The knowledge platform for the financial technology industry

A-Team Insight Blogs

ISS ESG Creates Cybersecurity Score, Index as Investors Link Data Protection to ESG


Cybersecurity used to be regarded purely as a technology and operations issue. But more and more investors are drawing a line between vigilance against data breaches and ESG performance.

Protecting personal privacy of corporate employees and customers through the security of data is widely viewed today as falling under the social pillar of ESG. Further, the safeguarding of data is an important aspect of corporate audit and risk oversight, which falls within the governance pillar.

It’s a debate that began as the ESG project started to gain momentum but was given greater impetus when the coronavirus prompted governments to impose virus-mitigating lockdowns, forcing workforces the world over to work from home. With millions more people relying on networked connectivity to get things done, personal and corporate data had become more widely distributed, creating more end users and more potential points of cyber vulnerability.

“We’re getting more questions from investors about how companies are protecting themselves from cyberattacks, because it becomes an economic event for the company,” said Hernando Cortina, head of index strategy at ISS ESG, which earlier this year launched a cybersecurity risk score for clients and last month a related ISS ESG US Cyber Risk Index. “When we look at governance, we typically look at things like board composition, executive compensation, shareholder rights – but there’s another pillar, which is audit and risk oversight general management of risks within a company. And that’s a social and governance concern.”

Line Drawn

Financial institutions have begun drawing a line between cybersecurity and ESG as data has become more critical to firms’ sustainability and social performances, and as cyberattacks have increased in severity and frequency. Any attack on data has the potential to undermine sustainability and carbon-reduction projects. Distributed energy microgrids illustrate the potential vulnerability of such projects – they are data dependent and rely on secure networks to meet their objectives.

JPMorgan recognised the importance of cybersecurity to ESG, writing in 2021 that the total impact of data breaches – operational, reputational and regulatory – could have a knock-on effect on a company’s “bigger ESG picture”.

Data providers are rising to the challenge. MSCI’s ACWI IMI Global Cyber Security Index, which highlights which companies would most benefit from increased vigilance, is often used in ESG due diligence assessments.

ISS ESG is the latest investment data and technology company to offer visibility into companies’ cybersecurity postures through an index. The New York-based sustainable investment arm of Institutional Shareholder Services has produced its ISS ESG US Cyber Risk Index. It uses the ISS ESG US Cyber Risk Score, which analyses publicly available data to assess the cyber security postures of companies and compares that with the history of all cyber breaches. It covers large- to mid-cap US stocks that have been screened for controversial weapons and norm-based research red flags.

Defence Prospects

The score, which provides the backbone of ISS ESG’s own US Cyber Risk Index, isn’t incorporated into ISS ESG’s aggregated sustainability assessments. However, it provides a valuable pointer to the suitability of potential investments, Cortina told ESG Insight.

“This is for investors who are trying to assess the likelihood that a company may or may not be breached,” Cortina told ESG Insight. “It’s basically assessing the posture of cyber assets and seeing whether those correlate with breaches. The value of the cyber score is in connecting how those security postures relate to the likelihood of being breached.”

ISS ESG’s Cyber Risk Score may also be of use to corporates looking at their own defences, said Cortina. That’s especially so for sustainability-aware companies because they tend to be the target of more cyberattacks, he said.

“What we’ve seen is that companies that have a more elevated ESG profile – tech, consumer, financial, energy companies – they tend to be more the target of cyberattacks just because of the nature of the information they have,” he said.
