The concept of environmental, social and governance (ESG) is described as a set of standards for a company’s behavior used by socially conscious investors to screen potential investments. It’s also fast becoming a key focus not only for the top end of the enterprise chain, but for smaller companies too.
Businesses taking up the ESG cause pledge to be ethically bound to treat their people and customers with respect, to have a strict set of boundaries when it comes to policy making and to consider the environmental implications of not only their own actions, but those of their entire supply chain. Increasingly, cybersecurity is a core part of ESG—in fact, the two almost go hand-in-hand, according to a panel of cyber leaders at the recent PrivSec event in London.
But there are differing viewpoints on the matter, as noted by Tim Burnett, head of cybersecurity and compliance at the Science and Technology Facilities Council. He cited a report from the World Economic Forum, explaining that there has been an increasing number of cybersecurity attacks on critical infrastructure, ranging from finance to healthcare and other systems. But he said the report pointed out that investor and board pressures tend to focus on the environmental and social justice side, with security issues left to the regulators and insurance industries.
However, he also referenced a JP Morgan report with a differing viewpoint, that information security really should be a core part of an ESG framework. “ESG frameworks are a tangible means of evaluating corporate behavior by incorporating cybersecurity. A new dimension is added giving an insight into cyber behaviors and risks which form a critical part of the bigger ESG picture,” he read.
How Embedded Is Security in ESG?
Jonathan Wood, CEO of C2 Cyber, said ESG is “hoovering” up all budgets at the moment, and information security is regularly coming up as being a part of an overall ESG strategy. “Basically, if you want your budgets back for cybersecurity, you need to get ESG as an acronym into as many of your policies and documents as possible,” he said.
Vibha Mohan, data protection and privacy analyst, said companies back in the early 2000s were more focused on human rights and anti-slavery laws. Now in 2023, data compliance is as important as human rights to those same companies.
Wood said a ransomware attack at the Republic of Ireland Health Service in 2021 showed the social implication of not having a robust security strategy in place, as patients were unable to receive treatment or diagnoses during the height of the COVID-19 pandemic, and staff were forced to go back to using pens and paper.
“On the governance side of ESG, cybersecurity is part of the due diligence if a company buys another one,” Wood added. “The likelihood of a cyber breach has to be considered when buying an asset—if a business is bought at £10 [a share, about $12 USD] and it crashes to £5 [after a breach, about $6 USD], none of those pensions are going to do very well. So ESG in the city is imperative, and a big part of that is cybersecurity.”
The Bigger ESG Picture
Mohan stressed that cybersecurity was not only a governance part of ESG, but also embedded in the social and environmental side as well.
“You can’t look at cybersecurity purely from a governance perspective—you have to demonstrate that you have a working and functional framework and at the same time organizations have to ask what it means to them in terms of environmental and social obligations,” she said.
Wood agreed. “In the UK for example, there was a water shortage in various places over the winter—a lot of people were worried about a lack of water. Someone in the London area had built a huge data center, and the newspapers decided that this company was using all the water resources to cool their data center. We have to consider the environmental impact of running a SaaS business—it is definitely not zero,” he said.
Mohan also said the power-use implications of making copies of documents and securely storing them have to be considered.
“People need to think about the consumption of power every time they copy something or forward something. Save the planet, send fewer emails!” she said.
Is an In-House ESG Specialist the Way Forward?
Because the whole area of ESG is becoming such an important consideration for future business strategy, and since it’s so complex and all-encompassing, a growing number of firms are appointing their own in-house ESG advisor.
Of course, this is not possible for every single company, particularly when budgets are stretched, but embedding ESG compliance as part of an existing team member’s role is something many firms could consider for the future.
The panel also explained that laws are changing in the UK to make CISOs criminally liable for any security breaches, which raises an ethical question about a company’s security strategy and who really should be responsible when the unthinkable happens. Can a company truly demonstrate that they have made reasonable efforts to protect their data? Is everybody in the company aware that they have a part to play in keeping data safe?
“The question is when do we move from ethical behavior to punitive behavior for breaking rules? There is a fine line to tread,” Burnett said.
Wood said the need for ESG specialists is definitely growing, particularly as security threats continue to increase.
“Business continuity is definitely part of the G in ESG. Can a business still run if their supplier is breached?” he asked. “I heard a case of a butcher in the UK who could not trade because their packaging manufacturer had been breached, so they had no boxes to ship their products in.
“We are encountering ESG managers in [Financial Times Stock Exchange] companies and often these are aligned with a data protection officer role. They are not just whispering behind the throne, they are advising the board,” he added.
Drafting in these specialists means there is accountability along the entire supply chain in case of any security breaches, and also ensures that a firm is hitting every element of E, S and G. It also proves that more and more firms are accepting that security is a crucial part of their ESG journey, the panel concluded.