Privacy, Cybersecurity, ESG - Inextricably Linked
Source: Bob Chaput Privacy, Cybersecurity, ESG – Inextricably Linked

(Originally appeared December 12, 2022, in my Enabling Board Cyber Risk Oversight blog at Privacy, Cybersecurity, ESG – Inextricably Linked)

Introduction

In my Blog Series, SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes, I covered the proposed changes in the SEC rulemaking. That blog series aims at helping organizations prepare for increased enforcement of cybersecurity disclosures and, more importantly, improve their cyber risk management programs. The SEC has also proposed significant changes to climate and ESG disclosures and is already monitoring required filings and voluntary statements such as those made in corporate sustainability reports, on websites, or in marketing materials.[1]

In his 2021 post, Steve Cagle presented one of the first compelling cases to connect cybersecurity and ESG as he pointed out, “cybersecurity and ESG has become even more evident in the first half of this year as ransomware attacks and breaches continue to wreak havoc on companies, utilities, academic institutions, government entities, healthcare providers and services firms.”

What’s the problem we’re trying to solve?

This post furthers that work and dives into the intersection of privacy, cybersecurity, and ESG. Privacy, cybersecurity, and cyber risk management exposures and oversight are material ESG issues (MEIs) and should be considered a critical part of an organization’s overall ESG risk rating. An MEI is an ESG issue with the greatest potential to affect a company’s bottom line.[2]

The convergence of the two potential SEC disclosure requirements (cybersecurity and ESG) provides an opportunity for organizations to strengthen both ESG and privacy and cybersecurity programs. As companies work to build investors’ and other stakeholders’ trust and confidence, expect ESG to influence privacy and security programs and vice versa.

The lost enterprise and other economic value resulting from bad privacy and cybersecurity management practices are piling up, well-documented, and not repeated here. However, as one example, a recent Morningstar Sustainalytics study on cyberattacks' impact on stock prices concluded, “It appears that in an environment where cyber risk and complexity have quickly escalated, those companies further along in their development of robust cybersecurity-related programs were better prepared to limit the damage of the cyberattack and maintain stakeholders’ trust.”[3] Sustainalytics is a leading ESG rating firm.[4]

A recent World Economic Forum article admonishes, “Companies need to start looking at cybersecurity as part of ESG. Cyber risk is the most immediate and financially material sustainability risk that organizations face today.”[5] ESG is all about sustainability. Sustainability was defined by the United Nations Brundtland Commission as “meeting the needs of the present without compromising the ability of future generations to meet their own needs.”[6]

For some time now, privacy and cybersecurity risks have been increasingly rated as fundamental, existential business risks:

  • Over the last three years, RBC Global Asset Management’s Responsible Investment Survey has shown that cybersecurity is a top investor concern, second only to climate risk based on investor respondents from the U.S., Europe, Asia, and Canada.[7]
  • The 2022 Allianz Risk Barometer survey of risk management professionals cites cyber incidents as the number one business risk and business interruption as number two, with more than 50% of the identified “business interruptions” related to cybersecurity failures.[8]

Managing ESG risks is managing privacy and cybersecurity risks, and vice versa. At the same time, according to McKinsey’s annual survey of corporate directors, boards are not pleased with their performance on risk management: very few report excellent risk management over the past year, and only 40 percent say their organizations are prepared for the next large crisis.[9] Hence, the privacy, cybersecurity, and ESG opportunity.

What is ESG all about, and where do privacy and cybersecurity fit in?

ESG stands for Environmental, Social, and Governance. I read an article recently that referred to EESG (Employee, Environmental, Social and Governance), probably a better, more expansive view.[10] In any case, ESG has evolved to be used in the context of “ESG investing” which, according to Investopedia, “… refers to a set of standards for a company’s behavior used by socially conscious investors to screen potential investments.”[11] I’ve also heard the essence of ESG captured in the phrase—People, Planet, Profit.

Arguably, organizations that fail to identify privacy and cybersecurity risks and implement reasonable and appropriate privacy and security controls will be less resilient and more susceptible to financial losses than those that do.

In “Cyber Security: Don’t Report on ESG without it,” KPMG presents the case that cybersecurity is part of all three elements of ESG: environmental, social, and governance.[12] A recent Harvard Law School Forum on Corporate Governance article also aligns cybersecurity closely with each of E, S, and G. The article proposes how NASDAQ might incorporate cybersecurity into its voluntary ESG Reporting Guide under the Corporate Governance subsection.[13] The NASDAQ ESG Reporting Guide already includes Data Privacy in that same section.[14]

MSCI, a leading provider of critical decision support tools and services for the global investment community and a leader in ESG ratings, includes “Privacy & Data Security” in its Social Pillar under the Product Liability subcategory.[15] And Sustainalytics regards “Data Privacy & Security” as an MEI and includes it in its ESG Risk Ratings.[16]

Whether you associate privacy and cybersecurity with E, S, or G, or with all three pillars, they are definitely ESG considerations. They should be leveraged vis-à-vis one another to improve both the disclosure about and the actual status of each other. Strong, proactive privacy and cybersecurity programs can improve ESG, and ESG can be used to improve an organization’s privacy and cybersecurity programs.

What to do to leverage privacy and cybersecurity as an ESG opportunity

Last year, Bloomberg Law searched through publicly filed Form 8-Ks and Form 10-Ks over the past five years and showed a “…burgeoning pattern of companies explicitly categorizing their compliance with data privacy regulations and voluntary standards as an environmental, social, and governance (ESG) matter.”[17] The title of the analysis implies that privacy (and cybersecurity) are an ESG win.

The intersection of ESG, privacy, and cybersecurity, especially in the face of potentially converging new SEC disclosure requirements, presents a unique opportunity to all companies—public, private, and non-profit. I recommend these specific, actionable, tangible, and outcomes-based actions to harvest the opportunity:

  1. Treat investments in privacy, cybersecurity, and ESG as business enablers.[18]
  2. Establish formal board and executive team governance over leveraging them together.
  3. Conduct initial and ongoing privacy and security risk assessments.
  4. Adopt recognized privacy and security frameworks, e.g., the NIST Privacy Framework[19] and the NIST Cybersecurity Framework.[20]
  5. Implement a strong, risk-based approach to managing privacy and cybersecurity risk, e.g., the NIST Managing Information Security Risk process[21] or ISO/IEC 27005.[22]
  6. Prepare now for the proposed SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule changes.[23] See my 5-part series.
  7. Prepare now for increased SEC enforcement by the Climate and ESG Task Force related to ESG disclosures.[24]
  8. Synchronize and integrate your privacy, cybersecurity, and ESG program and reporting/disclosure improvement efforts.

For more information on several of these recommendations and others, refer to my book Stop the Cyber Bleeding.[25]

Questions Management and Board Should Ask and Discuss

  1. How will you treat ESG, privacy, and security? As separate matters, or will they be integrated and leveraged?
  2. What are the roles and responsibilities of the executive team and the board to synchronize and integrate your privacy, cybersecurity, and ESG program and reporting/disclosure improvement efforts?
  3. Are ESG, privacy, and security programs, and reporting/disclosure priorities, part of regular board discussions?
  4. Have you created a mutually agreed upon message related to your ESG and privacy and security programs, separately or together?
  5. Have you discussed ESG in the context of your unique vision, mission, strategy, values, and services? ESG is not one-size-fits-all.
  6. Similarly, have you discussed privacy and cybersecurity in the context of your unique vision, mission, strategy, values, and services? Privacy and cybersecurity programs are not one-size-fits-all!
  7. What is the current quality of your ESG program and reporting/disclosure capabilities?
  8. What is the current quality of your privacy and cybersecurity program and reporting/disclosure capabilities?
  9. How can they be leveraged to support one another?

Endnotes


[1] Gibson, Kelly, Hacker, Michael, Goldberg, Liz. "ESG enforcement is on the rise: Are you ready?" November 16, 2022. Available at https://www.reuters.com/legal/legalindustry/esg-enforcement-is-rise-are-you-ready-2022-11-16/

[2] ESG, The Report. "What is an MEI in Business Sustainability?" Accessed December 2, 2022. Available at https://www.esgthereport.com/what-is-an-mei-in-business-sustainability/

[3] Zerter, Liam, Hudson, Melissa. Sustainalytics. "The Impact of Cyberattacks on Stock Prices." October 2022. Available at https://connect.sustainalytics.com/inv-report-the-impact-of-cyberattacks-on-stock-prices

[4] Sustainalytics. "ESG Risk Ratings." Accessed December 3, 2022. Available at https://www.sustainalytics.com/corporate-solutions/esg-solutions/esg-risk-ratings

[5] Sarnek, A., Dolan, C. World Economic Forum. “Cybersecurity is an environmental, social and governance issue. Here's why.” March 1, 2022. Available at https://www.weforum.org/agenda/2022/03/three-reasons-why-cybersecurity-is-a-critical-component-of-esg/

[6] "Sustainability." The United Nations. Accessed November 29, 2022. Available at https://www.un.org/en/academic-impact/sustainability

[7] RBC Global Asset Management. “2021 Responsible Investing Survey Key Findings.” 2021. Available at https://www.rbcgam.com/documents/en/other/esg-key-findings.pdf

[8] Allianz. "Allianz Risk Barometer." January 2022. Available at https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer/download.html

[9] McKinsey & Company. "Existential risk and boards with Celia Huber." March 3, 2022. Available at https://www.mckinsey.com/industries/financial-services/our-insights/insurance/women-in-insurance-leading-voices-on-trends-affecting-insurers/existential-risk-and-boards-with-celia-huber

[10] Katz, David A., McIntosh, Laura A. (Wachtell Lipton). Harvard Law School Forum on Corporate Governance. "The SEC Takes Aim at the Public-Private Disclosure Gap." January 28, 2022. Available at https://corpgov.law.harvard.edu/2022/01/28/the-sec-takes-aim-at-the-public-private-disclosure-gap/

[11] "ESG Investing." Investopedia. Accessed December 3, 2022. Available at https://www.investopedia.com/terms/e/environmental-social-and-governance-esg-criteria.asp

[12] Govindankutty, Prasanna. KPMG. "Cyber security: Don’t report on ESG without it." October 13, 2021. Available at https://advisory.kpmg.us/articles/2021/cyber-security-report-on-esg.html

[13] Everhart, Jonathan R. Harvard Law School Forum on Corporate Governance. "Cybersecurity + ESG for the Global Capital Markets." September 15, 2022. Available at https://corpgov.law.harvard.edu/2022/09/15/cybersecurity-esg-for-the-global-capital-markets/

[14] NASDAQ. "ESG Reporting Guide 2.0." May 2019. Available at https://www.nasdaq.com/docs/2019/11/26/2019-ESG-Reporting-Guide.pdf

[15] MSCI. "ESG Ratings Key Issue Framework." Accessed November 30, 2022. Available at https://www.msci.com/our-solutions/esg-investing/esg-ratings/esg-ratings-key-issue-framework

[16] Sustainalytics. "ESG Risk Ratings." Accessed December 3, 2022. Available at https://www.sustainalytics.com/corporate-solutions/esg-solutions/esg-risk-ratings

[17] Karalis, Peter. Bloomberg Law Analysis. "Is Privacy an ESG Win? SEC Filing Trend Says Yes." December 8, 2021. Available at https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-is-privacy-an-esg-win-sec-filing-trend-says-yes

[18] Chaput, Bob. The Governance Institute's E-Briefings. “Cyber Risk Management: A Business Enabler (Not an IT Issue).” September 2019. https://www.governanceinstitute.com/page/EBriefings_V16N5Sep2019#hide2

[19] NIST Privacy Framework. National Institute of Standards and Technology (NIST). Accessed November 29, 2022. Available at https://www.nist.gov/privacy-framework

[20] NIST Cybersecurity Framework. National Institute of Standards and Technology (NIST). Accessed November 29, 2022. Available at https://www.nist.gov/cyberframework

[21] NIST. “Managing Information Security Risk.” NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Accessed December 1, 2022. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

[22] "ISO 27005." International Standards Organization. Accessed November 19, 2022. Available at https://www.itgovernance.co.uk/iso27005

[23] SEC. "Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure". March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[24] SEC. "Spotlight on Enforcement Task Force Focused on Climate and ESG Issues." Accessed November 22, 2022. Available at https://www.sec.gov/spotlight/enforcement-task-force-focused-climate-esg-issues

[25] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

Oscar L.

Solution Consultant Lead at Rockwell Automation | Digital Leadership | Sales | AI | Industry 5.0 | Digital Transf. | Sustainable Tech | IoT | Customer Experience | Autonomous Operations

1 year

Hello Bob, I recently saw your post; it seems to me that you have managed to concentrate many of the elements that are emerging around the importance of connecting cybersecurity and sustainability or, as some also know it, managing ESG risks. It is very valuable information and raises awareness in multiple groups that are in charge of managing and protecting the information of organizations, people, and assets. I hope you can post more about this in the future. Greetings
