Cybersecurity & ESG Investing

An Overview of Implications, Materiality, and Current Thinking

Cybersecurity is a universal investing concern. Cyber attacks can have dire financial and economic consequences as well as societal and environmental impacts. When assessing cybersecurity, investors must consider the full scope of risks. For example, a major cyber attack on electricity infrastructure will impact all portfolios, regardless of direct utility ownership.

I. Summary

This is the first in what will be a series of articles on cybersecurity vis-à-vis SRI/ESG investing, the energy and utilities sectors, or both. As an introductory piece this is more text-heavy than my typical data-centric, analytically-driven work but it lays out an important contextual foundation for future posts. The key points in this article are:

  • Cybersecurity is a sustainability issue relevant to all SRI/ESG investing. Cyber attacks can have major business, financial, and capital markets implications as well as impact a broad array of Environmental, Social, and Governance issues.
  • Cyber risks and preventative cybersecurity are increasingly recognized as material investment considerations (generally and specific to SRI/ESG investing) and are a growing presence in various investing-related agendas.
  • The SEC and FASB have issued guidance on cybersecurity disclosures, and sustainability-focused organizations are including cybersecurity in investing strategies, investment products, and reporting and accounting standards.
  • Almost all of the current SRI/ESG dialogue focuses on Governance, a good near-term prioritization that reflects urgency and probability; cyber risk management is mostly a Governance issue and attack prevention is a priority.
  • However, balance is needed long term. The most probable cyber events (e.g., consumer data breaches) have big Social impacts, and low-probability/high-impact attacks with dire Environmental consequences are a matter of when, not if.
  • Greater emphasis is needed on full-scope cyber risks. Current views lean myopic, often focusing on a single company in a vacuum. It’s also important to consider collateral impacts, such as attacks on a company’s supply chain partners.

II. Context

Cybersecurity is Material to SRI/ESG Investing

Cybersecurity is a sustainability issue and highly relevant to all SRI/ESG investing. Cybersecurity and related cyber risks have financial implications across sectors, industries, companies, and asset classes, are material to all legs of ESG, and are increasingly prominent in regulatory and sustainability/ESG agendas.

Cyber Risks Have Clear Financial Implications

SRI/ESG investing is, first and foremost, investing. As such, I espouse a Triple Bottom Line (TBL) approach and first want to emphasize cybersecurity as a general business and risk concern. To be clear, it’s not all doom and gloom. Effective cybersecurity has some upside (trust, reputation), but costs and risks are more immediate and tangible:

  • Preventative Investments: Prevention is far less expensive than remediation but is still costly. Amounts vary, but oft-quoted numbers put annual cybersecurity spending at 6-14% of IT budget; another puts it at 3% of capital expenditures.1
  • Incident-Driven Impacts: Cyber attacks can lead to temporary but substantial business disruption and loss of revenue as well as costs associated with incident recovery, remediation, regulatory fines, litigation, and legal liabilities.
  • Recurring Consequences: Effects can extend beyond “one-time” to include long-term reputation damage and loss of customers, lower recurring revenues, increased operating expenses, and protracted legal and regulatory proceedings.
  • Capital Markets Aftermath: The above can trigger a vicious capital markets cycle: lower equity valuations and credit ratings, higher cost of capital, reduced access to funding, and hindered ability to grow or otherwise execute strategy.2

Cybersecurity Impacts Every Component of ESG

Most of the current cybersecurity/ESG dialogue focuses on Governance, followed by Social, and rarely Environmental. This order of priority is understandable and perhaps even appropriate in the near-term for reasons I’ll address later. However, it’s important to keep in mind that cybersecurity and related risks affect all legs of ESG.

  • Environmental: Cyber incidents — particularly those involving cyber-physical systems (e.g., power plants, pipelines, water treatment facilities) — can have real-world environmental consequences such as pollution, flooding, and wildfires.
  • Social: Preventative cybersecurity benefits employment and workforce skill levels but cyber events can adversely affect everything from basic privacy to access to water, food, and shelter as well as emergency services and health care.
  • Governance: Effective cybersecurity entails specialized board and executive oversight, risk management, regulatory compliance, reporting and disclosure policies, and investor communications; all affecting trust and reputation.

Cyber Risk is Increasingly on Investing Agendas

Cybersecurity as an investment consideration is nothing new but its prevalence and import have grown dramatically in recent years. This is largely due to the nature of recent cyber attacks — they’re high-profile, affected millions of average consumers, caused real disruption in business and government operations, and caused material financial damage. So it’s no surprise that cybersecurity is firmly on general and ESG-specific investing agendas, and with growing urgency.

General Finance Watchdogs are Marking Their Territory

My main focus is cybersecurity as it relates to SRI/ESG investing but it’s important to first note the views of two general investing regulatory bodies whose decisions affect all investing, including SRI/ESG. Specifically, the Securities and Exchange Commission (SEC) and the Financial Accounting Standards Board (FASB).

SEC Issues Cybersecurity Disclosure Guidance3

The SEC views cybersecurity as a material investor concern, evidenced by a series of statements and guidance on disclosure issued by its Division of Corporation Finance (2011), Division of Investment Management (2015), and the Commission itself (2018). The SEC hasn’t yet established formal rules, but its guidance is detailed. Key points are:

  • The SEC echoes US-CERT in stating that cyber risks pose “grave threats” to investors, capital markets, and national security
  • Risks affect issuers and securities, investment accounts with financial services firms, and all global financial markets
  • Issuers are currently obligated to disclose material cyber risks and incidents under existing disclosure requirements
  • Language should be detailed re: typical investor concerns (financial, legal); generic language is explicitly discouraged
  • Disclosures should be in annual (10-K, 20-F, 40-F) and quarterly (10-Q) filings; material events should be in 8-Ks/6-Ks
  • PART I, Item 1A (Risk Factors) is the best section for disclosure; others are Legal, MD&A, Financials, and Governance

FASB Highlights a Unique Cybersecurity Risk4

FASB — which governs financial accounting standards — points out a risk I haven’t seen elsewhere. It pertains to cyber defacement. Defacements take many forms, but typically a hacker of the hacktivist sort “re-designs” a target website to display a socio-political message. Think of it as electronic graffiti. Considering the spectrum of cyber threats, typical defacements are relatively benign. FASB, however, contemplates a more serious scenario.

“The fact that financial statements can be changed in cyberspace adds a whole new wrinkle.” — FASB Steering Committee

What if a defacement is of financial data? Or if hackers add misleading information to a website? FASB opines that lax cybersecurity leading to material defacements could equate to negligence and violate Rule 10b-5 of the Securities Exchange Act of 1934, which governs securities fraud and prohibits, among other things, making “untrue statements of a material fact.”

This is simultaneously fascinating and disconcerting to me. Here are a few of my thoughts:

  • From a hacking-skill standpoint, defacing can be easy: light damage can be done with basic stored cross-site scripting or SQL injection against the site’s content store, and even DNS hijackings are often aided by weak DNS infrastructure and domain management practices.
  • Subtle, strategically altered numbers or text are much harder to detect than, say, a full-screen banner declaring “You’ve Been Hacked by Anonymous,” and are potentially far more damaging. Sometimes, less is more.
  • Defacing can include documents. Imagine a hacker with financial knowledge editing an annual report PDF, perhaps re-wording the CEO’s letter to shareholders or a footnote under Litigation, adding a few zeros to the potential liability.
  • Even worse than defacing of issuer websites or documents would be defacing/altering of financial statements and other filings in the SEC’s EDGAR system. It’s a stretch but not inconceivable; the SEC has been hacked before.
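The detection problem in the second and third bullets is the one a practitioner would actually instrument: a published page or filing that differs from its known-good copy by a handful of characters. The following is an added example, not code from the article or from FASB; it assumes a hypothetical investor-relations page whose known-good snapshot and subtly defaced copy are constructed inline, and keeps the baseline in a local dict where a real deployment would store it off-host, signed or write-once, so that whoever can edit the site cannot also edit the baseline.

```python
"""Integrity check for published investor documents (added example).

Builds a SHA-256 manifest of a known-good snapshot and compares a later fetch
against it. For changed text documents it also reports the differing lines and
any numeric tokens that appear only in the new copy, since a defacement that
alters one figure will not announce itself with a banner.
"""
import difflib
import hashlib
import re

# Constructed sample: known-good snapshot of a hypothetical IR page
BASELINE = {
    "ir/litigation-note.html": (
        "<h2>Note 12: Litigation</h2>\n"
        "<p>Management estimates the reasonably possible loss at $4,500,000.</p>\n"
        "<p>No accrual has been recorded as of December 31.</p>\n"
    ),
    "ir/ceo-letter.html": "<p>Results were in line with guidance.</p>\n",
}

# Constructed sample: a later fetch in which one figure gained two zeros
CURRENT = {
    "ir/litigation-note.html": (
        "<h2>Note 12: Litigation</h2>\n"
        "<p>Management estimates the reasonably possible loss at $450,000,000.</p>\n"
        "<p>No accrual has been recorded as of December 31.</p>\n"
    ),
    "ir/ceo-letter.html": "<p>Results were in line with guidance.</p>\n",
}

# Dollar amounts, counts and decimals; good enough to surface changed figures
NUMBER_RE = re.compile(r"\$?\d[\d,]*(?:\.\d+)?")


def fingerprint(text):
    """SHA-256 of the document body; this is what the manifest stores."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(docs):
    """Map each document path to its fingerprint (assumed stored off-host)."""
    return {path: fingerprint(body) for path, body in docs.items()}


def new_numbers(old, new):
    """Numeric tokens present in the new copy but absent from the old one."""
    return sorted(set(NUMBER_RE.findall(new)) - set(NUMBER_RE.findall(old)))


def check(baseline, current):
    """Compare a fresh fetch against the known-good snapshot.

    Returns a list of findings (missing, modified, unexpected);
    an empty list means every document matched its fingerprint.
    """
    manifest = build_manifest(baseline)
    findings = []
    for path, expected in manifest.items():
        body = current.get(path)
        if body is None:
            findings.append({"path": path, "status": "missing"})
            continue
        if fingerprint(body) == expected:
            continue
        # Hash mismatch: show exactly which lines changed and which figures are new
        diff = [
            line
            for line in difflib.unified_diff(
                baseline[path].splitlines(), body.splitlines(), lineterm="", n=0
            )
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
        ]
        findings.append({
            "path": path,
            "status": "modified",
            "diff": diff,
            "new_numbers": new_numbers(baseline[path], body),
        })
    # Documents served now that were never in the baseline (e.g., a planted page)
    for path in sorted(set(current) - set(manifest)):
        findings.append({"path": path, "status": "unexpected"})
    return findings


if __name__ == "__main__":
    for f in check(BASELINE, CURRENT):
        print(f["path"], f["status"])
        for line in f.get("diff", []):
            print("   ", line)
        if f.get("new_numbers"):
            print("    new figures:", ", ".join(f["new_numbers"]))
```

Run against the constructed copies, the check flags only the litigation note, prints the removed and added line, and lists $450,000,000 as a figure that did not exist in the baseline. Hash comparison alone is enough to raise the alarm; the diff and the numeric extraction are what turn an alert into something an analyst or a disclosure counsel can act on quickly.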

Sustainability/ESG Organizations are Also Weighing In

Cybersecurity is front-and-center for many prominent organizations involved in sustainability reporting and accounting standards, sustainable and responsible investing advocacy, and sustainability/ESG investment products (research, ratings, indexes). The following are representative (but by no means exhaustive) examples.

Sustainability Accounting Standards Board5

The SASB’s sustainability standards cover 77 industries in eleven sectors. More than half of the 77 industry-specific standards address cybersecurity-related issues to some degree and twenty-one standards (representing eight sectors) address cybersecurity directly and in detail. Importantly, standards with the greatest level of cybersecurity detail include some (though not all) of the most critical sectors and industries.

Global Reporting Initiative6

Cybersecurity and semantically equivalent language are noticeably absent from GRI’s current (2016) standards. However, GRI-related cybersecurity discussions have appeared with increasing frequency (albeit in very generic terms) since 2016. These include third-party articles and web pages, interviews with GRI, and a few formal reports.

Given the relative absence of cybersecurity I was reluctant to include GRI under the heading “Sustainability Organizations are Weighing In” but decided to because: 1) GRI would be a glaring omission and 2) I sense that we’ll be hearing a lot more on the issue from GRI.

United Nations Principles for Responsible Investment7

UNPRI (aka PRI) clearly takes cybersecurity very seriously. PRI has a Cyber Security Advisory Committee dedicated to cybersecurity and related risk management, finance, and personnel issues. Moreover, last year it established a PRI-coordinated group of 53 institutional investor signatories to engage portfolio companies on major cybersecurity topics.

Investor Responsibility Research Center Institute8

In 2014 the IRRCi and PwC published a report addressing cybersecurity from governance, disclosure, and investment risk perspectives. It concluded: 1) disclosures are generic and rarely provide actionable insight, and 2) there’s a severe gap between cyber threats and corporate board preparedness. A 2016 report by IRRCi and EY noted that companies are providing increasingly better information on cyber, physical, and data security risks and management.

MSCI ESG Research/MSCI ESG Indexes9

MSCI includes cybersecurity in its ESG analysis and identified Equifax’s data-security weaknesses more than a year before its breach, acting on them decisively. In August 2016 MSCI downgraded Equifax to its lowest ESG rating, citing poor data security and privacy. In December 2016 MSCI removed Equifax from the MSCI ESG Leaders Index. Equifax was then hit with a series of lawsuits and fines leading up to the September 2017 news of a massive data breach impacting 143 million people.

RobecoSAM/Dow Jones Sustainability Index10

RobecoSAM — which performs the corporate sustainability/ESG assessments underlying the DJSI — added a new cross-industry criteria group to its assessment methodology. Titled “Information Security & Cybersecurity,” it focuses on cyber incident preparedness and privacy protection (mostly governance and quality control) as well as the financial impacts of past and potential incidents.

More Focus Needed on Full-Scope Cyber Exposure

I’m encouraged by the discourse on cybersecurity in SRI/ESG investing; it exists, is reasonably pervasive, generally on target, and seemingly headed in the right direction. However, it’s still vague in detail and narrow in perspective.

Current Cybersecurity/ESG Dialogue is Governance Heavy

Almost all of the discussion on cybersecurity and ESG focuses on Governance, some on Social, and virtually none on Environmental. To be fair, that ESG prioritization makes some near-term sense as it reflects urgency and probability.

  • Cyber risk management is mostly a governance issue and attack prevention is a first priority
  • More probable cyber events (e.g., consumer data breaches) tend to have big social impacts
  • Major environmental damage is by and large limited to cyber incidents with low probabilities

Governance will always influence Social and Environmental cyber risks but in the long term greater balance in focus is warranted. Low probability–high impact scenarios with real Environmental consequences are a matter of when, not if.

Current Views Don’t Account for Full Scope of Cyber Risks

My bigger concern is that current views of cyber risk lean toward the myopic, often neglecting to account for the full scope of possibilities. They rightly consider what an attack on Company A could do to Company A, but rarely what an attack on Company B could do to Company A. I’m mainly referring to the supply chain, especially critical infrastructure companies in the supply chain, and most notably energy suppliers, for several reasons.

As stated earlier, this is the first in what will be a series of articles on cybersecurity pertaining to SRI/ESG investing, the energy and utilities sectors, or both. If you have questions or want to discuss, email me at

  1. Preventative/proactive cybersecurity includes IT and physical security, cyber insurance, and personnel and training among other things. Costs vary by sector, industry, and company and are affected by variables like attack surface (sum of network, software, and physical vulnerabilities), attack vectors within that surface, incident probabilities and impact scenarios, industry-specific compliance, etc. Costs cited above are annual ongoing spends; numbers are much higher for initial cybersecurity investments.

  2. A 2017 study by Centrify and the Ponemon Institute analyzed stock performance around data breaches. For 113 publicly-traded companies data breaches caused an average 5% decline in stock value. Moreover, companies with poor cybersecurity measures experienced the highest decline (4% greater than average) and a much longer recovery period (90 days versus a week). This study is limited to data breaches; lower probability but higher impact incidents (e.g., an electricity grid outage) are likely to have much more significant market consequences. See The Impact of Data Breaches on Reputation and Share Value for details.

  3. See Commission Statement and Guidance on Public Company Cybersecurity Disclosures for the SEC’s 2018 guidance, which is based on prior guidance issued by its Division of Corporation Finance in Disclosure Guidance: Cybersecurity and Division of Investment Management in Cybersecurity Guidance. The SEC’s 2018 guidance expands on statements by its divisions and addresses two new topics: 1) cybersecurity policies and procedures, and 2) insider trading in the cybersecurity context.

  4. See Electronic Distribution of Business Reporting Information. The Financial Accounting Standards Board (FASB) is a private non-profit organization that governs the Generally Accepted Accounting Principles (GAAP) used by companies in the United States.

  5. See SASB Industry Standards: A Field Guide for general background and SASB’s downloads page for details on its industry-specific standards.

  6. Current GRI Standards are available on GRI’s Download Center page. See Sustainability and Reporting Trends in 2025 and Making the connection: The real effect of ESG on Corporate Financial Performance for example of more recent mentions of cybersecurity.

  7. See Terms of Reference – Cyber Security Advisory Committee, Stepping Up Governance on Cybersecurity: What is Corporate Disclosure Telling Investors?, and Engaging with Companies on Cyber Security.

  8. See What Investors Need to Know About Cybersecurity: How to Evaluate Investment Risks by IRRCi/PwC and Corporate Risk Factor Disclosure Landscape by IRRCi/EY.

  9. See MSCI ESG Ratings Help Identify Warning Signs for more on MSCI/Equifax.

  10. See RobecoSAM 2016 Sustainability Methodology Update.

Kyle Rudden
About the Author
I am a sustainability analyst, author, and consultant. My focus is SRI/ESG investing and sustainable finance. I combine subject knowledge with a hacker mindset and an eclectic technology stack to uncover original ESG insights along roads less traveled. A core area of expertise is energy sustainability and related environmental and technology issues (e.g., grid cybersecurity). My experience includes running a global Equity Research practice at a Fortune 500 investment bank and founding an ESG investment research firm. I'm intensely inquisitive and obsessed with coding, so be forewarned of my occasional 'experimental ESG' posts.