What role will cybersecurity play in ESG evaluation frameworks, and which sectors are most vulnerable to increased scrutiny by ESG rating agencies on their cyber resilience?
FORMER CTO OF FORTUNE 500 CYBERSECURITY COMPANY
Cybersecurity is about data confidentiality, integrity and availability (CIA) and the tech to ensure CIA of applications, systems, networks, and program code. On the periphery, policies and related ontology that enable us to better understand cyber risk in the context of overall enterprise risk have helped thinking evolve beyond cybersecurity as core technology and frame it as an ESG concern where we can set targets and measure performance. In other words, by including cybersecurity alongside other issues touching ESG, we can begin to understand the impact of a wider variety of drivers – such as the shift to a remote workforce in response to a pandemic – on overall enterprise risk. By extension, this supports the evolving role of enterprises as caretakers of data rather than owners.
PROFESSOR, PORTFOLIO MANAGER, AND SUSTAINABILITY EXPERT ADVISOR TO EUROPEAN COMMISSION
The importance of cybersecurity from an ESG perspective, more particularly the social dimension as well as the governance one, has increased with the digitalization of the workforce of companies. The social dimension is linked with the potential breaches that could affect both employees and customers. The governance one is, on the other hand, linked with the establishment of adequate practices and policies that can mitigate the risk of cyberattacks. The sectors most vulnerable to increased scrutiny are those where information and data represent a key part of business operations – such as Technology and Communications Services – as well as those with large amounts of end customer data, like Consumer Discretionary and Financials.
SENIOR CYBER INTELLIGENCE ANALYST AT CYBERSECURITY FIRM & FORMER ANALYST AT GEOSTRATEGIC CONSULTANCY
Cybersecurity will increasingly play a role in ESG evaluation frameworks in line with broader scrutiny of corporate cyber hygiene. Cyberattacks such as ransomware that lock entire networks have serious potential for all-of-company disruption. Industries as a whole that have not invested as highly in cybersecurity and information sharing networks are likely to face additional scrutiny. For instance, many of the largest companies in the financial services industry have started developing their own cyber fusion centers, while those organizations built into manufacturing and other technology supply chain operations have lagged in investment. The latter has been particularly stark in the last year, based on the number of ransomware attacks successfully hitting those sectors and hacks like SolarWinds.