The increasing frequency of cyber threats poses a significant risk to business operations, continuity, and reputation.

As companies embrace ESG initiatives, they must also recognise the critical role of cybersecurity in safeguarding sensitive data, maintaining trust and credibility, mitigating environmental and social risks, and improving corporate governance.

Within the context of the current cyber landscape, the importance of cybersecurity cannot be overstated. Organisations face persistent and evolving threats that can have significant financial, operational and reputational consequences. At the same time, the concept of ESG has gained traction as a framework for evaluating a company’s behaviour and impact on various stakeholders.

While the focus on environmental sustainability and social responsibility has been prevalent, the integration of cybersecurity into the ESG agenda is becoming increasingly essential.

There are many advantages of managing cybersecurity and ESG issues in unison to safeguard organisations’ well-being, secure their future, and protect the interests of customers, clients, and business partners.

Protecting sensitive data

One of the primary advantages of incorporating cybersecurity measures into ESG frameworks is the protection of sensitive data.

ESG frameworks typically require companies to collect and report various data points, including energy consumption, greenhouse gas emissions, labour practices, and supply chain management. Additionally, companies must store personal information about their employees, such as names, addresses, social security numbers, and employment history.

This employee data is highly valuable to cybercriminals who may exploit it for identity theft and other malicious activities.

Cybersecurity measures play a crucial role in safeguarding this sensitive data from cyber threats such as data breaches, ransomware attacks and phishing scams. By implementing robust cybersecurity protocols, companies can ensure the integrity of ESG data, protect their brand reputation, and maintain financial stability.

Another significant benefit of cybersecurity in ESG frameworks is the preservation of trust and credibility.

Companies that prioritise cybersecurity are seen as trustworthy and credible by investors, customers, and other stakeholders.

According to a survey conducted by BDO LLP (US) in 2023, cyber threats continue to grow in number and sophistication – a trend that accelerated during the pandemic – so it is not surprising that 79 per cent of directors say a data breach poses at least some or a significant risk to their business. Approximately two-thirds of CFOs surveyed believe ESG, natural disasters, data privacy breaches, and public health threats pose some or significant risk to the business in 2023.

On the other hand, companies that neglect cybersecurity measures are more susceptible to data breaches and other cyber incidents, which can damage their reputation and erode stakeholder trust. These incidents can lead to substantial financial losses, legal liabilities, and undermine a company’s credibility and sustainability.

The urgency of cybersecurity and ESG risks

Both cybersecurity and ESG risks are urgent and financially significant concerns that organisations must address.

Numerous studies and reports have consistently ranked cybersecurity and climate change among the top risks facing businesses today. The current editions of AXA’s Future Risks Report and the World Economic Forum’s Global Risks Report highlight the criticality of these risks in shaping the next decade.

The immediate financial impact of cybersecurity incidents and climate change threats on business assets, both tangible and intangible, cannot be ignored.

Companies invest substantial resources in building physical infrastructure, and the value of the data stored on these systems, including financial information, intellectual property and sensitive personal data, is even more significant. Furthermore, cyber incidents and climate change are increasingly recognised as critical enterprise risks, with potential consequences extending beyond financial impacts.

The interconnected dynamics of cybersecurity and climate change

The dynamics of cyber-risks and climate change are closely intertwined, and they continue to evolve in complexity.

Cyber risks can have a direct impact on sustainability efforts, posing threats to critical infrastructure and networked systems involved in the transition to renewable energy. Conversely, climate-related risks, such as floods, fires, and heatwaves, can create vulnerabilities in system reliability, network defence, and human error.

The interconnected nature of social, physical, and cyber domains means that factors affecting one system can inadvertently affect others. As malicious actors adopt new technologies and tactics, and climate-related events become more intense and frequent, predicting, and mitigating future risks becomes increasingly challenging.

Extending the social impacts of ESG to cybersecurity

While cybersecurity has traditionally been viewed as an IT issue, its effects reach far beyond the purview of technology.

Breaches, nefarious activities and social engineering can have wide-ranging societal impacts, including identity theft, risks to vulnerable demographics and exploitation of marginalised groups.

Targeting healthcare institutions, schools, small businesses or local governments, for example, can disrupt communities and compromise the well-being of individuals.

The shift to remote work, accelerated by the COVID-19 pandemic, has further highlighted the need for enhanced cybersecurity measures to protect networks and sensitive data. Additionally, the potential for societal breakdowns fuelled by extreme climate events and energy instability poses significant risks to businesses.

Regulatory compliance and governance in ESG and cybersecurity

Both ESG and cybersecurity are subject to increasing regulatory compliance frameworks. While compliance regimes may vary, organisations must prioritise good governance of data, technology and decision-making processes to ensure business resiliency.

A strong compliance foundation helps companies avoid over-reliance on insurance coverage to mitigate the costs of breaches or disruptive events.

Furthermore, cybersecurity plays a vital role in enhancing corporate governance, a fundamental component of ESG frameworks. Cybersecurity activities such as risk assessments, incident response plans and security audits help companies identify and address governance gaps related to data protection, risk management and compliance.

By addressing these gaps, companies can improve their overall governance practices, leading to more effective ESG reporting, better decision-making and enhanced stakeholder engagement. Moreover, companies that demonstrate a commitment to cybersecurity governance are better positioned to attract and retain top talent and support from ESG-focused investors.

As insurance companies narrow their coverage scope due to the frequency and cost of cyber breaches, organisations must demonstrate robust governance practices to protect their assets and stakeholders.

Standardised frameworks can set precedent, align stakeholders, and facilitate measurement, risk assessment, accountability and governance.

The business imperative of prioritising ESG and cybersecurity

The role of businesses in society is increasingly scrutinised, with greater attention paid to activities that impact the environment and society.

Long-term survival and success require organisations to consider the broader impacts across stakeholders. Pressure from investors, boardrooms, employees, customers, supply chains and purpose-driven accelerators has empowered the need for better ESG practices. Integrating cybersecurity into the ESG agenda is not only a responsible approach but is also good business sense. By prioritising ESG and cybersecurity, companies can enhance their reputation, attract and retain top talent, meet customer expectations, manage supply chain implications, and align with evolving societal demands.

Rethinking risk: From cybersecurity to resilience

The concept of ESG encompasses evaluating the environmental, social and ethical impacts of investments and activities.

However, true long-term business resilience requires organisations to consider profitable business vitality in conjunction with a healthy society and environment. Technology innovation has shifted from mere digitisation to broader goals, including democratisation, decentralisation, and decarbonisation.

Companies that fail to recognise the interconnectedness of cybersecurity and ESG, and neglect to integrate their strategies, risk more than just breaches or costly insurance claims. They risk compromising their sustainability, reputation, and ability to thrive in an increasingly interconnected and cybersecurity-aware world.

A strategic imperative

The integration of cybersecurity into the ESG agenda is crucial for organisations seeking to navigate the complex risks and challenges of the digital era.

By recognising the interconnected dynamics of cybersecurity and climate change, extending the social impacts of ESG to cybersecurity and prioritising good governance and compliance, businesses can safeguard their operations, customers and reputation while fulfilling their broader social and environmental obligations.

Cybersecurity is a critical component in protecting sensitive data and maintaining the trust of stakeholders. Ultimately, the effective management of cybersecurity risks within the framework of ESG is not only a responsible approach but also a strategic imperative for long-term success and resilience.

Need help with your cybersecurity?

Contact a member of BDO’s Cybersecurity team if you require assistance.

This article was first published by BDO Singapore on 18 September 2023.