No Match Found
Cyber and privacy can be a key factor in ESG ratings — over 25% of the total score in some cases — yet it’s rare for cyber, privacy and ESG leaders to align their efforts
Cyber, privacy and ESG leaders can collaborate to better understand data flow, implement cyber and privacy leading practices and decide on appropriate disclosures.
Collaboration can strengthen all three programs, increasing trust in your data and brand
Today, it’s rare for companies to align ESG investments with cyber and privacy — even though cyber and privacy can be a key factor in ESG ratings. In fact, the opportunities from collaboration among cyber, privacy and ESG leaders go far beyond ratings. When these leaders work together in the right way, they can help turn all three programs into a strategic differentiator for your brand — based on trust.
If your company is like most, you’re paying serious and growing attention to cybersecurity and privacy. In PwC’s August 2022 Pulse Survey, both business executives and board members deemed cyber their No. 1 business risk. The pressure’s likely to keep growing along with evolving cyber disclosure requirements such as the SEC’s proposed new rules and privacy regulations. Half of the executives responding to PwC’s 2023 Digital Trust Insights Survey told us that data security concerns restrict their ability to make data-driven decisions.
Many business leaders prioritize ESG, but they generally concentrate on just a few areas — especially environmental sustainability in light of proposed SEC climate disclosure requirements and the Inflation Reduction Act.
Rising priorities are also evidenced by rising investments. Forty-nine percent of US business executives in our Pulse Survey said they plan to increase investments in cybersecurity and privacy. Almost as many (45%) plan to increase investments in ESG activities. Yet despite these dual areas of investment, few companies are looking at them together — even though some external stakeholders may be doing just that.
ESG ratings agencies often include cybersecurity and privacy in their “ESG scores,” which many investors use as a shorthand for your ESG status. With MSCI ESG Research, for example, cybersecurity and privacy can be nearly a third (29%) of the ESG score for retail companies, 28% for telecom companies, and 20% for healthcare providers.
The agencies and organizations that issue the ESG scores have their own criteria for assessing cybersecurity and privacy. Still, there is common ground. The more details you’re able to attest to publicly about privacy and security programs, the better. Analysts are more likely to view your company in a favorable light if, for example, you have detailed policies and procedures as well as a specified privacy leader — especially if your reporting defines your policies and names your leader.
A data breach, besides the potential for financial and reputational harm, may also impact your ESG rating. If it’s severe enough, it could affect your scores for several years. But effective incident management and transparency can help. ESG analysts like to see metrics on the frequency and impact of breaches as well as procedures to close a breach quickly while rapidly informing customers, regulators and other stakeholders. These same stakeholders will also likely want to see the actions you’re taking to reduce the risks of such breaches going forward.
It’s also likely that companies that have independent assurance (such as SOC 2 reports) performed on topics such as information security, availability and privacy will be more favorably viewed by ESG analysts. Other common factors considered include the scope of your data protection policy, the rights you offer people to control their data, how often your information security systems are audited and your rules (including consent requirements) for transferring personal data to third parties.
The importance that ESG analysts assign to cyber and privacy highlights an important truth: When you align your cyber, privacy and ESG programs, all three can benefit. Together, they can become a strategic differentiator, as robust ESG and cyber and privacy programs support each other and enhance trust in your brand.
Four steps can help.
Nearly all your stakeholders — whether customers, employees, analysts, regulators or investors — increasingly want to know that your company is protecting data and privacy rights as well as supporting environmental sustainability, societal progress and top-notch governance.
You can help give these stakeholders what they want if you align your ESG reporting with your cyber and privacy programs. The end result could be greater trust in both your data and your brand.