Environmental, Social & Governance (ESG)
Cybersecurity & Privacy Implications For ESG
Environmental, Social & Governance (ESG) criteria are considerations of interest for "social responsibility" at the corporate level. ESG is traditionally used to screen potential investments as a way to support and maintain ethical conduct across organizations. However, with the evolving landscape of statutory, regulatory and contractual obligations, the SCF identified two significant points of intersection between the SCF's security and privacy controls and the "social" component of ESG factors:
Data protection / privacy; and
The social criteria component of ESG takes into account the human factor at the individual level, as well as what occurs within those organizations as part of normal business operations. This is where cybersecurity and privacy intersect with the social criteria of the ESG model, given the real-world ramifications of access to sensitive data and critical systems.
ESG is inextricably intertwined with cybersecurity and privacy practices, since these functions have the ability to directly affect individuals, organizations, governments and society as a whole. Therefore, IT/cyber/privacy operations cannot merely “check the box” by providing access or data without understanding the real-world ramifications of complying with a law, regulation or contractual obligation. How an organization responds to potentially hostile compliance requirements will determine its genuine adherence to ESG principles for corporate responsibility, since non-compliance might be the morally-correct path for an organization to take.
Sham Practices - Beware of "Garbage In Garbage Out" ESG
Fraud Magazine has a good article on concerns related to abusing ESG principles that is well worth reading. There are sham ESG practices intended to make an organization look better than it is, such as buying carbon credits to offset manufacturing practices. However, on the cybersecurity and privacy side, an organization cannot make up for its own bad cybersecurity and privacy practices by buying goodwill from another organization that implements responsible cybersecurity and privacy practices. This means organizations need to step up and actually do what they should be doing to earn a good "social" rating, in the scope of ESG compliance.
SCF Controls For ESG
In 2021, the SCF added five (5) ESG-specific controls that were intended to identify potentially harmful compliance requirements that have profound, life-changing implications and to elevate those issues away from cybersecurity and privacy practitioners by directing them to the organization’s executive leadership to address the moral and legal ramifications of such actions. The implications include, but are not limited to:
Foreign government espionage
Intellectual property theft
Human rights abuses
These controls focus on bad corporate practices that organizations agree to in order to gain market access:
GOV-12: Forced Technology Transfer
Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property) to the host government for purposes of market access or market management practices.
GOV-13: State-Sponsored Espionage
Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.
CPL-06: Government Surveillance
Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
DCH-26: Data Localization
Mechanisms exist to constrain the impact of "digital sovereignty laws" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
PRI-16: Potential Human Rights Abuses
Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.
Integrated Controls Management (ICM) Approach To ESG
There are no "cookie cutter" controls that specifically apply for ESG, since every organization is unique. Therefore, when trying to figure out "how to do ESG" from a practical approach, it is recommended to look at it through an Integrated Controls Management (ICM) perspective. ICM specifically focuses on the need to understand and clarify the difference between "compliant" and "secure", since that is necessary to have coherent risk management discussions.
To assist in this process, ICM helps an organization categorize its applicable controls according to “must have” vs “nice to have” requirements:
Minimum Compliance Criteria (MCC) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCC, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.
Secure and compliant operations exist when both MCC and DSR are implemented and properly governed:
MCC are primarily externally-influenced, based on industry, government, state and local regulations. MCC should never imply adequacy for secure practices and data protection, since they are merely compliance-related.
DSR are primarily internally-influenced, based on the organization’s respective industry and risk tolerance. While MCC establish the foundational floor that must be adhered to, DSR are where organizations often achieve improved efficiency, automation and enhanced security.