ESG and Cybersecurity Compliance Are Every Employee’s Concern
The following opinion piece was written by Wharton legal studies and business ethics lecturer Leeza Garber, Esq., and Allison Jegla, global director of impact at 100 Women in Finance.
In late spring 2022, the Securities and Exchange Commission (SEC) charged an elite investment adviser for “misstatements and omissions” about Environmental, Social, and Governance (ESG) considerations related to its managed mutual funds. This same financial firm has also faced myriad cybersecurity problems over the past fifteen years, including a data breach and deficient cybersecurity practices. It’s not a unique scenario: companies large and small, public and private, are facing increased challenges in managing the requirements and responsibilities of ESG and cybersecurity. Both fields, besides maintaining a stronghold on news headlines and cutting-edge tech entrepreneurs, demand not just constant attention, but also transparency. As various federal agencies have demonstrated, audits and investigations will determine when quality reviews and compliance certifications are not accurate. Every level, from the C-Suite to the new entry hire, must be trained on ESG and cybersecurity as relevant to their work roles. Furthermore, corporate culture should strive to maintain awareness of the significance of ESG and cybersecurity: two buzzy sectors that cut across all work departments.
ESG refers to three types of factors: environmental (having to do with the natural world), social (pertaining to the lives of humans), and governance (involving countries, jurisdictions, or broad stakeholder groups). The concept evolved from John Elkington’s 1994 “triple bottom line” approach that recognized the importance of the three elements in generating sustainable financial returns in the world of investing. ESG is becoming increasingly significant within the world of finance and beyond, due in large part to pressure from clients and individuals who emphasize a desire for responsible investing.
With increased global attention comes an increased need for regulatory and compliance bodies to help prevent issues like greenwashing: the misrepresentation about how firms have assessed ESG elements in their business practices and investments. In 2021, the SEC organized its ESG task force to identify such misconduct. Firms accused or found guilty of misrepresenting the rigor of their ESG analyses have suffered the consequences: fines, falling share prices, and reputational damage from investors and prospective applicants (largely millennials and Gen Z) that have lost patience with previous generations’ laissez-faire approach to sustainability. To complicate things even further, there are very few clear guidelines about ESG standards in the United States, as legislation is being proposed and adopted in a piecemeal fashion. For example, Maine recently shifted the responsibility of non-recyclable material disposal onto the producing entity (environmental), California updated garment workers’ wage requirements to hourly from the antiquated piece-rate system (social), and the SEC has proposed new standards related to reporting on “funds’ and advisers’ incorporation of [ESG] factors.”
Cybersecurity, with a bit more history than ESG, has steadily climbed as a corporate necessity. Making cybersecurity a priority can be used for great PR (read: Apple’s privacy-centric ad spots), while any failings can simultaneously wreak brand chaos (read: Apple’s latest zero-day bugs). Legislation surrounding cybersecurity continues to evolve, just as with ESG; the Federal Trade Commission fights to keep companies honest in its enforcement role related to privacy policies, cybersecurity practices, and the like, just as other federal agencies uphold the sanctity of healthcare and finance data protections.
Still, despite recent state-level amendments across the country that heighten consumer cybersecurity protections, and the passage of the Strengthening American Cybersecurity Act of 2022, increased awareness across all sectors is necessary for true compliance. In fact, depending on the type of organization, certain pointed job roles must be created and staffed to even begin the process of cybersecurity compliance. Government agencies must adhere to relevant National Institute of Standards and Technology (NIST) requisites, which include designating and/or hiring certain employees for cybersecurity-specific roles; the Department of Labor set forth new cybersecurity best practice requirements for ERISA plan fiduciaries; and the FTC required the designation of a “qualified individual” at all covered financial institutions to oversee and report on in-house infosec programs.
Rising to the Challenge
For the rapidly changing worlds of both cybersecurity and ESG, past performance cannot be considered an indicator of future success. Instead, companies need to train up existing employees, hire new talent, and bring in external consultants to develop and vet their plans for both regulatory compliance and how to showcase that hard work. New hires and specific employee designations are only one piece of achieving legal compliance (and, of course, great PR). Thoughtful training and ongoing awareness maintenance are key here as well. In cybersecurity, an organization is only as strong as its weakest link; in ESG, employees with multifaceted skill sets (namely, strategic plan evaluation and the ability to analyze both qualitative and quantitative inputs) will be the ones who drive value in meeting the demands of this multifaceted acronym. The best training and awareness programs not only account for legal obligations, but also consider employees’ specific responsibilities and how everyone interacts with the cybersecurity and ESG sectors in differing ways.
Dynamic workshops, lecture sessions, and specialized training are solid paths to showcase compliance in both cybersecurity and ESG. However, without insight regarding what every work role handles and how it evolves, leadership cannot tailor the training to meet actual need. An analysis of newly expanded job descriptions, completely new roles, and external consultants will inform how each employee (or at least each type of employee) handles cybersecurity concerns and ESG deliverables. The in-the-weeds IT employee who handles firewall configuration will not only appreciate all cybersecurity best practices, but will also understand ESG goals such that any new tech being evaluated for implementation will also be reviewed for environmental gains or losses. The human resources manager will not only be thoroughly trained in the “S” of ESG compliance, but will appreciate how candidate and employee data is secured when personal information is entered into any system. And the sales specialist is trained in a bird’s-eye view of both the cybersecurity and ESG-centric practices the organization has put in place, so as to sell its forward-looking values to potential clients. This type of analysis will also illustrate to auditors that an organization has thoughtfully and thoroughly prioritized both cybersecurity and ESG.
Both ESG and cybersecurity are broad concepts that encompass a variety of factors across sectors. Furthermore, both represent significant collections of requirements by which companies, and government agencies, will be evaluated. All signs point to the future of the American workforce requiring cybersecurity and ESG overlays on top of most corporate roles. Common drivers, including legislation, international adoption, and social pressure, prove that secure and responsible systems (factoring in both cybersecurity and ESG concerns) are no longer simply nice-to-have elements in the 21st century. Companies that anticipate and prepare for the escalating essential nature of cybersecurity and ESG will find themselves standing out among a sea of business-as-usual peers.
Source: CPA Letter, AICPA & CIMA, 10/5/2022 and Knowledge@Wharton, 10/4/2022