Environmental, Social & Governance (ESG)
Beware of "Garbage In Garbage Out" ESG Practices
Environmental, Social & Governance (ESG) is a concept that is easily abused, where ESG is only as good as the leadership team involved in enforcing those self-imposed mandates to be a good corporate citizen. Any critical review of an ESG program should evaluate exceptions management practices to determine if ESG is merely "virtue signaling" to promote the organization through fraudulent marketing purposes or if the organization is willing to operationalize difficult decisions that could lead to lost profits in the pursuit of being a good corporate citizen.
Fraud Magazine has a good article on concerns related to abusing ESG principles that is well worth reading. The very real existence of sham practices associated with ESG puts the entire concept of ESG on shaky ground, such as making an organization look better than it is through the purchase of carbon credits to offset manufacturing practices or selectively enforcing prohibitions on choosing supply chain partners (e.g., Uyghur forced labor).
On the cybersecurity and privacy side of ESG, unlike buying carbon credits, an organization cannot make up for its own lacking cybersecurity and privacy practices by buying goodwill from another organization that implements its own responsible cybersecurity and privacy practices. This means organizations need to step up and actually do what they should be doing to earn a good "social" rating, in the scope of ESG compliance. In cybersecurity, "a standard is a standard for a reason" and that concept needs to be enforced, even if it means making difficult choices that could negatively affect profits. Without that intestinal fortitude by an organization's leadership, ESG is not only meaningless, but fundamentally dishonest and indicate fraudulent business practices that are driven from the highest levels of the organization's leadership team.
Cybersecurity & Privacy Implications For ESG
ESG criteria are considerations of interest for "social responsibility" at the corporate level. ESG is traditionally used to screen potential investments as a way to support and maintain ethical conduct across organizations. However, with the evolving landscape of statutory, regulatory and contractual obligations, the SCF identified two significant points of intersection between the SCF's security and privacy controls with the "social" component of ESG factors:
Data protection / privacy; and
The social criteria component of ESG takes into account the human factor at the individual level, as well as what occurs within those organizations as part of normal business operations. This is where cybersecurity and privacy come into play with the social criteria of the ESG model with the real-world ramifications associated with access to sensitive data and critical systems.
ESG is inexplicitly intertwined with cybersecurity and privacy practices, since these functions have the ability to directly affect individuals, organizations, governments and society as a whole. Therefore, IT/cyber/privacy operations cannot merely “check the box” by providing access or data without understanding the real-world ramifications associated with compliance with a law, regulation or contractual obligation. How an organization responds to potentially hostile compliance requirements will determine its genuine adherence to ESG principles for corporate responsibility, since non-compliance might be the morally-correct path for an organization to take.
SCF Controls For ESG
In 2021, the SCF added five (5) ESG-specific controls that were intended to identify potentially harmful compliance requirements that have profound, life changing implications and elevate those away from cybersecurity and privacy practitioners by directing those issues to the organization’s executive leadership to address the moral and legal ramifications of such actions. The implications include, but are not limited to:
Foreign government espionage
Intellectual property theft
Human rights abuses
These controls focus on bad corporate practices that organizations agree to in order to gain market access:
GOV-12: Forced Technology Transfer
Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property) to the host government for purposes of market access or market management practices.
GOV-13: State-Sponsored Espionage
Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.
CPL-06: Government Surveillance
Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications, services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
DCH-26: Data Localization
Mechanisms exist to constrain the impact of "digital sovereignty laws," that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
PRI-16: Potential Human Rights Abuses
Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.
Integrated Controls Management (ICM) Approach To ESG
There are no "cookie cutter" controls that specifically apply for ESG, since every organization is unique. Therefore, when trying to figure "how to do ESG" from a practical approach, it is recommended to look at it through an Integrated Controls Management (ICM) perspective. ICM specifically focuses on the need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions.
To assist in this process, ICM helps an organization categorize its applicable controls according to
“must have” vs “nice to have” requirements:
Minimum Compliance Criteria (MCC) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCC, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.
Secure and compliant operations exist when both MCC and DSR are implemented and properly governed:
MCC are primarily externally-influenced, based on industry, government, state and local regulations. MCC should never imply adequacy for secure practices and data protection, since they are merely compliance-related.
DSR are primarily internally-influenced, based on the organization’s respective industry and risk tolerance. While MCC establish the foundational floor that must be adhered to, DSR are where organizations often achieve improved efficiency, automation and enhanced security.
You can read more about ICM by downloading this overview document: