Data privacy and cybersecurity-related issues have become significant drivers of business risk as companies digitize and business models shift toward complex, data-driven products and services. The widespread collection and use of personal data means that data privacy and cybersecurity have become material ESG issues (MEIs) for companies across a broad range of subindustries.
Here is a list of seven questions every organization should address to effectively manage data privacy and cybersecurity-related ESG issues.
Question One: Digitization is one of the key drivers of the transition to a greener economy. How can my company balance digitization with data privacy and cybersecurity risks?
For most companies, management of cybersecurity as a MEI involves strong performance across three key elements:
Data privacy and security policy: A company’s public-facing statement which signals its high-level commitments to privacy and cybersecurity.
Data privacy program: Provides evidence that a company has implemented controls that reflect applicable privacy laws, regulations, and industry standards.
Cybersecurity program: Provides evidence that a company has implemented industry-standard security safeguards to mitigate the risk of incidents and breaches.
Question Two: How can my company act now to position privacy as an ESG priority?
Companies can take immediate action on ESG issues related to cybersecurity by setting a few achievable short-term goals related to employee training and governance.
Question Three: What key questions should our leadership be asking about our organization’s cybersecurity?
Cybersecurity is ranked as the top threat to growth by global CEOs,1 yet many organizations still aren’t sure how to manage this MEI in a world of rapidly evolving technology. Corporate leaders should start by asking questions related to their organization’s exposure to threats, governance practices, and plans in the event of a breach or other cybersecurity incident. Below is a short list of questions as a starting point.
Exposure to Threats
Where governance is concerned, corporate leaders should ask questions such as, “How does our data program and cybersecurity program implement best practices? What is our leadership’s role in the event of an incident?” As outlined in question four below, governance plays a significant role in the management of cybersecurity as an MEI, and leaders should aim to create a culture of data privacy and protection.
With cybersecurity and data privacy threats only continuing to grow in number and complexity, corporate leaders cannot afford to ignore implementing a pre-emptive response plan. Some key questions to ask include, “What are our business recovery plans in the event of a cyber incident? And what are the layers of protection we have put in place?”
Question Four: What is the role of corporate governance in managing cybersecurity risks?
Fostering a culture of data privacy and protection means building strong cybersecurity and cyber resilience programs from the top. Companies following best practices will establish a dedicated role for assuming responsibility for privacy issues and cybersecurity. The role should be at the C-level or someone directly reporting to a C-level executive, such as a chief privacy officer or chief information security officer.
Question Five: What are some key elements of effective privacy, data and cybersecurity policies and programs?
Data Privacy and Security Policy
Data Privacy Program
Question Six: What are the long-term risks of a data privacy breach or cyberattack and how can my company recover after experiencing one?
A growing number of companies are acknowledging that they will inevitably experience cyberattacks, whether directly to their own data infrastructure or through their supply chains.
Question Seven: How does cybersecurity impact my ESG risk profile?
In general, Morningstar Sustainalytics considers approximately 20% of the risks related to cybersecurity to be unmanageable, due to the fact that part of the risk pertains to actions taken by individuals external to the company, such as hackers.
Source: Morningstar Sustainalytics. Data as of January 26, 2022. For informational purposes only.
1 PwC. 2022. "PwC's 25th Annual global CEO Survey." https://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2022.html
Risk and Opportunity in Biodiversity: How Sustainable Finance Can Help
This article outlines how biodiversity loss poses material risks to business and how it connects to many other issues that companies can’t ignore. In addition, it covers how biodiversity conservation presents substantial economic opportunities, and how businesses can address and access these opportunities by issuing linked instruments that integrate biodiversity considerations.
Today’s Sustainable Bond Market: Boosting Confidence in Sustainable Bond Issuances
In this article, we examine the kinds of sustainable bonds offered in the market, some of the key regulations being developed in different markets and the current initiatives to improve the quality and credibility of issuances.
Webinar Recap: How Integrating ESG Can Drive Opportunity for Private Companies
Recently, Morningstar Sustainalytics hosted a webinar – ESG in the Lifecycle of a Private Company: How Stakeholder Demands Drive Sustainability in Private Markets – to address some of the questions private companies might have surrounding ESG and how it could impact their business.