July 31, 2023

Cybersecurity and privacy issues have become prominent ESG concerns as organizations frequently manage sensitive information concerning their beneficiaries, employees, third parties, and other stakeholders. Protecting this data from cyber threats and ensuring privacy is a crucial responsibility, as stakeholders expect organizations to have robust cybersecurity measures in place to safeguard their personal information.

Failure to comply with applicable laws, regulations governing data protection, and contractual requirements governing data protection and privacy can result in legal and financial consequences – negatively impacting an organization’s ESG standing. Organizations are also expected to uphold ethical principles and responsible practices as protecting stakeholder data and respecting privacy are integral components of ethical conduct.

Cybersecurity and privacy policies are facing greater scrutiny by stakeholders who are assessing an organization’s commitment to responsible and transparent operations. Earlier this year, COSO released supplemental guidance for organizations who are reporting on ESG/sustainability for public disclosure or enterprise decision-making. The revised framework includes cybersecurity and privacy-related issues as they relate to ESG:

COSO ICSR ESG Topics

COSO Supplemental Guidance: COSO-ICSR-ESG-TOPICS

Source: COSO Supplemental Guidance: “Achieving Effective Internal Control Over Sustainability Reporting (ICSR)

Strong cybersecurity and privacy practices factor into ESG in several ways:

  • Environmental: While cybersecurity and privacy may not be directly related to environmental concerns, they do contribute to the overall sustainability and resilience of an organization’s operations. Effective cybersecurity measures can prevent data breaches, cyberattacks, and the resulting environmental impact that may arise from incidents such as data loss or system disruptions. By safeguarding sensitive information, organizations can reduce the need for resource-intensive recovery processes and minimize environmental harm.
  • Social: Protecting the privacy and data of individuals is a critical social responsibility. Organizations that prioritize cybersecurity and privacy demonstrate their commitment to respecting and safeguarding the personal information of their stakeholders, including customers, employees, and partners. This helps build trust, maintain confidentiality, and protect individuals’ rights to privacy.
  • Governance: Organizations must establish robust governance structures and processes to manage cybersecurity risks, comply with applicable regulations, and protect sensitive information. Strong governance practices include establishing policies and procedures, conducting risk assessments, implementing security controls, evaluating third parties, and providing cybersecurity training and awareness programs for employees.

GRF Can Help

Organizations that prioritize cybersecurity and privacy concerns demonstrate their commitment to responsible governance, risk management, and stakeholder protection – enhancing their overall ESG performance. To learn more, visit our page on GRF’s Cybersecurity and IT Risk Auditing Services, contact us online, or reach out to Melissa through the contact info below.

Melissa Musser, CPA, CIA, CITP, CISA

Partner and Director, Risk & Advisory Services