For Consideration: ESGC instead of ESG

What is ESG and why it matters

In 2006, Environmental, Social, Governance (ESG) issues were mentioned within the United Nations’ Principles for Responsible Investment (PRI) Report. ESG criteria were laid out to incorporate financial evaluations of companies in order to focus on further developing sustainable investments. Since then, ESG has continued to grow, driven by pushes from investors to help ensure their investments in companies meet their expected outcomes and also align with their own greater goals and objectives. According to a recent study in Business Wire, 68% of companies that implemented ESG criteria aided in improved returns, and 77% of respondents confirmed their belief that investing in ESG strategies increased their portfolio company’s financial performance.

ESG has become mainstream, with various frameworks and rating agencies being used by business stakeholders, investors, and governments to assess the impacts of portfolio companies on climate change, human rights, and governance. Additionally, it can be used to understand current and future risks, and to form solutions and goals. In return, companies that participate in ESG are demonstrating a stable growth pattern (of higher returns and reduced risk). ESG has become an investment criterion: if investors don’t see such ESG practices, they may not invest since they find such companies disadvantageous and far riskier.

With investors pushing for such changes over the years, evidence has shown that companies implementing ESG grow safely and perform better overall for stakeholders, including investors, employees, customers and partners.

In this era of societal changes and mounting global concerns, ESG is slowly evolving with the times, but not fast enough — particularly when it comes to cybersecurity.

Where does Cybersecurity fit?

Back in September 2017, Equifax’s cybersecurity breach impacted millions of individuals. However, MSCI, one of the largest providers of ESG ratings globally, raised a red flag about Equifax’s governance practices with regard to a cyber vulnerability well before the breach occurred. If Equifax had focused on its MSCI rating, there’s a good chance it would have prevented the breach from occurring.

According to JP Morgan, over $68 billion USD was spent globally on infrastructure protection, network security equipment, integrated risk management, and application security in 2020. It is estimated that the average cost of a data breach to the average targeted company was $4 million USD in 2020. With the rise of cyber attacks, thousands of businesses and nonprofits have shut down due to breaches, and millions of lives have been impacted in various ways. Healthy cybersecurity programs are a must for every single organization since they are about protecting systems, networks, programs, and data.

Data protection and information security policies are now assessed by investors seeking to discover how risky a prospective company is prior to investing. Additionally, cybersecurity is now a major topic for company management, global investors, and all industries. Moreover, compliance requires companies to spend more on protecting their company, customer and partner data and digital assets, or else face the consequences of financial loss and reputational harm if any misconduct is committed.

Cybersecurity is increasingly seen as an aspect of ESG considerations, given the operational risk mitigation, internal/external communications and other steps involved in recovery from a cyber attack. Cybersecurity falls squarely under the “S” or social component of ESG; it also sits within the realm of “G” or governance component. However, ESG was formed way before today’s cybersecurity landscape and the growth of the cybersecurity industry. Additionally, for the longest time, cybersecurity has been seen as merely a software industry concern, which is far from true.

Cybersecurity shouldn’t just be optional or an element that falls under Social and Governance; it needs and deserves its own criteria since it is an economy-wide problem. Treating cybersecurity as an element of a larger SG metric is to ignore just how badly breaches impact us all. Cybersecurity deserves its own placement and mindshare as a key aspect of ESGC (Environmental, Social, Governance, Cybersecurity), given its scary dynamic and the rampant growth and spread of breaches. By allowing ESGC, companies are pushed if not forced to take cybersecurity more seriously than ever before, a crucial step given that statistics show that one in five small businesses have fallen victim to a cyber attack and, even more troubling, 60% of SMBs that fall victim to a cyberattack will go out of business within 6 months.

It’s time for ESG to evolve with today’s landscape… and become ESGC.

  1. Cybersecurity impacts more than one industry; it impacts all sectors, just as environmental, social, and governance issues do.

  2. Adding C to ESG acknowledges that cyber attacks take down businesses and greatly impact people’s lives.

  3. The rise of cyber attacks will continue to increase. This pushes us to consider that poor cybersecurity practices lead to poor performing companies, which in turn impact the public and the economy in various ways, all negative.

  4. The creation of ESG was prior to the growth of cybersecurity, and if ESG was created today, it would most likely automatically include ESGC.

  5. ESG frameworks continue to evolve with time to include cybersecurity standards across industries, but new topics and metrics around cybersecurity are increasing annually, which could push to incorporate ESGC.

  6. ESG enforces transparency in reporting to stakeholders, and they also deserve to know what companies are doing to take their cybersecurity seriously, thwart attacks, and protect reputation.

ESG measurement systems are far from complete and will continue to evolve over time. But incorporating cybersecurity into ESG frameworks can’t and shouldn’t wait. We need a broadly applicable set of criteria to help ensure that companies are cyber resilient and are prioritizing cybersecurity as part of their risk management across the board. Adopting ESGC allows for up-to-date ratings and frameworks to be created and practiced. It may reduce breaches and help drive faster breach response times, both of which are essential steps towards helping to prevent ever more impactful disasters down the road.
