Leveraging Cybersecurity as a Business Growth Enabler

While there are countless benefits to investing in cybersecurity, from protecting sensitive information to mitigating risks, one not often highlighted is the positive impact cybersecurity has on a companyʼs ESG profile. As ESG is used as a means to identify and take action on material areas of risk and opportunity, cybersecurity emerges as an important area of exposure for many companies, especially those with access to large amounts of confidential, sensitive information.

A strong ESG program reflects not only relevant topics to a company’s industry but also areas of concern to its key stakeholders, which often includes customers, investors, regulators, and employees. Cybersecurity regularly arises as a key consideration for many of these groups, as each has an interest in proactively mitigating risks related to cybersecurity incidents. Companies can send a strong signal to all of these stakeholder groups by involving their Chief Information Security Officers (CISOs) in ESG assessments, strategy, and improvement projects.

How Does Cybersecurity Contribute to ESG?

Data is a companyʼs most critical asset – 90% of S&P 500 Companiesʼ asset values are intangible, meaning there would be serious consequences should a cybersecurity incident cause data to be stolen or leaked.1 Cybersecurity incidents can also disrupt business operations or impact the safety of people and the environment. Because the potential damage from a cybersecurity incident is significant, strong cybersecurity practices are a core pillar of ESG programs. In fact, for many of our clients, it is one of the most material areas of risk in the governance category (the “G” of ESG). Most ESG reporting frameworks and rating agencies, including S&P Global and Sustainalytics, already consider cybersecurity when evaluating a companyʼs governance structure, standards, and practices.2, 3

What Can CISOs Do to Contribute to ESG Efforts?

Once a company conducts a materiality assessment with cybersecurity defined as one of the key issues to address, incorporating strong cybersecurity practices into an organisationʼs ESG program benefits the company by making cybersecurity both more integrated into the larger governance program and allowing the cybersecurity team and the CISO to engage with the broader employee base. CISOs should ideally be a part of a defined ESG Executive Leadership Committee—an entity at the top of the organization with decision making power and the ability to meaningfully integrate ESG into business strategy decisions. Through this committee, the CISO should engage with the defined ESG/sustainability team to understand their work to date, including materiality assessments and stakeholder communications, frameworks, and targets, and how cybersecurity can be integrated further. CISOs should also proactively contribute to ESG and Corporate Sustainability reports to demonstrate to shareholders the value that cybersecurity is adding to the organisation. Including CISOs in these reports will demonstrate cybersecurity processes and controls maturity, resulting in better stakeholder alignment and higher scores during independent sustainability assessments.

How Will Cybersecurity and ESG Integration Add Value?

Cybersecurity teams are often considered a risk management function within an organisation, helping to identify and manage cybersecurity-related risks. Effective cybersecurity measures also have an overlooked role in creating value for a firm, as strong cybersecurity programs can help companies achieve better external ESG ratings, engage more meaningfully with investors, and decrease operating costs and volatility. As ESG evaluations become more nuanced—whether from investors, peers or third parties—companies should expect to receive an increasing number of inquiries about what they are doing to protect the intangible assets on their balance sheets. A strong cybersecurity program, including clear stakeholder communication around the programʼs value, is essential to both mitigating risk as well as receiving credit for action taken.

Footnotes:

1: Jarzebowski, Martin, “As Intangible Assets Grow, So Does The Role Of ESG Standards,” Forbes (29 December, 2020), https://www.forbes.com/sites/forbesfinancecouncil/2021/12/29/as-intangible-assets-grow-so-does-the-role-of-esg-standards/?sh=2cac3f4d4d44.

2: “What sets S&P Global ESG Scores apart?,” S&P Global (2023), https://www.spglobal.com/esg/solutions/data-intelligence-esg-scores.

3: “The ESG Risk Ratings: Material ESG Issue – Data Privacy And Security,” Sustainalytics (January 2022), https://connect.sustainalytics.com/hubfs/INV/MEI%20backgrounders/Data-PrivacyBackgrounder%20Jan%202022.pdf.

Related Insights

Published

June 06, 2023

temp Key Contacts

Wouter Veugelen

Senior Managing Director, Head of Australia Cybersecurity

Miriam S. Wrobel

Senior Managing Director, Global Leader of Environmental, Social and Governance (ESG) and Sustainability

Most Popular Insights

  1. SEC Issues New Private Fund Rules
  2. Watch Out for These ‘Hidden’ Sanctions Traps
  3. Does the Corporate Debt Maturity Wall Really Exist?
  4. Harnessing the Power of AI for Construction Disputes
  5. Future-Proofing White-Collar Crime Defenses

Sign up to get access to FTI Consulting Insights

Subscribe