5 reasons to integrate ESG and cybersecurity

Every business faces global systemic risks, yet most have failed to integrate cybersecurity with ESG programs. Here are five reasons why integration makes good business sense.

It's time for businesses to add a new component to their cybersecurity strategies.

In the wake of environmental disasters fueled by climate change, businesses are realizing that many risks historically deemed externalities must be incorporated into internal strategies. To accommodate that shift, it's important that businesses interweave an environmental, social and governance (ESG) program into their overall cybersecurity strategies.

Here are five reasons why ESG-cybersecurity integration is so important.

1. Both are urgent and financially significant risks facing all organizations

Study after study has ranked cybersecurity and disruptions related to climate change among the top risks facing organizations. The 2021 editions of AXA's "Future Risks Report" and the World Economic Forum's "Global Risks Report," for example, each cite climate change and cybersecurity as major factors defining the next decade.

The most immediate reason why cybersecurity and climate change present paramount risks to business is that both threaten the value of business assets, tangible and intangible. Companies have invested billions of dollars to build up their physical infrastructure, and the data stored on these systems -- financial information, intellectual property, and behavioral, health and security data -- is worth even more.

But financial impacts are only part of the equation.

Figure: Chart of the top business risks in 2022. Cyber incidents and climate change are increasingly deemed critical enterprise risks.

2. Cyber-risks influence sustainability; climate risks influence cyberthreat mitigation

Cyber-risks, such as attacks on critical infrastructure or other networked systems coming online as part of projects to transition to renewable energy, threaten the integrity of sustainability investments. The reverse is also true: Climate-related risks -- such as floods, fires and heat waves -- along with societal upheavals pose numerous vulnerabilities for system reliability, computer network defense, human error, safety and more. The interconnected nature of our social, physical and cyber domains means that factors in one system can inadvertently affect the others.

What's more, the dynamics of both cyber-risks and climate continue to evolve. Malicious actors are employing new technologies and tactics as they attack emerging blockchain and cryptocurrency businesses. And, as climate-related events grow more intense and more frequent, it becomes more difficult to predict the future.

3. Cyber-risk applies to the social impacts of ESG

Although cybersecurity has long been viewed as an IT issue, the effects of breaches, nefarious use and social engineering extend well beyond the purview of IT. Much wider societal impacts exist, among them identity theft, risks to vulnerable demographics, exploitation of marginalized groups and fallout from geopolitical turmoil.

Consider the many effects on communities when attackers target healthcare institutions, schools, small businesses or local governments. Meantime, the shift to remote work fueled by the pandemic has forced companies to confront new cybersecurity risks when protecting their networks.

Finally, there is the specter of even more serious societal breakdowns stoked by extreme climate events and energy instability, all of which pose significant risks to businesses.

The effects of climate change, as well as other environmental exposures, threaten human ecosystems and communities in many ways -- with disproportionate risks to certain groups.

4. Both ESG and cybersecurity are subject to increasing regulatory compliance frameworks

Compliance regimes vary widely. Business resiliency depends on good governance of both data and technology, as well as environmental, social and corporate decision-making.

A solid compliance foundation can help a company avoid relying on insurance coverage to mitigate the costs of a breach or other disruptive event. Thanks to ever more frequent and expensive breaches, insurance companies are already narrowing their scope of coverage, and thus the extent to which organizations can trade insurance for good governance.

While regulatory intervention is no silver bullet, standardized frameworks can set a precedent and align stakeholders for better measurement, risk assessment, accountability and governance.

5. Prioritizing ESG and cybersecurity is just good business sense

The role business plays in society is under the microscope, especially as more attention is paid to activities that damage the planet or society. Businesses interested in long-term survival must account for broader impacts across stakeholders. The signals to do better are coming from everywhere, with the following among them:

  • pressure from investors and boardrooms;
  • employee expectations and talent pipelines;
  • customer expectations for sustainable and inclusive brands;
  • supply chain/partner implications; and
  • startups and purpose-driven accelerators.

Rethinking risk toward resilience

ESG describes how investors and businesses assess the environmental, social and ethical/governance impacts of their investments and activities. Yet, the real imperative for long-term business resilience is to configure profitable business vitality in concert with a healthy society and environment. We are already seeing technology innovation shifting from digitization to broader goals, such as democratization, decentralization and decarbonization.

Companies that fail to recognize these changes and don't integrate their ESG and cybersecurity strategies risk a whole lot more than a breach or costly insurance claim.
