Why is cybersecurity a growing ESG concern?

Enterprises are increasingly evaluated against their ESG (environmental, social, and governance) impact amidst growing demand for transparency. Here's how and why you must rethink your cybersecurity strategy for better data protection and digital safety.


Companies under pressure to disclose ESG

As the consequences of their actions ripple out to the world at large, companies now have to answer to more than just their stockholders.

Regulators, investors, and an increasingly engaged public have heightened corporate scrutiny; under pressure from global investor groups [1] and new sustainability reporting regulations [2], companies have begun including environmental, social, and governance (ESG) disclosures in their financial reporting.

ESG is a tangible means of evaluating corporate behaviour—a series of objective benchmarks that focus on three key areas:

● Environmental data: how the company manages its resources and cares for the environment

● Social data: how well the company treats its clients and workers; how its management makeup reflects society’s diversity

● Governance data: information on the company’s internal governance and share class structure

ESG disclosures often reveal opportunities or risks that conventional financial analysis cannot adequately spell out. Consider cybersecurity: given the global reach of today’s cloud-based and Internet-connected technology, what ESG risks lie on the flip side of its benefits, and what are their implications for investors and the wider public?

Cybersecurity: a major ESG consideration

In previous decades, the cost of cyberattacks proved mere chump change, as critical infrastructure like power generation plants and other public utilities were not connected to the Internet. That’s all in the past, as the rising cost of breaches and the increasing interconnection of critical utilities have raised the worst-case impact of cyberattacks.

According to recent research by IBM/Ponemon Institute [3], the average cost of a data breach in 2021 is US$4.24 million, a 10% increase from the average in 2019 [4] (US$3.86 million). In Singapore, the government imposed a record fine of S$1 million [5] on parties involved in the 2018 SingHealth breach that exposed the personal data of 1.5 million patients.

The connectivity of public utilities’ operational technology and control systems has also made them tempting targets for cyber criminals, as demonstrated by recent, repeated cyberattacks by advanced persistent threats [6] (APTs) in the Asia-Pacific region. According to the 2021 RBC Global Asset Management Responsible Investment Survey [7], some 15% of Asia respondents rated cybersecurity/data privacy as a major ESG concern, with 10% considering it a “make or break” issue.

No surprise there: cybersecurity affects all three ESG pillars.

Cyberattacks on critical infrastructure like oil and gas production, manufacturing and chemical production, and marine systems can inflict a cataclysmic impact on the environment, causing “fires, explosions, and hazardous material releases that result in bodily injury, property damage, environmental remediation expense, and significant legal liability claims,” as an AXA XL paper explains [8].

A sufficiently damaging cyber breach can also affect a company’s social standing. Cybersecurity failures can impact a company’s relationships with its workforce, the communities it serves, and political decision-makers. Never mind the effect on the bottom line; the reputational costs of a cyberattack may be difficult to bounce back from.

Finally, a company’s resilience against cyberattacks depends in large part on the leadership’s buy-in on cybersecurity. A company’s ESG standing may suffer if its governance fails in the event of an attack, particularly if its risk governance models [9] have not been updated to cover cyber risk.

Raising your ESG score by addressing cybersecurity

With these consequences in mind, companies must address cybersecurity concerns, not just for short-term impact, but also to satisfy questions from investors, stakeholders, and the wider public. Aligning cybersecurity with broader ESG factors requires companies to take an organised approach to cybersecurity strategy, execution, and reporting.

Companies can address cybersecurity’s ESG impacts by taking four critical steps:

1. Build a cybersecurity strategy. Companies should create a plan that can identify present and potential vulnerabilities, and formulate a response to credible threats. Any effective strategy depends on adopting privacy and cybersecurity by design, an approach to cybersecurity “that builds in risk thinking from the onset” [10], instead of considering them after the fact. This involves integrating privacy and cybersecurity into the design, operation, and management of the company’s systems and business practices.

Beyond simply helping staff to navigate cyberattack risks, the plan can also reassure shareholders and the public that the company takes a proactive attitude towards cyber risk.

2. Formulate cybersecurity governance. Build accountability into cybersecurity: the company should identify the principals in charge of implementing the cybersecurity action plan, and develop privacy and data governance metrics that monitor progress on cybersecurity-related ESG goals over time.

By building a leadership and accountability structure around the company’s cybersecurity, the management team and regulators can gain meaningful insight into the company’s cybersecurity-related issues, and hold business units and programs to account.

3. Align with external cybersecurity frameworks. Companies should consider applicable legislation and relevant industry standards and frameworks, and examine how well their governance frameworks comply with these standards.

These range from ESG-specific regulations, like the European Union’s Sustainable Finance Disclosure Regulation (SFDR) [11] and the climate and diversity disclosures [12] required by the Singapore Exchange (SGX); to data security regulations, like the European Union’s General Data Protection Regulation [13] and the Singapore Personal Data Protection Act (PDPA) [14].

4. Create a culture of accountability and transparency. Cybersecurity needs to be built into the company’s internal processes, at all levels. First, buy-in from the board and senior management must be secured, to ensure sustained progress on all cybersecurity initiatives. Management must be periodically apprised of information security and data governance issues; these can no longer be the IT department’s sole purview.

To protect any cybersecurity weak links, non-IT rank and file employees must also receive periodic cybersecurity training. Internal audits of cybersecurity practices and controls must be regularly undertaken.

Finally, the leadership must make full disclosures around data ethics and cybersecurity issues. High transparency demonstrates to customers and other stakeholders that data is being collected, stored, processed, and protected in an ethical manner. It shows the leadership’s awareness of their cybersecurity strategy’s broad social impact.

Burnish your ESG bona fides with Singtel’s cybersecurity services

Cybersecurity is no longer a pure technology issue: it’s also an issue for investors and other stakeholders, who demand up-to-date disclosures on data protection and information security policies to better inform capital allocation and investment decision-making.

Tap Singtel’s pool of experienced, certified cybersecurity advisors that can secure your network, protect vital IT assets, and respond to threats in real-time. With Singtel on your side, you can provide peace of mind for your customers, and ensure that your cybersecurity can stand up to the most revealing ESG disclosures.

Speak to us now to find out how you can weave cybersecurity into your ESG goals.

 

References:

[1] PRI, Investor groups call on companies to reflect climate-related risks in financial reporting, 2020.

[2] S&P Global, New EU ESG disclosure rules to recast sustainable investment landscape, 2021.

[3] IBM, Cost of a Data Breach Report, 2021.

[4] IBM, Cost of a Data Breach Report, 2019.

[5] The Straits Times, Singapore's privacy watchdog fines IHiS $750,000 and SingHealth $250,000 for data breach, 2019.

[6] SOCRadar Cyber Intelligence Inc., Top 5 Cyber Attacks in the Asia Pacific (APAC) in 2021, 2021.

[7] RBC Global Asset Management, 2021 Key Findings: Responsible Investment Survey, 2021.

[8] AXA, Environmental risks: cyber security and critical industries, 2020.

[9] Harvard Law School Forum on Corporate Governance, Cybersecurity: An Evolving Governance Challenge, 2020.

[10] EY - Global, How to manage cyber risk with a Security by Design approach, 2020.

[11] EUROSIF, Sustainable Finance Disclosure Regulation (SFDR).

[12] Allen & Gledhill, SGX mandates climate and board diversity disclosures, 2022.

[13] Intersoft Consulting, General Data Protection Regulation (GDPR).

[14] Singapore Statutes Online, Personal Data Protection Act 2012.
