementation, Governance, and Democracy: An Operational and Regulatory Perspective
- The Power of Positive Paranoia: A Key Trait for Every CEO and General Counsel in 2024
- A Targeted Approach is Key to Implementing AI