The knowledge platform for the financial technology industry

A-Team Insight Blogs

ISS ESG Creates Cybersecurity Score, Index as Investors Link Data Protection to ESG

Cybersecurity used to be regarded purely as a technology and operations issue. But more and more investors are drawing a line between vigilance against data breaches and ESG performance.

Protecting personal privacy of corporate employees and customers through the security of data is widely viewed today as falling under the social pillar of ESG. Further, the safeguarding of data is an important aspect of corporate audit and risk oversight, which falls within the governance pillar.

It’s a debate that began as the ESG project started to gain momentum but was given greater impetus when the coronavirus prompted governments to impose virus-mitigating lockdowns, forcing workforces the world over to work from home. With millions more people relying on networked connectivity to get things done, personal and corporate data had become more widely distributed, creating more end users and more potential points of cyber vulnerability.

“We’re getting more questions from investors about how companies are protecting themselves from cyberattacks, because it becomes an economic event for the company,” said Hernando Cortina, head of index strategy at ISS ESG, which earlier this year launched a cybersecurity risk score for clients and last month a related ISS ESG US Cyber Risk Index. “When we look at governance, we typically look at things like board composition, executive compensation, shareholder rights – but there’s another pillar, which is audit and risk oversight, general management of risks within a company. And that’s a social and governance concern.”

Line Drawn

Financial institutions have begun drawing a line between cybersecurity and ESG as data has become more critical to firms’ sustainability and social performances, and as cyberattacks have increased in severity and frequency. Any attack on data has the potential to undermine sustainability and carbon-reduction projects. Distributed energy microgrids illustrate the potential vulnerability of such projects – they are data dependent and rely on secure networks to meet their objectives.

JPMorgan recognised the importance of cybersecurity to ESG, writing in 2021 that the total impact of data breaches – operational, reputational and regulatory – could have a knock-on effect on a company’s “bigger ESG picture”.

Data providers are rising to the challenge. MSCI’s ACWI IMI Global Cyber Security Index, which highlights which companies would most benefit from increased vigilance, is often used in ESG due diligence assessments.

ISS ESG is the latest investment data and technology company to offer visibility into companies’ cybersecurity postures through an index. The New York-based sustainable investment arm of Institutional Shareholder Services has produced its ISS ESG US Cyber Risk Index. It uses the ISS ESG US Cyber Risk Score, which analyses publicly available data to assess the cyber security postures of companies and compares that with the history of all cyber breaches. It covers large- to mid-cap US stocks that have been screened for controversial weapons and norm-based research red flags.

Defence Prospects

The score, which provides the backbone of ISS ESG’s own US Cyber Risk Index, isn’t incorporated into ISS ESG’s aggregated sustainability assessments. However, it provides a valuable pointer to the suitability of potential investments, Cortina told ESG Insight.

“This is for investors who are trying to assess the likelihood that a company may or may not be breached,” Cortina told ESG Insight. “It’s basically assessing the posture of cyber assets and seeing whether those correlate with breaches. The value of the cyber score is in connecting how those security postures relate to the likelihood of being breached.”

ISS ESG’s Cyber Risk Score may also be of use to corporates looking at their own defences, said Cortina. That’s especially so for sustainability-aware companies because they tend to be the target of more cyberattacks, Cortina said.

“What we’ve seen is that companies that have a more elevated ESG profile – tech, consumer, financial, energy companies – they tend to be more the target of cyberattacks just because of the nature of the information they have,” he said.
