Cybersecurity: The Largest Hidden ESG Risk


Cybersecurity is rapidly becoming one of the top global risks in terms of both impact and likelihood, alongside climate change and geopolitical conflict. In response, investors need efficient models to integrate cybersecurity into their investment decisions.

The integration of Environmental, Social, and Governance (ESG) factors represents a material market consideration, incorporating non-financial factors into investment analysis to enhance risk-adjusted returns while addressing critical socio-economic and environmental challenges. Carbon emissions and climate change are prime examples of how shifting awareness and market pricing of ESG risks can generate real-world impact. It is now common practice for investors to integrate greenhouse gas (GHG) emissions into their investment processes.

As a result, trillions of dollars in capital are currently allocated and priced based on investors’ perceptions of corporate carbon performance. Through the repricing of risk and company valuations, corporations have strong incentives to reduce emissions in support of global climate mitigation efforts. In this way, investors can achieve tangible impact while avoiding investment risks by addressing “market failures” caused by previously unpriced negative externalities. Consequently, investors are incentivized to identify new non-financial ESG factors that may significantly influence market pricing.

Cybersecurity is emerging as the next-generation ESG consideration for investors, given its strong alignment with financial and investment risks, increasing regulatory scrutiny, and potential for real-world impact.

Investors are increasingly focused on assessing cybersecurity risks embedded within their portfolio companies. Cybercrime affects companies through rising frequencies of data breaches and ransomware attacks, higher corporate spending on cyber defense and insurance, and reputational damage. Large-scale cyberattacks can cause significant operational and business disruptions and create substantial litigation risks.

The severity and frequency of cybercrime continue to rise as economic digitalization expands the cyber “attack surface” available to hackers. Estimates indicate that cyberattacks per company increased by 31% in 2021 compared to 2020, while the average cost of a single data breach in 2022 reached USD 4.35 million. Ransomware has become a major concern for businesses, with survey data showing that 83% of organizations experienced a ransomware attack within the past two years. In the United States, the most commonly demanded ransom payments now range between USD 5 million and USD 10 million.

Corporate cybersecurity spending has become a significant cost burden. Total global business spending on cybersecurity products and services is projected to reach USD 1.75 trillion during the 2021–2025 period, compared to USD 1.0 trillion spent between 2017 and 2021. Certain U.S. financial institutions reportedly spend more than USD 1 billion annually solely to secure and protect digital infrastructure and client data.

An increasing number of companies are also purchasing cyber insurance. A U.S. study found that cyber insurance adoption rose from 26% in 2016 to 47% in 2020. The global cyber insurance market is projected to grow to USD 34 billion by 2031, up from approximately USD 8.5 billion in 2021.

Recent large-scale cyberattacks have targeted hospitals, pharmaceutical companies, travel and leisure firms, financial services operators, and energy infrastructure providers. These incidents not only disrupt operations and generate hundreds of millions of dollars in losses and legal liabilities but also compromise sensitive personal data and threaten critical national functions.

In a major 2017 case, attackers later indicted by the U.S. Department of Justice as members of the Chinese military exploited an unpatched vulnerability in the Apache Struts web framework, for which a fix had already been published some two months earlier, to infiltrate Equifax, a U.S. consumer credit reporting agency. The attackers stole personally identifiable information, including names, addresses, and Social Security numbers linked to detailed financial records of approximately 145 million individuals.

Following the disclosure of the breach, the company’s stock price fell by as much as 35%, and credit spreads on its investment-grade debt widened by 118 basis points. In 2019, the company reached a settlement with U.S. regulators requiring at least USD 575 million in fines, penalties, and consumer restitution.

From a broader societal perspective, inadequate cybersecurity protections can result in macroeconomic damage with national strategic implications, industrial espionage, erosion of innovation and investment incentives, and violations of data privacy. These threats extend to critical functions underpinning economic and national security, public health, and the safety and freedoms of citizens. Investors increasingly recognize that cybersecurity risk is not confined to directly affected companies but impacts the broader economic and market systems underlying asset valuations.

Economic losses from cybercrime and cyber espionage are escalating dramatically. Some estimates suggest that global annual losses could reach USD 10.5 trillion by 2025, up from USD 6 trillion in 2021. This scale implies that the economic impact of cybersecurity may be comparable to that of climate change. Reflecting this, cybersecurity consistently ranks among the top five global risks in surveys of CEOs and global decision-makers, alongside climate change and geopolitical conflict. Based on these trends, a growing number of investors are incorporating cybersecurity performance as a non-financial ESG factor into corporate investment analysis.

An explicit and systematic approach is required to integrate cybersecurity into credit analysis in a quantitative manner.

Cybersecurity Risk as a Market Failure

Current markets face significant challenges in recognizing, assessing, and pricing corporate cybersecurity risks.

First, corporate cybersecurity has traditionally been viewed as an extension of the IT department and treated as a compliance cost to be minimized. As a result, preparedness spending is often insufficient relative to the level of risk. Reporting lines and accountability for cybersecurity are frequently unclear, and board-level oversight and expertise may be limited.

Second, cybersecurity has generally fallen outside the scope of comprehensive regulation. Much digital infrastructure is privately owned, and cybersecurity policies are often based on best practices rather than mandatory requirements. Many cyber incidents and breaches go unreported or unacknowledged publicly, making it difficult for investors to assess cybersecurity risk accurately. Going forward, systematic integration of cybersecurity risk into investment analysis will increase demand for more material cybersecurity-related disclosures, while regulatory developments are likely to require greater transparency and preparedness.

Third, cybersecurity performance is difficult to standardize across companies. Attackers opportunistically target whatever is weakest and their intrusion techniques keep evolving, so attack vectors and methods change constantly. Defenders cannot simply protect a fixed set of high-risk systems or rely on a single preventive control, and investors likewise cannot compare cybersecurity risk across companies with a uniform framework based solely on known vulnerabilities.

Companies are also reluctant to disclose detailed information about their cybersecurity policies and performance due to legitimate concerns that excessive transparency regarding vulnerabilities could invite further attacks. As a result, investors evaluating cybersecurity across firms must often rely on proxy measures of cyber preparedness and adherence to best practices.

These challenges complicate the comprehensive integration of cybersecurity risk into investment processes. In particular, the lack of comparable cybersecurity performance data has hindered efficient market pricing of corporate cyber risk.

Adopting Cybersecurity Data as a Next-Generation ESG Factor

To address these challenges in corporate debt investment, attention can be directed toward measuring “cyber hygiene,” defined as the routine implementation of best practices to maintain network and data security, such as patching known vulnerabilities, enforcing strong password requirements, and maintaining secure data backups.

Data needed to evaluate cyber hygiene comprehensively is increasingly available to investors. Traditional ESG data providers tend to offer subjective assessments of issuers’ privacy and data protection policies, and such survey-based methods may not yield accurate, objective measures of organizational cybersecurity performance. Specialized data providers now offer “cyber risk ratings” based on automated measurements of cyber hygiene. These measurements are generally taken from outside the organization, from signals such as exposed services and open ports, TLS certificate and DNS configuration, patch currency of internet-facing software, and credentials found in leaked data sets; they therefore capture the externally observable footprint rather than internal controls, a caveat to keep in mind when comparing issuers. Similar to credit ratings, which estimate an issuer’s ability to repay debt and implicitly assess default probability, cyber risk ratings aim to reflect overall cybersecurity performance and the implied risk of data breaches or ransomware attacks.

Indeed, some traditional credit rating agencies are now integrating cybersecurity risk ratings directly into corporate credit assessments as part of non-financial ESG data. This approach is logical, as cybersecurity risk can directly affect credit quality and investment outcomes.

Integrating Cybersecurity into ESG Credit Analysis

Cybersecurity can be incorporated directly into ESG credit assessment models as a Governance factor within corporate debt investment strategies. This reflects the view that cybersecurity performance is indicative of overall corporate governance quality. Strong cyber hygiene signals effective governance structures and higher-quality risk management, supporting more attractive corporate debt investments from a risk-adjusted perspective.

The resulting assessment can be integrated into screening, security selection, risk monitoring, and issuer engagement across global corporate credit strategies, ensuring that cybersecurity risk signals are systematically reflected in fixed-income investment processes.

Beyond individual issuer performance, sector-specific cybersecurity materiality is also critical. A sector materiality matrix can be constructed based on three dimensions:

  1. The potential socio-economic impact and damage resulting from cyberattacks on the sector. The more critical the goods and services provided, the higher the cyber materiality.

  2. The observed frequency of cyberattacks targeting the sector. Higher attack frequency implies higher materiality.

  3. The overall sophistication of cybersecurity and resource availability within the sector. Higher average cyber hygiene reduces cyber materiality.

Under this framework, the highest cyber materiality is assigned to sectors that are highly vulnerable, frequently targeted, and capable of generating the greatest damage to essential service provision if attacked. Cyber hygiene performance data can then be adjusted based on sector risk information as an input into the overall ESG credit assessment model.
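To make the three-dimension matrix concrete, the following Python is an added example, not code from the article or from any rating provider. It builds a sector materiality score from the three dimensions above, with dimension 3 entering inverted because higher average hygiene lowers materiality, and then scales an issuer's raw hygiene shortfall by its sector's materiality so that two issuers with the same hygiene rating land at different risk levels. The sector figures, the equal weighting, the min-max normalisation across sectors, the 0.5 floor on the sector multiplier and the function names are all assumptions made for illustration.

```python
"""Sector cyber materiality matrix and sector-adjusted issuer cyber risk.

Added example, not from the original article or any rating provider.
All sector figures are constructed; weights, normalisation and the
multiplier floor are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class SectorProfile:
    name: str
    impact: float       # dimension 1: damage to essential services if attacked, 1 (low)..5 (critical), assumed scale
    attack_rate: float  # dimension 2: observed attacks per 100 companies per year, constructed
    avg_hygiene: float  # dimension 3: sector-average cyber hygiene rating, 0..100, constructed


# Constructed sector data for illustration only.
SECTORS: List[SectorProfile] = [
    SectorProfile("Healthcare", impact=5.0, attack_rate=40.0, avg_hygiene=55.0),
    SectorProfile("Energy", impact=5.0, attack_rate=25.0, avg_hygiene=65.0),
    SectorProfile("Financials", impact=4.0, attack_rate=45.0, avg_hygiene=85.0),
    SectorProfile("Retail", impact=2.0, attack_rate=35.0, avg_hygiene=60.0),
    SectorProfile("Media", impact=1.0, attack_rate=15.0, avg_hygiene=50.0),
]


def _minmax(values: Sequence[float]) -> List[float]:
    """Scale values to [0, 1] across the sector set (assumed normalisation)."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.5] * len(values)
    return [(v - lo) / (hi - lo) for v in values]


def sector_materiality(
    sectors: Sequence[SectorProfile],
    weights: Sequence[float] = (1 / 3, 1 / 3, 1 / 3),
) -> Dict[str, float]:
    """Return {sector name: materiality in [0, 1]}.

    Dimensions 1 and 2 raise materiality; dimension 3 lowers it, so the
    normalised hygiene enters as (1 - h). Equal weights are an assumption.
    """
    w_impact, w_freq, w_hyg = weights
    imp = _minmax([s.impact for s in sectors])
    freq = _minmax([s.attack_rate for s in sectors])
    hyg = _minmax([s.avg_hygiene for s in sectors])
    return {
        s.name: w_impact * i + w_freq * f + w_hyg * (1.0 - h)
        for s, i, f, h in zip(sectors, imp, freq, hyg)
    }


def sector_adjusted_risk(
    issuer_hygiene: float,
    sector_name: str,
    materiality: Dict[str, float],
    floor: float = 0.5,
) -> float:
    """Scale an issuer's hygiene shortfall (100 - rating) by its sector.

    The multiplier runs from `floor` (least material sector) to 1.0 (most
    material), so a low-materiality sector discounts raw cyber risk but
    never erases it. Both the formula and the floor are assumptions.
    """
    if not 0.0 <= issuer_hygiene <= 100.0:
        raise ValueError("hygiene rating must be on a 0..100 scale")
    multiplier = floor + (1.0 - floor) * materiality[sector_name]
    return (100.0 - issuer_hygiene) * multiplier


def rank_sectors(materiality: Dict[str, float]) -> List[str]:
    """Sector names from most to least cyber-material."""
    return sorted(materiality, key=materiality.get, reverse=True)


if __name__ == "__main__":
    mat = sector_materiality(SECTORS)
    for name in rank_sectors(mat):
        print(f"{name:<11} materiality={mat[name]:.3f}")
    # Two issuers with the same raw hygiene rating land at different risk
    # once sector materiality is applied.
    for sector in ("Healthcare", "Media"):
        risk = sector_adjusted_risk(70, sector, mat)
        print(f"hygiene 70 in {sector}: adjusted risk {risk:.1f}")
```

With the constructed figures, Healthcare ranks most material (critical services, frequent attacks, weak average hygiene) and Media least, and an issuer rated 70 carries roughly 28 points of adjusted risk in Healthcare against 20 in Media. Min-max scaling over a handful of sectors is sensitive to the extremes of the set, so in practice the normalisation and weights should be calibrated against the model's own history rather than taken from this illustration.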

Conclusion

With rising financial materiality and a rapidly evolving regulatory and disclosure environment, corporate cybersecurity represents the next-generation factor for mainstream ESG investors to integrate into investment decision-making. Addressing the “market failure” arising from insufficient attention to corporate cybersecurity through ESG integration can incentivize higher performance standards, potentially contributing to improved risk-adjusted returns and stronger socio-economic resilience as a meaningful real-world impact.