On the cybersecurity front, there is no shortage of chilling news. Ransomware attacks on school systems and data breaches among healthcare companies are just a slice of an expanding class of technology-driven crime.
Cybersecurity failure ranks as the fourth likeliest critical threat to the world within the next two years, behind infectious diseases, livelihood crises, and extreme weather events, according to the World Economic Forum’s Global Risks Report 2021.
Given the far-reaching potential impacts of cyber incidents, environmental, social, and governance (ESG) investors have increasingly added cyber issues and data privacy to their assessments. While some debate whether the challenges fall under the social or governance pillar, cybersecurity’s importance to corporate responsibility is clear.
Putting Cybersecurity on the ESG Radar
Cybersecurity ranked as the most pressing ESG issue for 67% of institutional investors surveyed by RBC Global Asset Management in its 2019 Responsible Investment Survey. Of note, the poll emphasized that the potential legal liabilities stemming from expanded regulations represented a significant governance concern.
Likewise, governance specialists with the Principles for Responsible Investment (PRI) concluded that “[c]ompanies can only ignore these threats at their peril.” Their report contended that governance structures and processes that incorporate cybersecurity and data privacy elements reflect a company’s ability and willingness to identify, address, and resolve issues that can impact every stakeholders.
Yet those potentially broad ripple effects have prompted some observers to categorize cybersecurity as a social factor, especially given the dominance of technology over many companies’ cultures and overall impacts in the marketplace. Accordingly, one group of industry consultants writing on the Harvard Law School Forum on Corporate Governance asserts that a board that fails to actively oversee data security and reliability is failing all of its stakeholders.
Regardless of ESG categorization, another Harvard forum post cautions against merely providing lip service. Instead, a robust approach to cybersecurity reviews, training, and outcomes fosters much-needed understanding, disclosure, and accountability among companies.
Mitigating cyber risks requires a change from business as usual.
Growing Investor Pressure
In its 2019 Responsible Investment Survey, RBC found that investors are best served by companies that disclose key, relevant data on their cybersecurity efforts and welcome sharing additional information going forward.
The RBC study was part of a broader effort facilitated by the PRI to use cyber governance as a proxy for cyber resilience. Although the two-year study resulted in improved reporting, the PRI recommended that investors continually press boards of directors to actively monitor cyber issues, integrate cybersecurity into corporate strategy, and improve disclosures.
Separately, 2020 EY research into 76 Fortune 100 companies found that the frequency of cybersecurity reporting, active preparedness, and ties to executive compensation among the largest companies in the US remains dismally low.
As with well-documented environmental risks, mitigating cyber risks requires a change from business as usual. The responsibility and accountability prevalent in ESG analysis can help drive that change.