- Doug Chia
There Is No “C” In “ESG”: An Illustration of ESG’s Biggest Risk
Updated: Oct 26, 2022
[This post was published on the Harvard Law School Forum on Corporate Governance on October 14, 2022. It was also featured on "The D&O Diary" website on October 17, 2022.]
You keep using that word, I do not think it means what you think it means.
Empty your mind. Be formless, shapeless, like water.
At its core, ESG stands for the principle that one should identify and consider environmental, social, and governance factors when making business and investment decisions. But this basic concept has morphed into something seriously flawed—elusive to those trying to objectively define it for constructive purposes and at the same time too easily contorted by those with less-than-constructive commercial and political interests.
One of the biggest flaws of ESG is the subjective open-endedness of what counts as E, S, or G. What fits under each is no longer obvious. An example of this is cyber security.
Is Cyber Security ESG?
Corporations manage cyber security along with physical security and other types of business interruption risks. They also examine cyber security in the context of another acronym that starts with E – ERM (enterprise risk management) – typically within the COSO framework.
Now cyber security is also being characterized as an ESG issue. If cyber security is ESG, is it E, S, G, or some combination thereof? Can it be all of them? How far do you have to stretch to make it so? And given cyber security is a material risk for most companies, why does this matter?
If forced to assign one letter of ESG to cyber security, the one most proximate is G, on the notion that a company’s board of directors has a duty to oversee cyber security (and ERM more generally) or under the concept of “data governance” (which is not the same thing as “corporate governance”). But arguments espoused by experts run the gamut. A few are excerpted below.
Cyber is E
Since a corporation’s positive environmental policy/impact can potentially benefit those outside its corporate walls, it is considered a public good to contribute to clean air and water. In the same sense, the interconnectedness of today's world means that a corporation’s cyber policy, compliance and risk metrics can have far-reaching impacts that can cascade throughout society. Organizations with robust cyber security programs—and reporting that gives stakeholders transparency into those programs—are well positioned to improve their ecosystems and safeguard their connections with other associations throughout the world. (KPMG)
The interconnectedness of global economies means that a company’s cybersecurity policies, compliance, and risk metrics can have far-reaching impacts on the environment. Companies with robust cybersecurity programs are better positioned to improve their environmental footprints, without interruptions and cyber threats to their environmental efforts. (Global ReEnergy)
Cyber is S
While cybersecurity has mainly been viewed as a technology issue, it is now also regarded as a key environmental, social and governance concern, falling under the ‘Social’ pillar... In a booming digital economy, cybersecurity is no longer just a software industry concern. It is becoming a major topic for company management, global investors and players from all industries with exposure to cyber technology and customers’ private information. A far broader demographic is becoming increasingly concerned with cybersecurity’s social impact as well as technological implications. (JPMorgan)
At first glance, cyber security might not seem to have a strong connection to the social aspects of ESG. However, with high-profile data breaches, a company’s relationship with its customers can be severely damaged if their personal data becomes public. (KPMG)
Data breaches can have a huge impact on people. Hackers have increasingly targeted healthcare data and institutions, with an impact on the quality of care for the community as a whole. A disruption to the utility industry, such as the attack on Colonial Pipeline in the United States, can also lead to temporary income loss, further affecting the community. (World Economic Forum)
Cybersecurity is important to the social aspects of ESG, as the public has become more concerned with the protection of personal data. Cybersecurity has risen to the level of other areas that the public is concerned about regarding what companies are doing for society (i.e., advancing diversity, human rights, etc.). Additionally, the public wants to know that the data shared with companies is protected. A commitment to cybersecurity drives customer confidence and promotes a company’s proactiveness to protect against cyber threats. (Global ReEnergy)
Cyber is G
Cyber risk is the most immediate and financially material sustainability risk that organizations face today. Those that fail to implement good governance on cybersecurity, using appropriate tools and metrics, will be less resilient and less sustainable. (World Economic Forum)
Cybersecurity continues to represent a significant potential source of executive liability risk. As Environmental, Social, and Governance considerations continue to move to the forefront of organizations’ current and future risks, regulators and investors increasingly view cyber related risk as their top issue in the ‘G’ pillar of ESG. (MarshMcLennan)
Reporting on cybersecurity risk metrics provides key insights into a company’s overall corporate behavior and risk management oversight. (Global ReEnergy)
Cyber is C
Cyber is considered part of ESG (environmental, social, and governance) considerations; primarily within the governance aspect in terms of operational risk management, but also the social realm in terms of how communications are handled in the wake of an attack. However, as a key operational risk that can have material implications for an entity’s brand, reputation and wider business profile, cyber increasingly warrants a distinct focus in its own right. (Northwestern Mutual/S&P Global)
ESG’s Biggest Risk
Cyber security is not the only subject matter that some have added to the universe of ESG (e.g., tax strategy, Russia’s invasion of Ukraine). Nor is it the only one on which experts differ over which letter it should be assigned (e.g., DE&I, talent). But the various and creative ways in which cyber security can be packaged as ESG, shown above (with all due respect to those authors), demonstrate the potential for ESG to become an open-ended term. Even past evangelists (most notably Bob Eccles and Anne Simpson) now pray that we move on and search for a better one.
One could argue that the term "ESG" is best used as shorthand for anything not typically measured with traditional financial metrics, or “externalities” in general, and pedantic arguments over specific words and letters (like this blog post!) miss the point. But the possibilities for what is an ESG issue cannot be endless. What is not ESG? An undisciplined approach to what constitutes ESG will render it meaningless to those who need to understand its importance (e.g., Warren Buffett), and an absence of boundaries makes ESG ripe for manipulation, co-option, and ridicule by those with ulterior motives (e.g., the Free Enterprise Project). Continuing down this path will undermine the concept of ESG as a critical component of business and investment decisions. ESG’s own biggest risk may be that it can be whatever you want or need it to be.