Skip to content

Search the site

Cybersecurity as a critical ESG framework category

JPMorgan: "All evidence points to continued interest across the board"

Investors are increasingly considering robust cybersecurity as a core component of their Environmental, Social, and Governance (ESG) frameworks according to JPMorgan -- which sees it falling under "S", or the social pillar.

And pressure is likely to mount from investors for public cybersecurity resilience reporting as a result, the global investment bank suggested in a new report this month, saying interest is growing.

Some $347 billion poured into ESG-focused funds in 2020, with more than 700 new funds launched globally to capture capital inflows. Amid the froth, regulators have been taking an increasingly long hard look at the credibility of many funds' ESG claims. Yet many institutional investors are deeply serious about driving ESG change across their portfolios and improving cybersecurity is increasingly part of that push.

Follow The Stack on LinkedIn

As JPMorgan puts it in an August 19 blog: "[Cybersecurity] is becoming a major topic for company management, global investors and players from all industries... a far broader demographic is becoming increasingly concerned with cybersecurity’s social impact as well as technological implications... Considering cybersecurity as an ESG metric is still a relatively new stance but all evidence points to continued interest across the board."

(Beyond considering it as part of a public ESG reporting framework, investor pressure on portfolio companies to shore up their cybersecurity is growing more broadly: as penetration testing lead at 6point6 Misha Newman recently told The Stack, along with cyberinsurance requirements, pressure from investors is one of the key drivers of more regular penetration testing among his clients -- increasingly extending to SMEs as well.)

Cybersecurity and ESG

The pros and cons of cyber resilience reporting. Credit: Swiss Re.

Others in the space see cybersecurity as more of a "G" or governance issue.

The PRI, the world's leading proponent of responsible investment, for example , initiated a three-year collaborative engagement on cyber governance in 2017, with 55 institutional investors (holding over $12 trillion in assets) engaging 53 portfolio companies from five different sectors to understand how they are demonstrating preparedness and addressing cyber-related risks, using governance as a proxy for resilience.

As the PRI found after that exercise: "The extent of board buy-in on cyber security can be a good litmus test for the effectiveness of a company’s approach to cyber risk. Although companies are increasingly disclosing clear board accountability in this area, they appear to demonstrate different levels of comfort in communicating how boards assess and oversee company-wide cyber-security improvements."

An index focussed on companies that benefit from increased spending on cybersecurity has notably outperformed its sister MSCI ACWI Investable Market Index in recent years.

That has changed little since the report was published in 2020. Reinsurance giant Swiss Re's analysts are among those advocating more public cyber-resilience reporting meanwhile, drawing an ESG parallel and urging companies to get proactive in thinking about how they report this.

"We believe that, despite the potential challenges and downsides, some form of external cyber resilience reporting (akin to ESG reporting) will inevitably be required of certain companies in the not too distant future. The trick will be in finding the right balance and formula to protect the disclosing company from exposing vulnerabilities to adverse actors," they note.

"We can think of cyber resilience as what ESG was like about 15‒20 years ago: a topic that was developing but still incipient in terms of being on the corporate and regulatory radar as an important financial factor that could be gauged through meaningful metrics by both  external and internal stakeholders. Cyber is getting there faster because of its challenging, threatening, and potentially existential nature."

Customising cybersecurity in ESG frameworks

Nasdaq is among those to already report on cybersecurity as part of its ESG framework (under "Cybersecurity & Client Privacy", sitting under the "S" or social component of its own custom ESG framework).

As the technology and data provider noted in a 2018 report, after a series of interviews with its stakeholders this sat right at the top of the "social" issues deemed most important to them. As the company's most recent annual sustainability report details, for Nasdaq this category "addresses the company’s management of risks related to the collection, retention, and use of sensitive, confidential, or proprietary customer data.

This also spans risks around use of PII and "customer data for secondary purposes, including marketing. Also included are social issues that may arise from the company’s approach to collecting data, obtaining consent, and managing customer expectations regarding how their data is being used, or issues that may arise from incidents such as data breaches in  which personally identifiable information and other customer data may be exposed. Lastly, it addresses the company’s strategy, policies and practices related to IT infrastructure, employee training, and other mechanisms used  to ensure security of customer data."

In terms of how Nasdaq structures its reporting process, it has its Information Security team review and update its governance documents, including an Information Security Charter, Information Security Policy and the Information Security Program Plan annually, and present them to its Audit & Risk Committee for review and/or approval. The latter also receives quarterly briefs from Nasdaq's CISO, which feature a "Cybersecurity Dashboard... which contains information on cybersecurity controls, incidents and threats to the Company’s information security, and ongoing prevention and mitigation efforts for such threats."

Its clear that absent further regulatory requirements, most companies that do report cybersecurity resilience as part of a sustainability report are using heavily customised metrics.

Expect to see more pressure for some form of staandardisation in the near future.

See also: JPMorgan's CIO on spending $600m annually on cybersecurity