Cybersecurity – more than just a tech issue, it’s an ESG concern

Wendy Lim, Partner, Cyber, Advisory, KPMG in Singapore
Cherine Fok, Partner, Head of Our Impact Plan, KPMG in Singapore

Despite economic uncertainties, organisations continue to recognise cybersecurity and environment, social and governance (ESG) as top business and investment priorities. This is mirrored on the national level, with the Government’s recent proposal for a model artificial intelligence (AI) governance framework underscoring the need for a more robust and trusted ecosystem. There have also been concerted moves to offer businesses platforms more seamless and robust ESG data collection and access. 

However, thus far, most businesses have viewed the twin priorities in isolation and have at times, seen them as competing demands. As business challenges become more complex and interconnected, it may be inevitable for the two worlds to collide, and for cybersecurity to become a key consideration in ESG reporting.

That said, the ESG regulatory environment remains nascent, with stakeholders still finding it difficult to make sense of reported data. In Singapore and across the world, the market has also yet to mature to a point where investors are pricing ESG into business valuations, with ESG externalities properly reflected. However, rather than adopt a wait-and-see approach, businesses should act quickly to integrate their cybersecurity and ESG approaches ahead of their competitors, as this will enable them to leverage the synergies of both areas to build valuable trust. 

Business leaders have been keeping a close watch on the rapid growth of AI technologies and are strengthening their cyber posture against threats. KPMG’s 2023 CEO Outlook reveals that 64 percent of Singapore CEOs believe that generative AI could aid their cybersecurity strategy.

At the same time, the ESG agenda is also steadily gaining attention in boardrooms, as organisations navigate rising stakeholder expectations. Companies with a robust ESG strategy that can protect and create long-term value are being seen more favourably by investors, who are more discerning about maximising their returns in a volatile economic environment.

Hence, what companies may not yet realise is that to instil trust in today’s digital age, there needs to be a symbiotic relationship between ESG and cybersecurity, especially when it comes to ESG reporting.

Increasingly, the effectiveness of an organisation’s privacy, cybersecurity and data management practices will demonstrate how well they govern the data they process and share. This is likely to become a crucial ESG factor considered by investors in the coming years, especially as cybersecurity risks could have a direct impact on financial materiality.

The implications are also not limited to only affected companies but may also extend to the entire society, economy and marketplace.

As expectations evolve, more private and corporate customers are also holding businesses responsible for the accuracy of their ESG reporting and in safeguarding personal or financial information. Cybersecurity is a vital factor in ensuring that data collected and processed from various sources are reliable and protected. This is especially as data collection is increasingly involving more automated processes.

Today, businesses could also be handling huge amounts of data that may be used to analyse a country’s economic health and condition. Hence, firms can positively or negatively impact society in the ways they asses these risks and respond to them through their cybersecurity strategies. Businesses will be able to hold up against any scrutiny from stakeholders, from investors to customers and even regulators, and be in a stronger position to fulfil their ESG commitments.

As businesses continue to ramp up on their ESG and cybersecurity investments, it may be advantageous to consider how they can bridge stronger links between both aspects to gain a strategic differentiation. However, gaps remain in the market, particularly in the demand and maturity in adopting this approach.

For instance, the use of ESG metrics in financial analysis and valuations remains low, due to a lack of standard methodologies and right expertise.

Given shifting investor demands, businesses may not be able to afford to wait for existing information and skills gaps to close. For a start, businesses could focus on upskilling employees in ESG, including preparing them for reporting on cybersecurity risks and resilience as part of ESG and assessing ESG factors in valuation. Organisations could also look at blending the expertise of their cyber and ESG teams as opposed to current practices where these teams are commonly organised across different reporting lines.

The business landscape is evolving faster than ever. However, what is certain is that having transparency and trust can bring about important competitive advantages.

In a crowded marketplace, organisations can take the first step towards connecting cybersecurity and ESG efforts, as this will help them enhance trust, mitigate risks and unlock greater value and viability.