The rise of Environmental, Social and Governance (ESG) as a metric to examine an organisation's sustainability, along with socially responsible investing, brings to light an intriguing way of measurement. This article looks into ESG ratings and discusses whether Cybersecurity is a discipline that fits within them.
What are ESG Ratings and how do they operate?
ESG Rating - Measures a company's exposure to long-term ESG risks (such as Greenhouse gas emissions, working conditions, policies & standards) that have financial implications, usually not highlighted by conventional financial analysis.
An ESG rating is usually expressed using one of two methodologies: a numerical score or a letter-based grade. The numerical range is usually scored between 0-100, with 70+ seen as “good” and 50 and below as “bad”. The letter-based approach ranges from CCC (worst) to AAA (best).
MSCI Score Chart:
ESG ratings are used to determine the positioning of an organisation against ESG risks. As a result, these factors and ratings have given rise to ESG investment, which allows for investing within spaces that prioritise the three factors (also termed “socially responsible investing”, “sustainable investing” and “impact investing”). These ratings serve as a basis for the decisions made by investors.
When looking at the prominent names within the space, we quickly come across the American finance firm MSCI, which is widely seen as a dominant player within the ESG ratings field. Its entrance into this space stems from a demand for ESG metrics as a methodology for investment. This assures investors that they are gaining a return from their portfolios, and also establishes that firms within these portfolios align with societal goals, such as Net-Zero approaches. MSCI then uses its scoring metrics to produce a report highlighting the positioning of the examined firm.
There has been some criticism of MSCI and of how ESG ratings are determined. Some reports claim that firms' ESG ratings have been upgraded without the appropriate radical change. Furthermore, debates have arisen over whether ESG ratings allow for clever marketing ploys without any actionable steps, accelerating greenwashing. Further information on this subject can be found here.
What makes Cybersecurity an ESG value:
There is a wide range of opinions on why Cybersecurity is an area that should be incorporated within ESG measurement. Let's explore some of the views on this topic in greater detail:
S&P Global released their insights in May 2021, calling Cybersecurity a growing concern for ESG. This is due to cyberattacks, and the associated financial losses and disruptions, increasing in severity and frequency. They go on to state that the cyber insurance market is underdeveloped and that cyber cover is often tagged onto existing policies that were not intended to cover cyber risk.
Here are some further insights from their article:
The Colonial Pipeline cyberattack began to raise questions over how prepared industries are to mitigate risk and safeguard vulnerabilities.
Energy infrastructure needs to become more cyber resilient due to digitisation and automation of energy systems, increasing the scope of an attack.
Companies need to go beyond IT security and evaluate cyber risk from cyber-informed engineering perspectives.
World Economic Forum:
The World Economic Forum's article determined three reasons why Cybersecurity is an ESG issue.
1) It presents a threat to value
There has been an increase in intangible assets, representing 90% of the asset value within organisations (tripling on the S&P 500 index in the last 35 years). The COVID-19 pandemic brought an accelerated shift to digitise assets.
The most critical intangible asset in determining the value of a company is data. As companies grow, the intangible value grows, increasing the potential impact of a cybersecurity breach. Companies need to focus on protecting critical assets, so that in the event of a breach, value loss is minimised.
2) It presents a threat to society
With consumer convenience and the digital shift, organisations have adopted digital transactions, creating cybersecurity risks. Data breaches can have a potentially huge impact on people. Hackers have increasingly targeted healthcare data and institutions, impacting the quality of care for the community.
3) Insurance can’t mitigate risk indefinitely
Companies are relying more on insurance to manage risk, rather than implementing governance. As courts rule in favour of policyholders, insurers will continue to narrow the scope of coverage, limiting the extent organisations can rely on it. Insurance alone is not a substitute for good governance.
Where does Cybersecurity fall within ESG?
This is also an area of debate, with some believing that Cybersecurity is a component of the Social pillar and others placing it within the Governance pillar. Let's examine a few views on this question:
Principles for Responsible Investment (PRI):
PRI believe that cyber and governance go hand in hand. “Governance can be a proxy for the strength of cyber resilience within a firm. It allows investors to assess if a company has an organisation-wide approach to cybersecurity, without having to delve into technical detail”. Essentially, they state that governance processes/structures can be indicative of a firm's ability to manage cyber risk.
However, JPMorgan view Cybersecurity as more of a social concern: “Cybersecurity is becoming a worldwide social concern, with growing interest from around the globe”.
NASDAQ reports on Cybersecurity within its ESG framework and, similarly to JPMorgan, has classified it as a “social” issue. They state within their 2020 sustainability report that Data privacy & cybersecurity have “social issues that may arise from the company’s approach to collecting data, obtaining consent, and managing customer expectations regarding how their data is being used, or issues that may arise from incidents such as data breaches in which personally identifiable information and other customer data may be exposed”.
We believe that aspects of Cybersecurity fall within both the social and governance pillars. PII and other customer data are all linked to people, which would see this side of cyber viewed as “social”. However, governance is also a factor if you weigh in the various policies/strategies (maybe stemming from legislation) that organisations implement, or need to implement, in order to be viewed as more cyber resilient.
Overall, we believe that Cybersecurity is an area that needs to be factored more into ESG frameworks. It can comfortably fit into two pillars. Cybersecurity is one of many areas an organisation should be measured against, given the digitisation of systems and processes within modern organisations. We look forward to seeing whether changing views and prioritisation of this discipline will lead to more incorporation within ESG frameworks.