Cyber Risk Emerging as the “G” in ESG
Cybersecurity continues to be a significant source of potential executive liability within corporations. As Environmental, Social, and Governance (ESG) considerations remain a top priority in organizational risk management—both now and in the future—regulators and investors are increasingly viewing cyber-related risks as a core issue within the “G” (Governance) pillar of ESG.
This heightened focus has led to growing regulatory scrutiny and expanded governance requirements worldwide. The pace of this exposure is expected to accelerate in the coming years.
Executive and Board-Level Accountability
Companies must consider the potential for shareholder litigation arising from cybersecurity incidents, reflecting a broader shift toward event-driven securities litigation. There has also been increased legal scrutiny regarding board oversight responsibilities, which may have significant implications for directors’ duties related to cyber risk management.
Regulators are increasingly requiring companies to disclose detailed information about cybersecurity incidents, including:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether data was stolen, altered, accessed, or used for unauthorized purposes
- The impact of the incident on company operations
- Whether the company has recovered or is in the process of recovering from the incident
These requirements compel companies to provide timely updates regarding the current material impact and potential future consequences of cyber incidents on operations and financial condition.
Expanding Cyber Governance Disclosure
Organizations are now expected to disclose information about cybersecurity oversight and governance structures. This expectation is expanding to include detailed disclosure of policies and procedures used to identify and manage cybersecurity risks.
Cyber-related governance disclosures typically include:
- The board’s oversight of cybersecurity risks
- Information about cybersecurity expertise at the board level
- A description of management’s role in assessing and managing cyber risks
- Relevant management expertise and responsibilities in implementing cybersecurity policies, procedures, and strategies
Such transparency reinforces accountability and demonstrates governance maturity.
Litigation Trends and Growing Regulatory Pressure
In recent years, numerous shareholder lawsuits have been filed following cybersecurity or privacy incidents that led to declines in stock prices after public disclosure. While many companies have successfully defended these cases, some have resulted in shareholder victories. These outcomes have encouraged further litigation when share prices fall due to cyber-related events.
At the same time, the increasing number of cybersecurity and privacy incidents—combined with expanding privacy regulations across multiple jurisdictions worldwide—has elevated cybersecurity and privacy to a strategic business priority for many organizations.
Cyber risk is no longer solely an IT issue; it has become a governance imperative under ESG, directly influencing executive accountability, regulatory compliance, investor confidence, and long-term corporate value.
