Building Cyber Resilience in ESG Frameworks

A seasoned professional with over two decades of experience designing, implementing and managing technical and non-technical security solutions for IT and information security organizations within both the public and private sectors.

With the steady rise of cyberattacks, concern about their significant impact extends beyond businesses to their customers, constituents, and individual employees as well. Customers are increasingly mindful of how organizations prioritize data security and privacy. According to nearly half of Indian business leaders, data security and privacy practices have a direct influence on customer buying decisions, driven by credibility and trust. While many business leaders prioritize Environmental, Social, and Governance (ESG) initiatives, their attention tends to center primarily on environmental sustainability. However, there is an opportunity to align ESG goals by placing emphasis on cybersecurity and privacy, which are two crucial aspects of ESG ratings. Collaboration between cybersecurity, privacy, and ESG leaders presents opportunities that extend well beyond ratings. When these leaders collaborate effectively, they can transform all three programs into strategic differentiators for their organization that are rooted in trust and bring tangible benefits to all parties involved.

The greatest opportunity for organizations lies in giving significant and increasing attention to cybersecurity and privacy. According to PwC's Pulse Survey, business executives and board members worldwide have identified cybersecurity as their top business risk. The pressure is set to intensify with the emergence of evolving cybersecurity disclosure requirements, including those outlined in the proposed Digital Personal Data Protection Bill in India and the Digital India Act. For organizations aiming to enhance their ESG and cybersecurity investments, this presents an opportunity to approach both from a unified perspective.

Cyber Risk Sets ESG Efforts Back

Cybersecurity directly affects the social aspect of an organization's ESG goals. Compromises to public-facing systems, websites, or social media platforms can have severe consequences, damaging brand reputation and undermining the organization's efforts to engage with communities addressing important social issues.

Data breaches pose a similar threat, eroding the trust between an organization and its customers. Studies show that 93 percent of individuals express concern about data privacy. Protecting customer data is a critical component of any ESG program. Organizations that prioritize data privacy can enhance their ESG credibility, especially in sectors dealing with vast amounts of data, such as technology, finance, healthcare, and critical infrastructure. Committing to safeguarding and appropriately securing customer data establishes a level of trust in which users are treated equally and their personal information is respected, enabling safe interactions with the organization.

Data breaches not only sever customer trust but also result in significant financial repercussions, including legal costs and the cost of restoring compromised infrastructure, among others. These financial burdens may impede an organization's ability to allocate resources to its ESG initiatives.

Cybersecurity also plays a pivotal role in the environmental aspect of ESG. Organizations creating or managing Operational Technologies (OT) that contribute to environmental goals can become potential targets for cyberattacks. Compromising these systems can lead to extensive damage to the environment, machinery, and related infrastructure.

Furthermore, cybersecurity and privacy are often factored into ESG scores by rating agencies such as MSCI ESG Research. These scores serve as shorthand for investors to assess an organization's ESG status. For instance, cybersecurity and privacy can account for nearly a third (29%) of the ESG score for retail companies, 28% for telecom companies, and 20% for healthcare providers. Impairment of ESG ratings can have long-lasting effects on an organization's overall ESG scores, leading to potential reputational issues and a reduction in business from customers or other companies that prefer to work with higher-rated organizations. Maintaining strong ESG scores involves effective incident management, policy and process transparency, and demonstrating tangible efforts to mitigate the risk of future breaches. ESG analysts expect metrics on breach frequency and impact, as well as on the organization's procedures for promptly addressing breaches while informing customers, regulators, and other stakeholders. Stakeholders also seek evidence of proactive measures to minimize the likelihood of future breaches.

Exposure Management Paves the Way to Meeting ESG Goals

To ensure the overall success and integrity of an organization, cybersecurity should be an integral part of its ESG strategy. By incorporating cybersecurity into the ESG framework, risks can be identified and mitigated before they are exploited, proactively preventing the detrimental effects of cyberattacks on the organization. While a strong incident response capability is valuable, it is crucial to also adopt a proactive, preventative cybersecurity approach that reduces cyber risk before it can be exploited.

A preventative strategy entails gaining comprehensive visibility into areas that could negatively impact the ESG program. This allows organizations to address those risks before cybercriminals or nation-state actors successfully execute cyberattacks that disrupt ESG initiatives. While traditional vulnerability management falls short of providing complete visibility across the entire attack surface, exposure management can bridge this gap. It enables organizations to understand where cyber risks exist across their environment, whether in IT systems, web applications, cloud environments, or identity management systems such as Active Directory. With this level of understanding of the security state of the entire attack surface, organizations can prioritize remediation efforts and make informed risk decisions.

Identifying and addressing cyber risks before attackers exploit them is crucial to safeguarding the safety and integrity of ESG initiatives. It helps protect against threats such as ransomware, DDoS attacks, data breaches, and reputation loss before harm can be done to the trust built with customers or to the financial health of the organization itself.

Robust cybersecurity measures not only support data privacy efforts but also drive transparency in how organizations handle data, promoting stronger ethical operations and initiatives. In an era where customers seek assurances regarding the safety, fair use, and privacy of their personal data, they are more likely to trust organizations that invest in or work with proactive cybersecurity programs such as exposure management. These measures provide assurance and demonstrate tangible due-diligence efforts. By aligning cybersecurity with overall business objectives, organizations can better integrate cybersecurity into their ESG efforts, showcasing a commitment to maintaining the safety and integrity of these programs.