As organizations today implement digitized business models and leverage more and more technological advancements for increased productivity, cybersecurity has become a top concern for individuals and investors alike. Nobody wants their data leaked, accounts hacked, or identity stolen! It’s easy to see, then, why a company’s cybersecurity practices are coming under the microscope. In addition to federal regulations, there’s a little (big) something else putting pressure on companies to implement cybersecurity solutions: ESG ratings. Let’s take a look at how a company’s cybersecurity practices impact ESG ratings.

How Cybersecurity Practices Impact ESG Ratings
One factor that contributes to a company’s overall ESG rating, or score, is its cybersecurity practices. Drilling down, the part of the ESG rating that relates specifically to cybersecurity includes issues such as Data Protection and Privacy, but also Customer Satisfaction and Regulatory Compliance.
To improve ratings related to these particular ESG issues, a business must implement security protocols and solutions that address cybersecurity threats. Investors must also understand that the ESG framework necessitates collaboration between regulators, companies, and industry stakeholders.
By implementing industry-standard security protocols, an organization can further align itself with ESG principles, allowing it to have a better rating. Cybersecurity solutions can also equip businesses with in-depth analytics, helping them to make informed decisions for strategic growth, and potentially increased profits for investors.
Without properly addressing cybersecurity threats, increased digital and technological exposure can leave a company vulnerable to online threats.
Security breaches, data leaks, and proprietary information misuse can leave companies with extraordinary monetary costs, as well as reputational damage causing lost revenue. Organizations not adequately mitigating their cybersecurity risks with enhanced security protocols are putting their company—and by extension, their investors—at risk.
The Current Cybersecurity Landscape
Understanding the current cybersecurity landscape can help investors see which practices and solutions can positively impact a company’s ESG ratings.
In recent years, factors such as the pandemic and geopolitical tensions have added immense risk to the adoption of technological advancements in business operations, due to increased exposure to online threats that include unauthorized access and data breaches.
Recent forecasts have shown that the global cost of cybercrime is expected to surge to over $23 trillion by 2027. However, solutions to combat exposure to online threats have emerged. Businesses are increasingly implementing them, and the market volume for such solutions is expected to increase to over $270 billion by 2028.
Understanding ESG Ratings
ESG ratings basically refer to a set of standards pertaining to an organization’s behavior that investors may use to determine potential returns. The MSCI ESG score that we use at Rowling & Associates is one of the most popular methods for rating companies based on their ESG practices. This rating system has seven scores used to categorize companies into three categories that include:
- Leader – Companies in this category have a score of “AAA” or “AA” and are considered to be industry leaders in managing ESG risks and leveraging opportunities.
- Average – Companies in this category are given a score of “A,” “BBB,” or “BB” because they are able to manage some ESG rating factors effectively but tend to fall short on others.
- Laggard – Companies with a score of “B” or “CCC” are generally not managing ESG risk factors and are considered to have high exposure to threats that may impact their business.
Investors can use ESG ratings to help determine which factors are paramount to a business. Doing so lends insight into the decisions a company is likely to make, as well as the long-term risks it’s exposed to currently, and potentially in the future. Investors then factor this ESG analysis in with other traditional valuation methods, before deciding whether to allocate capital to a particular company or investment fund that includes the company.
Security Protocols That Improve ESG Rating
Companies use a wide range of cybersecurity practices to safeguard their networks, data, and applications. Deploying strong security protocols for data protection and privacy contributes to a higher ESG rating in that area. Some of the security protocols that investors consider prior to allocating capital include the use of:
Threat Intelligence
Threat intelligence refers to the process of identifying and analyzing cyber threats for the purpose of developing prevention measures. Such prevention measures may include firewalls and data encryption.
Using threat intelligence helps an organization comply with ESG standards pertaining to data protection and privacy. Companies that use threat intelligence are able to proactively address concerns regarding exposure to risk, and therefore are assessed as a lower risk to investors.
Attack Surface Management (ASM)
ASM is the process of identifying, analyzing, and monitoring network vulnerabilities and attack surfaces that a cybercriminal could use to breach an organization’s network. Investors must know that competent businesses implement ASM from an attacker’s perspective.
This allows the companies to better understand their vulnerabilities and helps them develop effective remediation protocols. Both these factors help improve the ESG rating and help make the company a lower-risk option for investors.
Access Control and Management (ACM)
Data breaches can occur from both external and internal sources. However, companies that have comprehensive access control and management protocols are able to secure organizational resources by developing strategies based on the Zero Trust framework.
Companies with ACM protocols are capable of limiting access on a need-only basis. This helps them increase the effectiveness of their data protection measures and improve their ESG rating.
Data Encryption
Many organizations deal with or store sensitive customer information such as bank account numbers or credit card details.
To protect such information from unauthorized access, companies encrypt data at rest and in transit. This ensures that information can’t be accessed without an encryption key and helps improve their ESG ratings.
Final Thoughts
The technological advances and digitization efforts a company makes to improve productivity can also leave it exposed to cybersecurity risks. ESG analysis of a company’s cybersecurity standards can be used to better understand the protection measures it has in place.
Cybersecurity exposure, whether exploited or unexploited, translates into poor data protection protocols and decreased customer satisfaction. Both these factors can lower the company’s ESG rating, specifically related to the “S” pillar (social responsibility), making such companies a less desirable choice for investment.
Cybersecurity is just one of the factors that impact a company’s overall ESG rating, but in today’s age it is a very important one that investors use to determine the company’s viability as an investment.