Want to advance on ESG? Cyber and privacy can help, while boosting trust in your brand

Where companies are today: Top priorities treated in isolation

If your company is like most, you’re paying serious and growing attention to cybersecurity and privacy. In PwC’s August 2022 Pulse Survey, both business executives and board members deemed cyber their No. 1 business risk. The pressure’s likely to keep growing along with evolving cyber disclosure requirements such as the SEC’s proposed new rules and privacy regulations. Half of the executives responding to PwC’s 2023 Digital Trust Insights Survey told us that data security concerns restrict their ability to make data-driven decisions.

Many business leaders prioritize ESG, but they generally concentrate on just a few areas — especially environmental sustainability in light of proposed SEC climate disclosure requirements and the Inflation Reduction Act.

Rising priorities are also evidenced by rising investments. Forty-nine percent of US business executives in our Pulse Survey said they plan to increase investments in cybersecurity and privacy. Almost as many (45%) plan to increase investments in ESG activities. Yet despite these dual areas of investment, few companies are looking at them together — even though some external stakeholders may be doing just that.

ESG, privacy and cyber already meet here: ratings agencies

ESG ratings agencies often include cybersecurity and privacy in their “ESG scores,” which many investors use as a shorthand for your ESG status. With MSCI ESG Research, for example, cybersecurity and privacy can be nearly a third (29%) of the ESG score for retail companies, 28% for telecom companies, and 20% for healthcare providers.

The agencies and organizations that issue the ESG scores have their own criteria for assessing cybersecurity and privacy. Still, there is common ground. The more details you’re able to attest to publicly about privacy and security programs, the better. Analysts are more likely to view your company in a favorable light if, for example, you have detailed policies and procedures as well as a specified privacy leader — especially if your reporting defines your policies and names your leader.

A data breach, besides the potential for financial and reputational harm, may also impact your ESG rating. If it’s severe enough, it could affect your scores for several years. But effective incident management and transparency can help. ESG analysts like to see metrics on the frequency and impact of breaches as well as procedures to close a breach quickly while rapidly informing customers, regulators and other stakeholders. These same stakeholders will also likely want to see the actions you’re taking to reduce the risks of such breaches going forward.

It’s also likely that companies that have independent assurance (such as SOC 2 reports) performed on topics such as information security, availability and privacy will be more favorably viewed by ESG analysts. Other common factors considered include the scope of your data protection policy, the rights you offer people to control their data, how often your information security systems are audited and your rules (including consent requirements) for transferring personal data to third parties.

Four steps to help cyber, privacy and ESG build on each other — and build trust

The importance that ESG analysts assign to cyber and privacy highlights an important truth: When you align your cyber, privacy and ESG programs, all three can benefit. Together, they can become a strategic differentiator, as robust ESG and cyber and privacy programs support each other and enhance trust in your brand.

Four steps can help.

1. Make connections. Your privacy, cybersecurity and ESG or corporate social responsibility (CSR) leaders should connect about your company’s privacy, cybersecurity and ESG agendas. Typically, chief data officers (CDOs), chief privacy officers (CPOs) and chief security officers (CSOs) all should have a seat at the table with ESG and CSR leaders — to complete the next three steps together.
2. Understand your data flow. Together, privacy, security and ESG leaders can map out your company’s data flow — how and where you collect, create, use, share and eliminate data. Ask, are we collecting the right data? Neither too little nor too much? And are we protecting our data and empowering our customers in ways that don’t just meet cyber and privacy compliance requirements but enhance trust for both our customers and our decision-makers?
3. Strengthen your programs. Guided by the knowledge you’ve gained of your company’s data flow, strengthen your cyber and privacy programs to better protect data and increase stakeholder trust. Standard, industry-recognized frameworks and specialized technology can help you streamline and automate cyber and privacy, reducing both risks and effort. With the help of your ESG specialists, you can implement these frameworks and tools in ways that can lower the costs and improve the accuracy of related ESG reporting.
4. Decide what to disclose. Working together, privacy, cyber and ESG leaders can decide what aspects of your privacy and cybersecurity programs belong in ESG reporting. These aspects may be different — and more thorough — than what you’re already disclosing to meet regulatory requirements, including those from the SEC. The right answer will likely depend on your programs’ maturity, the stakeholders you wish to reach and the standards on which your ESG program is based.

Build a path to greater trust

Nearly all your stakeholders — whether customers, employees, analysts, regulators or investors — increasingly want to know that your company is protecting data and privacy rights as well as supporting environmental sustainability, societal progress and top-notch governance.

You can help give these stakeholders what they want if you align your ESG reporting with your cyber and privacy programs. The end result could be greater trust in both your data and your brand.