The knowledge platform for the financial technology industry

A-Team Insight Blogs

ISS ESG Creates Cybersecurity Score, Index as Investors Link Data Protection to ESG


Cybersecurity used to be regarded purely as a technology and operations issue. But more and more investors are drawing a line between vigilance against data breaches and ESG performance.

Protecting personal privacy of corporate employees and customers through the security of data is widely viewed today as falling under the social pillar of ESG. Further, the safeguarding of data is an important aspect of corporate audit and risk oversight, which falls within the governance pillar.

It’s a debate that began as the ESG project started to gain momentum but was given greater impetus when the coronavirus prompted governments to impose virus-mitigating lockdowns, forcing workforces the world over to work from home. With millions more people relying on networked connectivity to get things done, personal and corporate data has become more widely distributed, creating more end users and more potential points of cyber vulnerability.

“We’re getting more questions from investors about how companies are protecting themselves from cyberattacks, because it becomes an economic event for the company,” said Hernando Cortina, head of index strategy at ISS ESG, which earlier this year launched a cybersecurity risk score for clients and last month a related ISS ESG US Cyber Risk Index. “When we look at governance, we typically look at things like board composition, executive compensation, shareholder rights – but there’s another pillar, which is audit and risk oversight, general management of risks within a company. And that’s a social and governance concern.”

Line Drawn

Financial institutions have begun drawing a line between cybersecurity and ESG as data has become more critical to firms’ sustainability and social performances, and as cyberattacks have increased in severity and frequency. Any attack on data has the potential to undermine sustainability and carbon-reduction projects. Distributed energy microgrids illustrate the potential vulnerability of such projects – they are data dependent and rely on secure networks to meet their objectives.

JPMorgan recognised the importance of cybersecurity to ESG, writing in 2021 that the total impact of data breaches – operational, reputational and regulatory – could have a knock-on effect on a company’s “bigger ESG picture”.

Data providers are rising to the challenge. MSCI’s ACWI IMI Global Cyber Security Index, which highlights which companies would most benefit from increased vigilance, is often used in ESG due diligence assessments.

ISS ESG is the latest investment data and technology company to offer visibility into companies’ cybersecurity postures through an index. The New York-based sustainable investment arm of Institutional Shareholder Services has produced its ISS ESG US Cyber Risk Index. It uses the ISS ESG US Cyber Risk Score, which analyses publicly available data to assess the cybersecurity postures of companies and compares that with the history of all cyber breaches. It covers large- to mid-cap US stocks that have been screened for controversial weapons and norm-based research red flags.

Defence Prospects

The score, which provides the backbone of ISS ESG’s own US Cyber Risk Index, isn’t incorporated into ISS ESG’s aggregated sustainability assessments. However, it provides a valuable pointer to the suitability of potential investments, Cortina told ESG Insight.

“This is for investors who are trying to assess the likelihood that a company may or may not be breached,” Cortina told ESG Insight. “It’s basically assessing the posture of cyber assets and seeing whether those correlate with breaches. The value of the cyber score is in connecting how those security postures relate to the likelihood of being breached.”

ISS ESG’s Cyber Risk Score may also be of use to corporates looking at their own defences, said Cortina. That’s especially so for sustainability-aware companies, because they tend to be the target of more cyberattacks.

“What we’ve seen is that companies that have a more elevated ESG profile – tech, consumer, financial, energy companies – they tend to be more the target of cyberattacks just because of the nature of the information they have,” he said.
