Cybersecurity and Privacy Become Key ESG Imperatives

July 31, 2023

Cybersecurity and privacy issues have become prominent ESG concerns as organizations frequently manage sensitive information concerning their beneficiaries, employees, third parties, and other stakeholders. Protecting this data from cyber threats and ensuring privacy is a crucial responsibility, as stakeholders expect organizations to have robust cybersecurity measures in place to safeguard their personal information.

Failure to comply with applicable laws, regulations governing data protection, and contractual requirements governing data protection and privacy can result in legal and financial consequences – negatively impacting an organization’s ESG standing. Organizations are also expected to uphold ethical principles and responsible practices as protecting stakeholder data and respecting privacy are integral components of ethical conduct.

Cybersecurity and privacy policies are facing greater scrutiny by stakeholders who are assessing an organization’s commitment to responsible and transparent operations. Earlier this year, COSO released supplemental guidance for organizations who are reporting on ESG/sustainability for public disclosure or enterprise decision-making. The revised framework includes cybersecurity and privacy-related issues as they relate to ESG:

COSO ICSR ESG Topics

Source: COSO Supplemental Guidance: “Achieving Effective Internal Control Over Sustainability Reporting (ICSR)”

Strong cybersecurity and privacy practices factor into ESG in several ways:

Environmental: While cybersecurity and privacy may not be directly related to environmental concerns, they do contribute to the overall sustainability and resilience of an organization’s operations. Effective cybersecurity measures can prevent data breaches, cyberattacks, and the resulting environmental impact that may arise from incidents such as data loss or system disruptions. By safeguarding sensitive information, organizations can reduce the need for resource-intensive recovery processes and minimize environmental harm.
Social: Protecting the privacy and data of individuals is a critical social responsibility. Organizations that prioritize cybersecurity and privacy demonstrate their commitment to respecting and safeguarding the personal information of their stakeholders, including customers, employees, and partners. This helps build trust, maintain confidentiality, and protect individuals’ rights to privacy.
Governance: Organizations must establish robust governance structures and processes to manage cybersecurity risks, comply with applicable regulations, and protect sensitive information. Strong governance practices include establishing policies and procedures, conducting risk assessments, implementing security controls, evaluating third parties, and providing cybersecurity training and awareness programs for employees.

GRF Can Help

Organizations that prioritize cybersecurity and privacy concerns demonstrate their commitment to responsible governance, risk management, and stakeholder protection – enhancing their overall ESG performance. To learn more, visit our page on GRF’s Cybersecurity and IT Risk Auditing Services, contact us online, or reach out to Melissa through the contact info below.

Melissa Musser, CPA, CIA, CITP, CISA

Partner and Director, Risk & Advisory Services

Email Call

Risk & Advisory

Mitigate Online Donation Risks with PCI Compliance and Third-Party Risk Management

Risk Management is on the Rise at Not-For-Profit Organizations

ESG and Third Parties

Third parties play a significant role in cybersecurity and privacy as part of an organization’s ESG considerations. When organizations engage with third parties and partners, they often share sensitive data and access to their systems, making it essential to ensure that these third parties maintain adequate cybersecurity and privacy measures. A data breach or privacy incident involving a third party can have severe consequences for the organization, including reputational damage, financial losses, and potential legal and regulatory implications.

To address this concern, organizations can leverage open-source scanning technology as part of their third-party risk management strategy. Open-source scanning tools such as the GRF Cyber Risk Assessment and Scorecard allows organizations to assess the security posture of third-party software and applications by identifying vulnerabilities, security flaws, and potential privacy issues in the open-source code used by those third parties. This transparency can facilitate constructive discussions between organizations and their third parties and the findings can be used as a basis for suggesting improvements and encouraging collaborative efforts to enhance security and privacy.

Cybersecurity and Privacy Become Key ESG Imperatives

COSO ICSR ESG Topics

GRF Can Help

Melissa Musser, CPA, CIA, CITP, CISA

Next

Previous

ESG and Third Parties