February 10, 2021

ESG and Cyber Risk: How Both Measure Responsible Corporate Behavior for Investors

For a firm as a corporate citizen, the environmental impact of conducting its business (E), its commitment to social justice (S), and its sound corporate governance policies (G) are becoming increasingly important factors in assessing the social responsibility and long-term sustainability of corporations big and small. These metrics are often jointly referred to as ESG, and their use is rapidly growing as a means of identifying corporations that are built for long-term sustainable growth; that growth is fueled by a new generation of socially and environmentally conscious investors, institutional and otherwise. It has been estimated that the overall value of global assets utilizing these principles is over $40 trillion in 2020 and growing; the overall market for such data metrics is rapidly approaching $1 billion annually [1].

While it can be hard to argue against the positive performance of any metric [2][3], it is important to get an intuitive understanding of why these metrics work. At their core, these metrics are attempting to measure and quantify corporate behaviors. Corporate behaviors are driven not only by the principles that organizations apply to their business practices, but also by the people throughout the organization who implement those principles on a day-to-day basis. It is this underlying quality of an organization that is more likely to be a successful predictor of future success. ESG metrics are therefore ways of assessing these intangible qualities that are generally hard to measure.

Cyber risk metrics add another dimension to the evaluation of corporate behavior. Even though cyber risk metrics are based on very different data, at their core they measure cyber behaviors at an organization to determine the risk of adverse events, following the same underlying principles as ESG ratings: the driver of these metrics is always the underlying corporate behaviors. The specific raw cyber signal being measured is not nearly as meaningful as what it says about the corporate behaviors that caused that signal to be what it was. Just as with ESG metrics, it is those corporate behaviors that will determine how resilient an organization is to future adverse cyber events or future adverse business events in general.

Another striking similarity between cyber risk and ESG metrics is that they all measure corporate behaviors concerning (the investment in) public goods [4]. Just as clean air and water are public goods, and a corporation's positive environmental policy and impact can benefit those outside its corporate walls, so too are digital and data security and privacy: a corporation's cyber policy and risk can have a far-reaching impact that ripples through society, given the interconnectedness of the world we live in. Positive corporate actions on cybersecurity have positive externalities similar to those of environmental or socially responsible practices. An organization that implements positive cybersecurity practices improves its ecosystem across all of its associations near and far. Conversely, an organization's poor cybersecurity practices directly impact the cyber risk exposure of its customers, business partners and investors.

The inherent similarity between cyber risk and ESG makes the former an excellent addition to the set of metrics investors should use to evaluate responsible corporate behavior.


By Manish Karir, Managing Director, ISS ESG

