Cybersecurity and ESG: Think About It


Cybersecurity and ESG may not seem all that related, but if you take a minute or two to keep reading, we think you’ll see the connection across all three pillars of E, S, and G. Before we get started, we note that this is just one example of how ESG research and analytics can help investors and corporations identify non-obvious sustainability issues. Let’s dive in.

Cybersecurity and the Environment.

In developed economies, much of our infrastructure – we’re talking about drinking water supplies and wastewater treatment, the electric grid, that sort of thing – depends heavily on technology. For example, water treatment facilities and the pipelines that connect them to buildings and houses are linked together via computer networks in control centers that are vulnerable to cybersecurity threats. A cybersecurity breach could pose a significant threat to public health, according to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of National Critical Functions. The critical nature of water treatment plants, power plants, and the electric grid makes them targets for cybercriminals and terrorists.

According to the Washington Post (WaPo), in October 2021 the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency warned that U.S. water and wastewater systems are being targeted by “known and unknown” malicious actors. The WaPo article goes on to state that in February 2021, the water-treatment system in Oldsmar, Fla., was breached; the hacker(s) attempted to raise the level of sodium hydroxide in the water from 100 parts per million to over 100 times that level, which would have been poisonous. Thanks to the efforts of an alert employee, a disaster was avoided—this time.

For insights into the challenges of addressing these risks across the multiple jurisdictions involved, as well as information about organizations that are working to build infrastructure-related cybersecurity solutions, we recommend this article from Cybersecurity Guide.

The Social Impact of Cybersecurity.

Raise your hand if you have ever been informed that your personal data may have been compromised by a hacking incident—from a retailer, a health care provider, your alma mater, a certain hotel chain (twice), Facebook, a credit card issuer… we could go on, but we’ll assume you have raised your hand by now (we have). It makes all of us feel vulnerable, and perhaps a bit resentful toward the entities that were breached. The reputational risk of these events is huge, and the negative impact on customer loyalty can take years to repair. Concerns about data privacy will only increase as more and more details of our lives are stored digitally.

In May 2021, hackers linked to a ransomware organization gained access to an outdated VPN account at Colonial Pipeline, making the company’s operational technology network, including a 5,500-mile pipeline, vulnerable to a remote takeover. For days, drivers (including the truck drivers who are a critical part of supply chains) up and down the East Coast faced long lines at the gas pump. Gas prices shot up as consumers began to hoard supplies while Colonial held secret negotiations to restore access to its computer systems.

Investors are looking for evidence that companies see cybersecurity as a critical issue. This should include ongoing training for every employee, from the C-Suite to part-time support staff, about how they are a critical part of a company’s defenses against cybercrime. 

Governance and Cybersecurity.

Given that cyberattacks are a threat to a company’s reputation and profitability, investors want to know that cybersecurity is being addressed at the highest level. This often means appointing a chief information security officer, making cybersecurity reporting an ongoing task for either the audit committee or a separate risk committee, and ensuring that there are one or more individuals on the board with sufficient cybersecurity expertise. If these steps are not taken in a meaningful way and a breach occurs, there are likely to be ramifications that include a hit to the company’s stock price and calls for a change in management. For some additional perspective, see this brief report from KPMG.

OWL ESG’s data and analytics service allows investors, asset managers, and companies to create custom ESG analysis that can focus on almost any corner of sustainability, including cybersecurity. To learn more, please contact us here.