In the Digital World, Cybersecurity Is an ESG Risk
We live in a digital world where cyber resilience is a primary concern for every organization and is increasingly being recognized as an Environmental, Social, and Governance (ESG) issue. Cybersecurity and cyber resilience risks will face greater scrutiny from both internal and external stakeholders. Organizations that accurately understand their own strengths and weaknesses in the cyber domain will be better positioned to manage those risks and to obtain the most assurance from the insurance they buy.
Data volumes continue to grow and are expected to expand exponentially. Most data is stored by organizations, and increasing amounts are generated by internet-connected devices. The ways in which we use data are also evolving. These trends will continue, creating both opportunities and risks for all of us. Organizations that care about the responsible use of technology and data must treat cyber risk and data governance as ESG issues.
ESG reporting exists to measure the non-financial elements of an organization’s performance. The cyber domain is highly relevant to ESG because consumers and businesses increasingly expect goods and services to be available quickly and on demand, and that availability depends on the underlying systems staying up and uncompromised. All stakeholders expect their data to be protected, and trust in the digital society has become a central pillar of being a sustainable and responsible organization.
Cyber risk is an ESG issue because we all depend on physical and digital infrastructure, as well as data, to support the movement of goods and services. Food supply chains, healthcare services, energy systems, and financial networks all rely on physical and digital infrastructure. Everyone has an interest in ensuring that this infrastructure is managed effectively and sustainably to reduce the likelihood of disruption. Infrastructure that cannot withstand and recover from the risks it already faces cannot be called sustainable: resilience is a precondition for sustainability.
Cybersecurity is an ESG risk that continues to increase alongside the rising number of cyberattack incidents. However, many organizations still have not incorporated cyber resilience into their ESG reporting.
Organizations often lack the necessary level of cyber hygiene. This occurs because cyber risk is frequently viewed solely as an Information Technology department issue, regular and systematic risk assessments are not conducted, and senior management does not adequately oversee these risks. ESG reporting oversight can help drive meaningful change in this area.
The use of cyber insurance is important, but it is only one element of a broader cyber resilience framework. Such a framework may include:

- a dedicated executive leader responsible for cyber risk and resilience;
- board and senior management oversight of cyber risk assessment and control frameworks;
- clear approval of data ethics statements governing how data is and is not used within the organization;
- transparent statements about the organization’s cyber risk posture, including data protection commitments;
- formal information security policies;
- regular executive-level reporting on the number, type, and impact of cyber incidents;
- employee training and awareness programs;
- inclusion of cyber risk reporting within the ESG framework;
- a proactive focus on cyber resilience rather than reactive cybersecurity alone; and
- a cyber insurance program tailored to the organization’s specific risks.
The role of captive assurance (a captive is an insurance subsidiary owned by the organization whose risks it insures) can also be viewed as a positive factor in an organization’s ESG reporting. It demonstrates a clear commitment to risk management by providing a centralized framework and a strategic lens for addressing long-term risk challenges.
Captive assurance entities can work with their parent companies to analyze and understand unique risk exposures and fund risk improvements. Once risks are identified and analyzed, companies can insure risks that cannot be eliminated or fully managed. The result is a purpose-designed insurance program aligned with the organization’s specific risk profile.
If reinsurance is required, reinsurers are typically more willing to provide coverage when an organization can demonstrate a comprehensive understanding of its cyber risks. Captive regulators also expect captives to fully understand the risks they assume, as significant exposures can materially affect a captive’s ability to meet its obligations to the parent company across its insurance portfolio.
By addressing these concerns, captive insurers ensure they not only fulfill their own ESG obligations but also contribute to the broader ESG reporting and strategy of the parent company, thereby maintaining the trust placed in them by customers and society.
Managing cyber risk and data sustainably will increasingly become an ESG issue for many organizations. The digital and physical worlds are interdependent, and digital disruption has real consequences for people, places, and the planet. Organizations that seek to leverage opportunities in the digital world must be both sustainable and resilient, yet too many still fall short of adequate cyber hygiene. To preserve stakeholder trust in the digital world, organizations must implement a strong cyber resilience framework, including appropriate risk transfer mechanisms such as cyber insurance.
