The Importance of Cybersecurity’s Role in ESG and the Need to Take Action


In today’s data-driven world, cyber risk has emerged as one of the greatest threats to the global economy and a major risk faced by businesses worldwide. With data projected to account for 90% of the value of intangible assets across companies, the stakes are extremely high. It is therefore no surprise that cybersecurity is increasingly becoming a priority within corporate Environmental, Social, and Governance (ESG) reporting and implementation agendas.

Cybersecurity refers to the practice of protecting computer systems, networks, and data from theft, damage, or unauthorized access. In today’s digital era, where companies rely heavily on technology, cybersecurity is critical to business continuity for several reasons:

Corporate Data Protection – Companies store sensitive data, including customer information, financial records, and intellectual property. A breach can result in severe financial and reputational losses.

Legal and Regulatory Compliance – According to the United Nations Conference on Trade and Development (UNCTAD), many countries have enacted strict data protection and privacy laws that companies must comply with or face substantial fines.

Operational Continuity – Cyberattacks can disrupt operations, causing unplanned downtime and significant financial losses.

Cybersecurity is now widely recognized as an integral part of ESG. The topic began gaining attention as an ESG issue in the late 2010s, particularly as a governance matter, aligning with the “G” in ESG. ESG reporting frameworks such as the Global Reporting Initiative (GRI) and the Sustainability Accounting Standards Board (SASB) have acknowledged the importance of cybersecurity within corporate sustainability strategies.

Examples of how cyberattacks can impact ESG-related issues include:

Environmental Pollution – A facility’s leak detection system may fail, or hackers may take control of industrial systems, causing water or soil contamination. In 2021, hackers infiltrated a water treatment plant in Florida, remotely altering chemical levels in the water supply. Similar attacks have occurred in the United States, Australia, and Israel.

Occupational Health and Safety – Unexpected shutdowns of safety systems can lead to serious accidents, including injuries and fatalities, particularly in manufacturing environments. In 2014, a cyberattack targeting a German steel plant forced the shutdown of a blast furnace, causing significant facility damage and exposing workers to safety risks.

Product and Service Safety – Products may require recalls due to cybersecurity vulnerabilities or susceptibility to hacking. In 2017, the U.S. Food and Drug Administration recalled 500,000 pacemakers due to the risk that hackers could drain their batteries or alter patients’ heart rates, potentially causing death. In 2020, a German hospital was forced to close its emergency unit following a ransomware attack, which resulted in the death of a patient.

Because cybersecurity has only recently become an urgent priority, companies are often required to rapidly recruit expertise in areas where they previously had limited experience. This challenge is compounded by a significant global shortage of cybersecurity professionals, making it difficult for organizations to find the necessary talent and expertise. Nevertheless, as cyberattacks remain a persistent threat, companies face both internal and external pressure to act swiftly and effectively.

Recognizing the need for strong governance mechanisms to address the urgency of cybersecurity, many companies have begun establishing accountability at the C-suite level, positioning cybersecurity under the broader umbrella of business risk rather than solely as an Information Technology risk. For example, organizations may appoint a dedicated cybersecurity committee or conduct regular risk assessments, demonstrating strong governance practices. Another example of sound cybersecurity governance is implementing standardized frameworks that translate cybersecurity threats into financial risks. This structured approach facilitates clear communication between experts and non-experts, often with the ultimate goal of achieving certifications and standards such as ISO/IEC 27001, ISAE 3402/3000, and SSAE 18.

Leading organizations have taken the following steps to mitigate their exposure to cybersecurity risks:

Employee Training and Culture – Training all employees on cybersecurity best practices and fostering a culture of security awareness. Regular awareness campaigns, quizzes, mandatory online training sessions, and simulated cyberattacks help prevent attacks at their source.

Technology – Investing in advanced cybersecurity technologies, expertise, and tools enables companies to stay ahead of cyber threats. For instance, organizations may implement 24/7 security monitoring and incident response plans.

Security Return on Investment – Assessing the effectiveness of corporate security investments. For example, companies can evaluate the financial value of email security solutions by measuring both costs and realized benefits.

Even with best-practice measures in place, no company is immune to cyberattacks. However, these measures provide protective layers that enable companies to mitigate and manage the potential impact of cyber threats. Looking ahead, several emerging capabilities offer pathways for further strengthening cybersecurity efforts:

Artificial Intelligence (AI) and Machine Learning – These technologies can detect anomalies and potential threats in real time, enhancing incident response capabilities.

Cyber Threat Intelligence – Leveraging threat intelligence to proactively identify emerging risks and vulnerabilities can prevent attacks altogether.

Zero Trust Architecture – Adopting a “never trust, always verify” approach, where access is granted strictly on a need-to-know basis, reduces the likelihood of breaches.

As cyberattacks grow increasingly complex, companies must design sophisticated cyber programs that leverage AI and continuously adapt to fast-moving, multi-dimensional threats. This is particularly relevant for industries that rely heavily on sensitive data, such as healthcare, finance, and government, and for any business that handles customers’ personal information, since these are especially vulnerable to cyber and data security risks.

Cybersecurity must be prioritized within corporate ESG strategies and activities. Companies that have not yet implemented best practices should consider taking immediate action to ensure preparedness against potential cybersecurity challenges. Research has identified several key actions organizations can take to mitigate cybersecurity-related risks:

Integrate Cybersecurity into ESG Strategy – Recognize cybersecurity as a critical ESG component and incorporate cybersecurity initiatives and reporting into the broader ESG agenda. This effort must be driven from the top and supported by senior leadership.

Establish Strong Governance Mechanisms – Create C-suite accountability for cybersecurity, treating it as a business risk rather than solely an IT risk, supported by dedicated committees and regular risk assessments.

Invest in Employee Training and Culture – Train all employees in cybersecurity best practices and cultivate a culture of security awareness through ongoing awareness initiatives, quizzes, and cyberattack simulations.

Leverage Advanced Cybersecurity Technologies – Invest in advanced cybersecurity technologies, expertise, and tools to stay ahead of threats, ideally supported by 24/7 security monitoring and incident response plans to detect and respond to threats promptly.

Explore Emerging Capabilities – Consider adopting new technologies and practices to strengthen cybersecurity efforts, such as AI and Machine Learning for real-time threat detection, Cyber Threat Intelligence, and Zero Trust Architecture.