Data Privacy and ESG Risk: 7 Key Questions Every Company Needs to Address

Ivan Rumynin

Senior Analyst, Corporate Solutions

Data privacy and cybersecurity-related issues have become significant drivers of business risk as companies digitize and business models shift toward complex, data-driven products and services. The widespread collection and use of personal data means that data privacy and cybersecurity have become material ESG issues (MEIs) for companies across a broad range of subindustries.

Here is a list of seven questions every organization should address to effectively manage data privacy and cybersecurity-related ESG issues.

Question One: Digitization is one of the key drivers of the transition to a greener economy. How can my company balance digitization with data privacy and cybersecurity risks?

For most companies, management of cybersecurity as a MEI involves strong performance across three key elements:

Data privacy and security policy: A company’s public-facing statement which signals its high-level commitments to privacy and cybersecurity.
Data privacy program: Provides evidence that a company has implemented controls that reflect applicable privacy laws, regulations, and industry standards.
Cybersecurity program: Provides evidence that a company has implemented industry-standard security safeguards to mitigate the risk of incidents and breaches.

Best practice dictates that organizations looking to build robust cybersecurity programs should align with the standards outlined in ISO/IEC 27001, which provides requirements for an information security management system. For some companies, such as telecoms, banks, and tech companies, a robust data request management program is also considered best practice for dealing with government data requests.

Question Two: How can my company act now to position privacy as an ESG priority?

Companies can take immediate action on ESG issues related to cybersecurity by setting a few achievable short-term goals related to employee training and governance.

Where cybersecurity is concerned, a company’s employees are both one if its greatest assets and one of its greatest vulnerabilities. One study showed that 82% of breaches in 2021 involved “the human element” such as stolen credentials, employees falling victim to phishing, and misuse errors. With that in mind, one step companies can take to make cybersecurity an ESG priority is to educate employees at all levels of the firm about common risks and how to report them, as well as conduct ongoing awareness exercises to maintain vigilance.

In addition to employee training, companies should also focus on developing and implementing

governance structures for data privacy and cybersecurity, creating the necessary policies and structures for data subjects, and conducting risk assessments.

These assessments should continuously review, document, assess, and mitigate the company’s risks related to privacy policies, contractual privacy obligations, dataflows within the organization, potential threats and vulnerabilities, and safeguards for data and organizational protection.

Question Three: What key questions should our leadership be asking about our organization’s cybersecurity?

Cybersecurity is ranked as the top threat to growth by global CEOs,¹ yet many organizations still aren’t sure how to manage this MEI in a world of rapidly evolving technology. Corporate leaders should start by asking questions related to their organization’s exposure to threats, governance practices, and plans in the event of a breach or other cybersecurity incident. Below is a short list of questions as a starting point.

Exposure to Threats

Questions related to vulnerability might include, “How exposed is our organization to cybersecurity threats? Where are our key weak points? And which of our peers have had incidents related to data privacy and cybersecurity, and what was the impact?” The answer to these questions will vary by business model, sector, and region.

Governance Practices

Where governance is concerned, corporate leaders should ask questions such as, “How does our data program and cybersecurity program implement best practices? What is our leadership’s role in the event of an incident?” As outlined in question four below, governance plays a significant role in the management of cybersecurity as an MEI, and leaders should aim to create a culture of data privacy and protection.

Incident Response

With cybersecurity and data privacy threats only continuing to grow in number and complexity, corporate leaders cannot afford to ignore implementing a pre-emptive response plan. Some key questions to ask include, “What are our business recovery plans in the event of a cyber incident? And what are the layers of protection we have put in place?”

Question Four: What is the role of corporate governance in managing cybersecurity risks?

Fostering a culture of data privacy and protection means building strong cybersecurity and cyber resilience programs from the top. Companies following best practices will establish a dedicated role for assuming responsibility for privacy issues and cybersecurity. The role should be at the C-level or someone directly reporting to a C-level executive, such as a chief privacy officer or chief information security officer.

It is important for boards of directors and senior management to understand technology, develop a practical knowledge of cybersecurity best practices, and act as leaders in supporting and advocating privacy and cybersecurity risk management. Additionally, they need to understand how the cybersecurity strategy of the firm fits into its overall business risk management.

Furthermore, corporate leadership needs to ensure that their employees are empowered to spot and respond to cybersecurity threats. This involves establishing a formal process for reporting incidents, developing a robust response plan, and ensuring employees at all levels understand how breaches will be dealt with.

Question Five: What are some key elements of effective privacy, data and cybersecurity policies and programs?

As outlined in question one, effective management of cybersecurity and data privacy issues consists of a strong data privacy and security policy, data privacy program, and cybersecurity program.

Data Privacy and Security Policy

An effective data privacy and security policy demonstrates a commitment to notify data subjects in a timely manner when there has been a data breach or policy change. Collection and processing of user data should be limited to the stated purpose, and there should be clear terms involving the collection, use, sharing, and retention of user data. Corporate leaders should ensure their data privacy and security policies also demonstrate a commitment to implementing the latest data protection standards, obtaining user data only through lawful and transparent means, and ensuring third parties with whom data is shared comply with the company’s policy.

Data Privacy Program

A robust data privacy program should implement governance structures for privacy management, regular employee training on data privacy management, and clear and accessible mechanisms for data subjects to raise concerns about data privacy. This includes implementing mechanisms that allow data subjects to access their accounts and erase, rectify, complete or amend personal information. Additionally, all data privacy programs should include regular privacy risk assessments or audits on your company’s technologies and practices affecting user data.

Cybersecurity Program

Aside from aligning with the standards outlined in ISO/IEC 27001 as mentioned in question one, strong cybersecurity programs should include governance structures for cybersecurity management and operational measures to monitor and respond to data breaches and cyberattacks. These elements should be subject to regular internal and external security audits, assessments, and penetration testing. Additionally, all employees should receive regular training on cybersecurity issues.

Question Six: What are the long-term risks of a data privacy breach or cyberattack and how can my company recover after experiencing one?

A growing number of companies are acknowledging that they will inevitably experience cyberattacks, whether directly to their own data infrastructure or through their supply chains.

As with other controversies, risks from data breaches and cybersecurity incidences range from operational and business interruptions to reputational damage and legal ramifications. Recovery usually takes time and requires investing resources into the policies and programs outlined in question five. Organizations that prioritize creating this essential infrastructure will be able to more effectively manage the fallout from heightened cybersecurity and data privacy risks.

Question Seven: How does cybersecurity impact my ESG risk profile?

In general, Morningstar Sustainalytics considers approximately 20% of the risks related to cybersecurity to be unmanageable, due to the fact that part of the risk pertains to actions taken by individuals external to the company, such as hackers.

chart showing the unmanaged esk risk related to data privacy and security by industry Source: Morningstar Sustainalytics. Data as of January 26, 2022. For informational purposes only.

Some industries, such as banking, have a heightened risk to cybersecurity threats. Companies operating in such industries will be given a higher default exposure score which will be added to their ESG Risk Rating assessment.

Some organizations will have their exposure scores raised above default levels for their industry due to operational factors, such as processing a large volume of personally identifiable information (e.g., mobile gaming companies), high levels of revenue generated from user data monetization (e.g., social media companies), or processing financial transactions (e.g., credit card companies). For certain industries that have few risk areas or MEIs, such as commercial services or banks, cybersecurity becomes very important and makes up a large portion of their risk assessment.

Interested in learning more about the management practices companies can use to address ESG risks related to data privacy and cybersecurity? Download our recent ebook, Data Privacy, Cybersecurity and ESG: Managing Risks in a Changing Business Environment, or learn from our experts about the ESG ecosystem.

References

^{1 PwC. 2022. "PwC's 25th Annual global CEO Survey." https://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2022.html}

Recent Content

Biodiversity is the foundation of our natural capital and at risk from business activities. However, while there is regulatory and market momentum to mitigate biodiversity loss, businesses are generally not acknowledging or addressing the risks.

Risk and Opportunity in Biodiversity: How Sustainable Finance Can Help

This article outlines how biodiversity loss poses material risks to business and how it connects to many other issues that companies can’t ignore. In addition, it covers how biodiversity conservation presents substantial economic opportunities, and how businesses can address and access these opportunities by issuing linked instruments that integrate biodiversity considerations.

Today’s Sustainable Bond Market: Boosting Confidence in Sustainable Bond Issuances

In this article, we examine the kinds of sustainable bonds offered in the market, some of the key regulations being developed in different markets and the current initiatives to improve the quality and credibility of issuances.

Morningstar Sustainalytics’ 2nd Annual Global Survey of CSR and Sustainability Professionals

We invite corporate social responsibility and sustainability professionals around the world to participate in the second edition of the Morningstar Sustainalytics Corporate ESG Survey.

Webinar Recap: How Integrating ESG Can Drive Opportunity for Private Companies

Recently, Morningstar Sustainalytics hosted a webinar – ESG in the Lifecycle of a Private Company: How Stakeholder Demands Drive Sustainability in Private Markets – to address some of the questions private companies might have surrounding ESG and how it could impact their business.