Environmental, Social & Governance (ESG)

Environmental, Social & Governance (ESG) is a concept that covers:
  • Environmental. This component addresses how an entity impacts the natural world (e.g., energy consumption/efficiency, carbon footprint, waste management, pollution).
  • Social. This component addresses how an entity manages its relationships with stakeholders (e.g., employees, customers, local communities, vendors). Key considerations about these relationships include labor practices, human rights, diversity, inclusion, health and safety, and community engagement.
  • Governance. This component addresses how an entity is led and managed (e.g., executive leadership). Key considerations include executive compensation, shareholder rights, board structure, ethical business practices, transparency and accountability.

Cybersecurity & Data Privacy Implications For ESG

ESG criteria are considerations of interest for "social responsibility" at the corporate level. ESG is traditionally used to screen potential investments as a way to support and maintain ethical conduct across organizations. However, with the evolving landscape of statutory, regulatory and contractual obligations, there are two significant points of intersection between an entity's cybersecurity & data privacy controls and the "social" component of ESG factors:

  1. Data protection / data privacy; and
  2. Human rights. 

The social criteria component of ESG takes into account the human factor at the individual level, as well as what occurs within organizations as part of normal business operations. This is where cybersecurity & data privacy come into play with the social criteria of the ESG model, because access to sensitive data and critical systems has real-world ramifications for individuals.

ESG is inextricably intertwined with cybersecurity & data privacy practices, since these functions have the ability to directly affect individuals, organizations, governments and society as a whole. Therefore, IT/cyber/privacy operations cannot merely "check the box" by providing access or data without understanding the real-world ramifications of complying with a law, regulation or contractual obligation. How an entity responds to potentially hostile compliance requirements will determine its genuine adherence to ESG principles for corporate responsibility, since non-compliance might be the morally-correct path for an organization to take.

Cybersecurity Controls To Address ESG Practices

The Secure Controls Framework (SCF) added ESG-specific controls that are intended to identify potentially harmful compliance requirements, where complying with a law or regulation of a hostile nation / oppressive regime would have profound, life-changing implications. The goal of these ESG-specific controls is to elevate risk-based decision making away from cybersecurity & data privacy practitioners by directing those issues to the entity's executive leadership, which must address the moral and legal ramifications of such compliance actions. The implications include, but are not limited to:

  • Foreign government espionage;
  • Intellectual property theft; and
  • Human rights abuses.

On the cybersecurity & data privacy side of ESG, unlike buying carbon credits, an organization cannot make up for its own deficient cybersecurity & data privacy practices by buying goodwill from another organization that implements responsible cybersecurity & data privacy practices. This means organizations need to step up and actually do what they should be doing to earn a good "social" rating within the scope of ESG compliance. In cybersecurity, "a standard is a standard for a reason" and that concept needs to be enforced, even if it means making difficult choices that could negatively affect profits. Without an ethical, morally-rigid leadership team, ESG is not only meaningless, but fundamentally dishonest and indicative of fraudulent business practices. ESG must be driven from the highest levels of the organization's leadership team, but only if they are willing to choose the harder right over the easier wrong.

ESG Virtue Signalling

ESG is easily abused, since it is only as good as the executive leadership team involved in enforcing those self-imposed mandates. Any critical review of an entity's ESG program should evaluate its exceptions management practices to determine if the ESG program is:

  • Merely "virtue signaling" to promote the entity for fraudulent marketing purposes; or
  • Willing to operationalize difficult decisions that could lead to lost profits in the pursuit of being a good corporate citizen.

ESG virtue signaling is disingenuous and offers no benefit to society in any form.

Beware of "Garbage In Garbage Out" ESG Practices

Fraud Magazine published an article on concerns related to abusing ESG principles. Fraudulent practices associated with ESG are very real and put the entire concept of ESG on shaky ground. Examples include:

  • Making an organization look better than it is through the purchase of carbon credits to offset manufacturing practices; or
  • Selectively enforcing prohibitions on choosing supply chain partners (e.g., Uyghur forced labor).

The issue of choosing the harder right over the easier (and more profitable) wrong is the fundamental flaw with ESG in many organizations, since "faithful ESG practices" will often lead to a decision to avoid engaging in, or to put an end to, a profitable business venture.