Why cybersecurity is an ESG issue (and how that can boost your business)

Cybersecurity and ESG have one important thing in common – they’re both about trust. 

That’s why cybersecurity is increasingly seen as an ESG issue, coming either under the ‘social’ aspect, or cutting across all three – environmental, social and governance, depending on who you ask. 

At Stratia Cyber, we believe cybersecurity is bound into every aspect of ESG, and that ESG and cybersecurity are increasingly entangled, and difficult to separate. 

Both cybersecurity and the failure to mitigate climate change rank among the top threats facing organisations around the world over the next ten years, according to the World Economic Forum’s Global Risks Report 2023. 

Cybersecurity issues are becoming interwoven with wider environmental and social issues, the report warns, with attacks expected on agriculture, water and energy infrastructure, while climate-related risks including floods and fires pose threats to computer systems. 

This highlights how the cyber, social and ‘real’ worlds are inextricably connected – as we discussed in our blog post last year, ‘Why We Need To Redefine the Word Cyber.’

There is no separation between the cyber and the physical world, no point at which cyber ‘ends’. 

The repeated attacks on hospitals and schools by ransomware gangs highlight how cybersecurity is no longer simply an IT issue – it has real social impact, from attacks on infrastructure, to the risks of identity theft after a breach. 

An integrated approach

Both cybersecurity and ESG are increasingly subject to strict regulatory compliance frameworks around the world.

There is also increasing pressure from both investors and consumers for businesses to consider their impact on the world – and an integrated approach to ESG and cybersecurity helps companies to have a positive impact. 

Opinion-makers worldwide have increasingly highlighted the crossover between cybersecurity and ESG – with KPMG in particular highlighting how intertwined the two issues are in today’s business world. 

KPMG’s 2021 report, ‘Cyber security: Don’t Report On ESG Without it,’ says, ‘In addition to perennial concerns like anticorruption, clean water and climate change, cyber security is rising to the top of the ESG agenda.’

KPMG suggests that high-profile security breaches such as ransomware attacks have raised awareness among consumers over the risks to their data. 

KPMG says, ‘As a result, there is a demand for transparency into how organisations use and protect the confidentiality and integrity of personal data of everyday individuals.’

Failing to protect assets can lead to eroded trust between an organisation and its customers and employees, KPMG warns. 

Almost all organisations (98%) now share operational technology cybersecurity posture in the broader risk score shared with leadership, according to Fortinet’s 2023 State of Operational Technology and Cybersecurity Report.

KPMG says that cybersecurity intersects with all three pillars of ESG.
In environmental terms, KPMG says that cyber policies, compliance and risk metrics ‘can have far-reaching impacts that can cascade throughout society’. In terms of governance, reporting cyber resilience offers investors a fuller picture of an organisation’s operational capabilities, KPMG believes. In terms of social goals, customers increasingly want to know that their data is being handled responsibly.

A social issue?

By contrast, JP Morgan believes that cybersecurity falls under the social pillar (pointing out that cybersecurity has become critical to investors who want to examine data protection and information security). 

JP Morgan says, ‘ESG frameworks are a tangible means of evaluating corporate behaviour; by incorporating cybersecurity, a new dimension is added, giving insight into cyber behaviours and risks which form a critical part of the bigger ESG picture.’

JP Morgan points out that cybersecurity has long since stopped being a software industry concern – and is becoming a major topic for company management and global investors. 

With customers’ private information at risk, the social impact of breaches has become a ‘major topic’. 

JP Morgan writes, ‘A far broader demographic is becoming increasingly concerned with cybersecurity’s social impact as well as technological implications.’
