Why Cybersecurity Is Important to the ESG Framework


Beyond its critical role in protecting systems, networks, programs, and data, cybersecurity is equally important to investors, who typically review data protection and information security policies to assess a company’s cyber risk exposure. Although cybersecurity has traditionally been viewed as a technology issue, it is now increasingly recognized as a key consideration within Environmental, Social, and Governance (ESG) frameworks—particularly under the Social pillar.

The ESG framework serves as a tangible mechanism for evaluating corporate behavior. Incorporating cybersecurity adds a new dimension, providing insight into cyber conduct and risk exposure, which are essential components of the broader ESG picture. Existing cyber risks explain why cybersecurity is rapidly becoming a central consideration in ESG evaluations.

Rising Costs and Expanding Exposure

The year 2020 was particularly challenging for organizations worldwide, with the average adjusted cost of a data breach reaching approximately $4 million per company. The rapid shift to remote work further exacerbated the situation, increasing the average total cost of data breaches by nearly $137,000.

In today’s rapidly expanding digital economy, cybersecurity is no longer limited to the software industry. It has become a board-level concern for corporate management, global investors, and organizations across all sectors exposed to digital infrastructure and customer data. Society at large is increasingly concerned about the social impact of cybersecurity failures and their broader technological implications.

Regulatory Pressure and Industry Impact

Cybersecurity has gained broader attention as the global workforce transitioned to remote work and as data breaches affected companies across multiple industries. Organizations may face fines and reputational damage if they fail to adequately protect their information networks.

Sectors particularly exposed to these risks include Information Technology, Consumer Discretionary, Financial Services, and Communication Services. However, industries that historically allocated lower budgets to cybersecurity may also face significant material impacts.

Additional data protection regulations have been introduced globally to strengthen personal information safeguards, reshaping corporate behavior regarding data usage and security. In May 2018, the European Union introduced the General Data Protection Regulation (EU GDPR). Shortly after, in June 2018, the California Consumer Privacy Act (CCPA) was enacted in the United States.

Increasing compliance requirements are likely to drive higher corporate spending and may result in substantial financial penalties in cases of non-compliance.

Growth of the Cybersecurity Industry

As cybersecurity concerns expand, the industry continues to grow. Core cybersecurity spending reached approximately $68 billion in 2020, including significant investments in:

  • Infrastructure protection
  • Network security equipment
  • Integrated risk management
  • Application security

Security services spending reached approximately $64 billion in 2020. The fastest-growing segment has been cloud security, with demand expected to increase further in the post-COVID environment. Global revenues in the security software segment are projected to experience steady growth.

From a global perspective, the United States leads the cybersecurity market, accounting for roughly 65% of global market share, followed by Asia at approximately 27%.

Geopolitical and Geographic Risk Considerations

Cybersecurity has become a global social issue, attracting growing international attention. A global perspective is essential when evaluating cyber risk, as company-level assessments are incomplete without considering geographic and geopolitical exposure.

Foreign jurisdictions may initiate or sponsor cyberattacks against organizations, and these risks are not always captured in traditional risk analyses.

According to analyses by Next Peak, countries vary significantly in cyber capability and threat exposure. For example, China has a strong national cyber strategy, established incident response teams, and advanced internet content management systems. However, it ranks high in national cyber threat risk due to alleged hacking activities, weak cybercrime enforcement, and intellectual property protection concerns.

India is also considered to have elevated cybercrime risk despite relatively lower internet penetration rates. This risk is partly driven by a high number of malicious IP addresses registered within the country. Frequent nationwide internet shutdowns further contribute to cyber dissent risk indicators.

On the other hand, the United States demonstrates strong cyber capabilities due to substantial government investment. However, it remains a primary target of cybercrime, contributing to a relatively elevated geo-cyber risk score in comparative analyses.

Market Performance and Investment Trends

The MSCI ACWI IMI Global Cyber Security Index aims to represent companies that may benefit from increased investment in systems, products, and services designed to protect against cyberattacks. While the index has underperformed the broader Information Technology sector at times, it has outperformed the overall market in certain periods.

These dynamics highlight the growing importance of cybersecurity from an investment perspective.

Cybersecurity as an Emerging ESG Metric

Multiple factors make cybersecurity an increasingly compelling focus for businesses, investors, and society. Considering cybersecurity as an ESG metric is still relatively new, but evidence suggests sustained and growing interest from stakeholders worldwide.

The future of cybersecurity within ESG frameworks appears set for continued expansion. It is rapidly evolving from being merely a technical issue into a strategic governance, social, and investment priority.