Below is an excerpt from ISS Corporate Solutions’ recently released paper “ESG and C: Does Cybersecurity Deserve Its Own Pillar in ESG Frameworks?” The full paper is available for download from the ISS Corporate Solutions (ICS) online library.
Thefts of personal information during a cybersecurity breach erode trust on the part of customers, investors, employees, and other stakeholders, demonstrating the link between cyber risk and social risk. The new disclosure and reporting requirements embedded in the Securities and Exchange Commission’s latest regulations governing the oversight of cybersecurity underline the link between governance risk and cyber risk.
All this evidence shows that cybersecurity is already part of ESG and that, perhaps, a more appropriate abbreviation would be ESGC. Most enterprise risk management policies have already expanded their oversight from purely financial risk to these other areas, including cybersecurity. Cyber risk can be as harmful to a company’s reputation and value as any other ESG issue, and the damage is inflicted and experienced in much the same way. As cyberattacks increase in size and frequency, the direct and indirect damage to companies — including loss of customer confidence, reputational damage, potential impact on the stock price, and possible regulatory actions or litigation — arguably touches all aspects of ESG.
It’s important for companies to respond to growing stakeholder concern about these issues through transparent disclosures that detail how they manage these risks across all the ESG pillars and, in some cases, specifically focus on the “C” of cybersecurity. Board oversight of cybersecurity and technological risk may be strengthened if it is handled by the same committee that oversees ESG risk.
By: Paul Hodgson, Senior Editor, ISS Corporate Solutions