How to Align Security with ESG Compliance

September 1, 2022 | By IANS Research

Environmental, social, and governance (ESG) compliance has become an essential and tangible component in how investors evaluate corporations — mindfully thought-out ESG standards extend past traditional financial performance indicators and analytics. A relatively new term, (formerly known as corporate social responsibility), ESC now permeates an organization’s cybersecurity program and its reputation for protecting consumer privacy. How customers, investment firms and the public perceive a brand has become a critical aspect of the ESG framework. 

This piece details the ESG criteria framework, how ESG and security impact one another, and also includes best practices to design a cybersecurity program that aligns with a corporate ESG strategy.   

What is the ESG Criteria Framework? 

The ESG framework’s non-financial indicators (environment, social and governance) identify and measure an investment's risk factors and potential growth. ESG considers elements not found on financial reports such as balance sheets, income statements, or their consequential financial analysis — but can still likely impact the company's value at some point. 

For example, a firm's waste management policy or history of deforestation wouldn't immediately show on a financial performance indicator such as net income or return on equity (ROE) rate. It is, however, part of the "environmental" factor of ESG that could impact financials and valuations in the long run. If, for example, the environmental issues caused costly legal battles, regulatory fines, or negative brand perceptions toward the business, that would likely devalue a company's stock at some point.   

While there are no definitive ESG reporting requirements for publicly traded companies, plenty of third-party providers such as Bloomberg ESG Data Services will provide ESG scores. Advocacy groups like the Sustainability Accounting Standards Board (SASB) are looking to standardize the ESG evaluation framework and require that firms report ESG scores to their shareholders.   

How Cybersecurity Programs Impact ESG 

A big challenge of ESG is how much cybersecurity management and public incidents impact the "social" and "governance" factors. The social indicators, which measure a firm's consideration of people and stakeholders, would be affected by how a business implements protective controls, detects threats, responds to attacks, and recovers from incidents - all showing consideration for customer data privacy and protection.  

Alternatively, cybersecurity also ties into the governance indicators, which evaluate the leadership's ethical standards for managing the company. An organization’s board of directors and executive team's priority on protecting organizational and consumer data and their transparency for reporting adverse cyber-related events could impact ESG scores for better or worse.    

Much of the consequences of a data breach are indirect costs such as reputational harm, with many organizations suffering damage to their brand reputation and value. There are also liability costs such as legal fees, settlement costs and regulatory fines that accrue long after the initial incident.  Total remediation costs can be incurred more than a year after a breach — which would take a while to show on a financial report.   

How to Align Cybersecurity Programs with ESG  

The solution to a solid ESG evaluation is maintaining a robust cybersecurity strategy that syncs with the firm's ethical values in managing the business and protecting its stakeholders. Here are some best practices you can use to align ESG strategies with cybersecurity initiatives and enhance your overall ESG scores.   

• View Cybersecurity as Risk Based 

Since much of ESG scoring is perceptual, simply acknowledging that cybersecurity is a considerable risk to your enterprise will go a long way in ESG. During shareholder meetings and press releases, Chief Executive Officers (CEOs) and Chief Information Security Officers (CISOs) need to take a united front in accepting data security as a top priority and ensuring the organization is taking all precautions against the rise in cyber threats.    

• Promote Swift Security Transparency 

Honesty significantly contributes to the perception and reality of organizational ethical standards. Organizations that take too much time to notify their stakeholders, initiate a cover-up, or outright lie that an incident occurred will not be perceived well by the public — especially if legal requirements are involved. The same principle applies when talking about a cybersecurity incident within the organization. If consumer data is compromised, the notification process must be fast and provide precise details of what happened, what customers can do, and how you are remediating the issue.    

• Invest in Modern Security Solutions 

Stakeholders need to know that your organization commits to investing in cybersecurity technology necessary for today's threats like multi-factor authentication (MFA) and single sign-on (SSO) tools as well as frameworks that account for modern cloud and hybrid architectures such as zero trust. Simply taking this type of initiative lets you put your money where your mouth is by proving that the leadership team is committed to innovative solutions to protect their customers and partners.    

• Hire Leaders with Security Experience  

The makeup of the board of directors and executive team are critical elements in the governance factor of ESG. Not only should your business consider hiring a CISO in a full-time or fractional capacity, but they should also hire directors and upper managers with backgrounds and knowledge in cybersecurity or compliance program management, as well as prioritize retaining cybersecurity talent at all levels.  

• Consider Third-Party Risks and ESG Impacts 

Your enterprise doesn't have to be a direct target to fall victim to a breach. Over half of all data breaches occur due to a third-party vendor or service provider. Just as you would self-audit to construct an in-house system to protect your data and digital assets, infosec teams should also look at third-party risk. Consider their unique threats, security controls, and ESG scores to ensure they prioritize their customers and ethical boundaries as much as you do.    

• Develop a Business Continuity Plan

One of the most detrimental consequences of poor risk management and cybersecurity planning is not having a solution if your primary IT production environment shuts down because of an attack. Business continuity plans apply for all types of disasters, including environmental, political, and yes — cybersecurity. It also doesn't bode well for ESG evaluations if leadership has no plans to continue operations in the worst-case scenarios. 

ESG looks past financial indicators to evaluate a firm's performance based on its ethics and impact on society. Therefore, how a business conducts itself to protect consumer data in its control and remediate incidents will serve as significant indicators of an ESG score. Protecting your brand reputation by acknowledging cybersecurity as a substantial risk factor, remaining transparent in reporting, and investing in the proper framework, personnel, and third-party providers are crucial practices for a positive ESG evaluation. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 

Access time-saving tools and helpful guides from our Faculty.

IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Get New IANS Blog Content
Delivered to Your Inbox

Please provide a business email.