Do cybersecurity and ESG go hand in hand?

Nurdianah Md Nur • 9 min read
When organisations integrate cybersecurity into their ESG strategy, they are approaching cybersecurity from a holistic perspective rather than as an isolated risk. Photo: Unsplash

Once regarded as a purely IT issue, cybersecurity is now a business risk: a successful cyber attack can have material consequences, from direct financial losses to indirect costs such as reputational damage. Cybersecurity also belongs in environmental, social and governance (ESG) strategies, as it addresses the risks that come with growing reliance on digital systems and data and helps strengthen an organisation’s business resilience.

“Amidst the recent spike in cyber attacks across industries, including the financial services sector, cybersecurity is emerging as a key area of interest to all organisational stakeholders — including investors, regulatory bodies and customers — and is a growing factor in evaluating credit risk,” Christophe Barel, managing director for Asia Pacific of industry consortium FS-ISAC, tells DigitalEdge.

He adds: “It is critical to two pillars of ESG: Governance, in terms of operational risk management, and social, in terms of being responsible for customers’ sensitive data and handling communications in the wake of an attack. Without robust cybersecurity measures in place, organisations are exposed to significant risks that can undermine their sustainability and long-term value creation, not to mention their very existence.”

Daryl Seetoh, senior associate at law firm Baker McKenzie Wong & Leow, agrees that cybersecurity is a strong hallmark of good governance as it reflects accountability. “Organisations that develop robust cybersecurity systems demonstrate a commitment to addressing concerns about the digital space and build trust with their stakeholders, particularly in how their personal data is safeguarded and shared. [Cybersecurity can have social implications too] as digital threats pervade many aspects of our everyday life linked with technology.”

He continues: “Given that ESG frameworks have become one litmus test of a well-managed and responsible organisation, cybersecurity undoubtedly has an important place within these standards. If we are to rely on the ESG frameworks to showcase organisations which comply with our standards for the future, the frameworks must adapt to the demands of the times.”

“With cybersecurity as a critical part of ESG frameworks, stakeholders may holistically assess an organisation’s commitment to sustainable profitability, good governance, social responsibility, business ethics, environmental sustainability and a beneficial impact on the world.”
Daryl Seetoh, senior associate, Baker McKenzie Wong & Leow

A holistic approach

When integrated into ESG, cybersecurity becomes an integral part of the organisation’s business strategy instead of an isolated function. “Rather than viewing it as a standalone or predominantly IT issue, the approach [to cybersecurity] becomes more holistic and aligned with the broader corporate responsibility to execute sound business risk management programmes. In essence, cybersecurity is seen not just as an operational necessity, but also as a critical aspect of corporate citizenship and stewardship,” says Nathan Wenzler, chief security strategist at cybersecurity firm Tenable.

He continues: “For instance, embracing this integrated risk management perspective means recognising the potential social impact of a data breach, such as the misuse of personal customer information leading to a loss of trust and harming individuals directly. It acknowledges that robust cybersecurity practices are part of good governance and shows that a company is managing its risks responsibly and effectively. This can build confidence among stakeholders, including investors, customers and regulators.”

Wendy Lim, partner, Cyber, Advisory at KPMG in Singapore, also believes cybersecurity will better align with broader organisational goals and stakeholder expectations when integrated into an ESG framework. “From KPMG’s interactions with industry players, we have observed organisations and their boards paying greater attention towards harmonising cyber and ESG strategies, focusing on areas such as safeguarding information assets and ensuring transparent reporting.”


“By making cybersecurity a key part of their ESG strategy, organisations are signalling its importance to stakeholders and making it a board-level issue — particularly since they would be responsible for reporting on its progress annually.”
Wendy Lim, partner, Cyber, Advisory, KPMG Singapore

Varying levels of awareness

There are currently different levels of awareness of the need to make cybersecurity a core component of the ESG strategy. “Similar to how businesses’ investment in cybersecurity can vary across the board, taking action on incorporating cybersecurity into their ESG strategy can also differ across Asia Pacific. Factors that businesses will consider include upfront investments, resource availability, technical expertise and regulatory pressures,” shares Lim.

Larger multinational corporations, notes Wenzler, are generally more aware of the importance of cybersecurity due to their exposure to international markets and the rigorous regulatory environments in which they operate.

However, he foresees an upward trend in both awareness and inclination to incorporate cybersecurity into ESG strategies.


“Globally, there is a growing body of regulatory and compliance directives being handed down, prescribing organisations of all sizes and in broader industries to have ESG initiatives in place. With that comes the need to ensure they have formal cybersecurity programmes to support those initiatives.”
Nathan Wenzler, chief security strategist, Tenable

He adds: “It is possible that governments and regulators across Asia Pacific will become more prescriptive with regard to the steps and measures firms will need to take to ensure an adequate cybersecurity posture, which means that awareness will also likely grow.”

As regulations on data privacy and security multiply worldwide, is complying with them enough to reduce an organisation’s exposure to cyber risk? No, says Seetoh: regulatory frameworks only provide the scaffold on which organisations shape and develop their cybersecurity programmes.

He adds: “Organisations ought not to allow regulatory compliance to form an inhibiting perimeter that restricts their cybersecurity programme development. In line with the spirit of ESG, the goal should not only be regulatory compliance but also to go above and beyond as responsible stewards to the planet and society at large.

“In the context of cybersecurity, this could entail taking the initiative to spearhead improvements to their programmes and pioneer industrial standards or best practices. Having ownership over their cybersecurity programmes enables organisations and industries to develop symbiotic synergies with regulatory institutions in cybersecurity. While taking direction from regulatory institutions, organisations may also offer insights into their own industry-specific advancements and needs, enabling both sides to work off one another. In doing so, both general society and the individual organisations benefit from a jointly constructed and robust cybersecurity framework.”

Integrating cybersecurity into ESG

To effectively integrate cybersecurity into their ESG strategy, organisations must first have visibility of their cyber risks. “By understanding the state of cybersecurity throughout the organisation, stakeholders will be better able to make sound decisions about how, when and where to address cyber risks and protect the initiatives that support their ESG programme,” says Wenzler.

Meanwhile, Seetoh highlights the need to ensure the ESG framework organisations adopt aligns with their specific cybersecurity risks, business needs, legal and compliance requirements, and ESG goals. “Engage trusted advisers as necessary to leverage their expertise and get assistance with an audit of the integration. Having third-party reviews of the integration prevents systematic biases that may conceal misalignment, inefficiencies and gaps.”

Once the groundwork is done, Barel recommends that organisations look at:

  • Increasing board-level engagement and engendering a mindset shift in prioritising cyber risk
  • Codifying cyber risk frameworks and protocols into an organisation’s governance structure, such as mandating cybersecurity risk assessments at regular intervals to identify, prioritise and mitigate risks
  • Implementing robust employee awareness and training programmes to educate employees about their role in protecting sensitive data and detecting potential threats
  • Engaging with industry associations, government bodies and peer organisations in cross-sector knowledge sharing and collaboration, including participation in cyber defence exercises.


“Many of the best practices that organisations can embrace to integrate cybersecurity into their ESG strategy mirror those that help firms build business resilience against cyber risk.”
Christophe Barel, managing director for Asia Pacific, FS-ISAC

It is also vital to measure and report their integrated cybersecurity and ESG efforts to show progress and accountability to stakeholders. “[To do so effectively,] organisations should develop clear metrics or key risk indicators that align with their strategic objectives. These could include incident response times, the number of staff trained, or the results of penetration tests or phishing campaigns. Regular audits and transparent reporting can help demonstrate the effectiveness of these efforts and build stakeholder confidence,” adds Lim.

Organisations can take reporting a step further by translating cybersecurity’s technical metrics into something tied to the broader business risk metrics. Wenzler explains: “This means using fewer metrics that are volume-based and moving towards trending of risk levels over time, tying financial impact from direct loss or regulatory fines, or leveraging risk models that can show which areas of the organisation are most at risk of harm from a cyber attack and how much that contributes to the overall health and risk of the organisation.

“It’s not an easy process, and for many IT practitioners, it is a very different style of reporting metrics. [However, this can help] demonstrate how proactive security efforts are helping to lower the likelihood of financial and legal harm to the organisation. Additionally, companies can showcase their ongoing investment in cybersecurity training and tools, as well as the adoption of best-practice frameworks as commitments to protecting their technology assets in support of their ESG programmes. [This helps] demonstrate credibility to their customers or constituents.”

As the cyber risk landscape evolves, organisations must make cybersecurity a core component of their ESG strategy. Doing so will enable them to take a more holistic, strategic and proactive view of cybersecurity, which will in turn help strengthen their business resilience.

The Edge Singapore
© 2024 The Edge Publishing Pte Ltd. All rights reserved.