Article

From risk to opportunity: Enhancing ESG disclosures and governance with cybersecurity

By: Rohit Das, Abhishek Tripathi, Francis Poly

ESG (Environmental, Social, and Governance) practices have become a driving force in today's business landscape. With increasing reliance on technology and data, cybersecurity has become integral to protecting sensitive information and ensuring smooth operations. The integration of cybersecurity with ESG practices is no longer limited to financial protection. This integration enables organisations to safeguard stakeholders, minimise risks, and capitalise on opportunities in the digital age. Cybersecurity has become an essential enabler of sustainable business practices, fostering a proactive approach to ESG principles.

Environmental, Social, and Corporate Governance through Cybersecurity

Integration of cybersecurity programs into ESG practices extends beyond traditional risk management. Socially, cybersecurity is essential for addressing public concerns over personal data protection, building customer confidence, and demonstrating proactive protection. Reporting on cybersecurity risk metrics provides insights into overall corporate behaviour and risk management oversight, aligning with ESG rating principles and reflecting a company's preparedness and resilience to cyber events.

Reasons to Integrate ESG and Cybersecurity

Data is a critical asset in the growing value of organisations, and cybersecurity breaches pose a significant risk to that value and to potential economic profit. The growth in digital transactions widens the exposure to such breaches, which affect individuals and essential services such as healthcare and utilities, so addressing cyber risk becomes crucial to protecting society at large. Heavy reliance on insurance coverage is not a sustainable solution: as insurers narrow cyber policy coverage, organisations are left exposed. Installing robust cybersecurity measures and practising effective governance and risk management is therefore essential.

Focus on Cybersecurity in ESG Framework

Cybersecurity breaches involving the theft of personal information erode trust among customers, investors, and stakeholders. Cyber risk harms a company's reputation and value just as other ESG issues do. In the RBC Global Asset Management Responsible Investment Survey, asset managers ranked cybersecurity as their second-biggest concern among ESG-related themes. Treating cybersecurity as a pillar of ESG frameworks reflects the need to mitigate cyber threats.

ESG Rating Agencies and Cybersecurity

Rating agencies encourage companies to prioritise cybersecurity and privacy by assigning weight to these parameters. When evaluating companies, ESG analysts consider metrics such as breach frequency, breach impact, and remediation procedures. In India, the introduction of the Business Responsibility and Sustainability Reporting (BRSR) framework further reinforces the importance of ESG disclosures. The BRSR guidelines, issued by the Securities and Exchange Board of India (SEBI), provide standardised reporting requirements for ESG parameters. This report becomes an integral part of companies' annual reports, transparently aligning financial and non-financial disclosures. Companies that align their cybersecurity practices accordingly have a better chance of enhancing their ESG scores and attracting responsible investors. Moreover, companies with an independent assurance report on information security and privacy are viewed favourably, as such a report reflects the implementation of data protection policies, individual data control rights, regular security system audits, and rules for third-party data transfers.

Impact of Data Breaches on ESG Ratings

Data breaches have far-reaching consequences beyond financial losses. They can significantly affect a company's ESG ratings and overall reputation, and they expose the company to regulatory scrutiny that may result in litigation and fines. In 2022, the Indian Computer Emergency Response Team (CERT-In) announced mandatory cybersecurity guidelines on the reporting of cybersecurity incidents. By demonstrating a proactive approach to cybersecurity and emphasising the protection of stakeholder data, companies can minimise the negative impact of data breaches on their ESG ratings.

Steps to Align Cybersecurity, Privacy, and ESG

Cross-functional collaboration can be fostered by aligning agendas with other leaders in cybersecurity, ESG, and privacy. Additionally, involving Chief Data Officers (CDOs), Chief Privacy Officers (CPOs), and Chief Security Officers (CSOs) in ESG discussions ensures a holistic approach.

Developing privacy and data governance metrics to monitor progress towards ESG goals, establishing robust cybersecurity governance, identifying the individuals responsible for implementing the cybersecurity action plan, and fostering accountability throughout the organisation are all crucial for risk management. A comprehensive plan to identify vulnerabilities and respond to credible threats must also be implemented.

By recognising the convergence of ESG and cybersecurity, organisations can transform risks into opportunities and foster a resilient and sustainable future for all stakeholders, including employees, customers, regulators, investors, and society.

This article first appeared in ETCISO.in on 09 August 2023.