Virtualization Technology News and Information
ESG: Why it Should Matter to Cybersecurity Leaders

By Brad Hibbert, Chief Strategy Officer and Chief Operating Officer, Prevalent, Inc.

Environmental, social and governance (ESG) matters may seem like foreign concepts to cybersecurity leaders. However, with growing ESG regulatory reporting requirements, especially those covering third-party vendor and supplier relationships, boards of directors will examine ESG with greater focus. Given their role in protecting the company against risk, CISOs should therefore treat ESG as one more risk domain that must align with the company's broader enterprise risk management strategy.

In this article, we examine ESG in greater detail to help improve the security leader's fluency in this critical risk domain. To do this, we look at each ESG domain and identify specific IT-related issues that can be exposed if a third-party vendor or supplier does not demonstrate a commitment to sound ESG practices.

Environmental risks: Supplier resilience and business continuity

The "E" in ESG includes reporting and monitoring of initiatives related to climate change, waste management, pollution, resource use and depletion, and greenhouse gas emissions. In a third-party risk management context, consider a cloud provider with a large data center hosting your systems and data. Sound power consumption and an acceptable carbon footprint mean that the organization is presumably managing its resources wisely and presents less of a disruption or reputational risk. Excessive power consumption or a failure to meet carbon offset goals, however, could force the provider to restructure or relocate its data centers, and the resulting migrations and service disruptions put the availability, and during any migration the confidentiality and integrity, of your systems and data at risk.

Although understanding a third party's carbon footprint or emissions rating can head off potential cost and reputational concerns, the greater issue is understanding how the third-party vendor or supplier is adapting to changing local environmental factors. This is called supplier resilience, and requires enterprises to understand where vendors and suppliers are geographically located and whether they have the backup, recovery, and business continuity procedures in place to mitigate acute environmental challenges.

Several regulations already require, or will require, organizations to report on their third-party vendors' and suppliers' environmental footprint and on the steps being taken to address any concerns. Legislation includes:

  • The German Supply Chain Due Diligence Act: Requires organizations to proactively detect and eliminate forced labor and modern slavery, employee exposure to hazardous waste, and environmental contamination in supply chains. Companies must update their processes for supply chain due diligence and align their activities with the Act's provisions.
  • The US Securities and Exchange Commission (SEC) Proposed ESG Disclosures: Applicable to investment funds, these rules would require them to provide investors with information about which ESG factors and metrics they consider, along with the strategies they use. For example, funds may be required to report the greenhouse gas emission metrics of their portfolios and their annual progress toward their ESG goals.

A third-party vendor or supplier that does not treat environmental factors as important presents not only a reputational risk but a business continuity risk as well.

Social risks: Insider threats

The "S" in ESG is all about how a company impacts society - for example addressing income inequality, lack of diversity, workplace discrimination, and worker protections. Several governments have enacted legislation to enforce labor protections in supply chains, including:

  • The Modern Slavery Act of 2015: Focused on preventing human trafficking, modern slavery, and forced labor in UK supply chains. Organizations are required to annually communicate their practices to ensure that forced labor and other forms of involuntary servitude are not taking place in their businesses or supply chains.
  • The European Corporate Due Diligence Draft Directive: Aimed at promoting transparency and ESG accountability in EU supply chains.
  • The California Transparency in Supply Chains Act: One of the first laws created to enable consumers to hold companies responsible for modern slavery and human trafficking in their supply chains.

Investigators, auditors and journalists have been very active in this area. For example, in 2010, investigations found that Foxconn, a supplier to Apple, Dell, HP and Sony, was using illegal student labor, and substantiated reports of forced overtime and unsafe working conditions.

Similarly, Amnesty International and multiple news organizations reported that cobalt mines in the Democratic Republic of Congo were using child labor. This spurred a lawsuit against Alphabet (Google's parent), Apple, Dell, Microsoft, and Tesla. The lawsuit alleged that the companies were, "knowingly benefiting from and aiding and abetting the cruel and brutal use of young children" in mining a primary element used in the production of lithium-ion batteries.

Although the companies in question were not directly responsible for these crimes, they faced potential monetary penalties and reputational damage stemming from their third-party relationships. Beyond the reputational risk of doing business with an inequitable organization, there is a security dimension: a diverse, well-educated, fairly compensated workforce is more productive and engaged, and is less likely to give rise to insider threats or physical risks such as theft.

Governance risks: Information security and data protection policies

The final ESG domain is governance, defined as the policies, processes and procedures in place to conduct business ethically and to act responsibly and with integrity. Gaining visibility into a third-party vendor's or supplier's internal codes of conduct, anti-bribery and corruption policies, whistleblower procedures, and information security training and enforcement processes can shed light on whether it maintains high security standards, would be transparent in the event of a data breach, and behaves ethically in business transactions.

Legislation in this area includes:

  • U.S. Foreign Corrupt Practices Act (FCPA): Prohibits organizations from bribing or otherwise unduly influencing foreign officials or candidates for office in order to gain or retain business.
  • Bribery Act of 2010 (UK): Corporate offenses can entail serious consequences including debarment from contracts, disqualification of company directors, and asset confiscation.

Third-party vendors and suppliers with strong governance programs invest in the people, processes and technologies necessary to actively defend their organizations against cyber-attacks.

The future of ESG regulations and their impact on cybersecurity leaders

Regulatory requirements and their accompanying best practices can be a forcing function for examining internal policies and procedures. For example, consider how HIPAA has transformed healthcare provider security and data privacy. It could be the same with ESG: a uniform set of policies and reporting requirements would drive organizations to examine the risk that third parties pose to their enterprises. However, with a patchwork of ESG requirements and inconsistent geographic coverage, adoption will be slow. In essence, outside of Europe there is a lot of talk about ESG, but little movement.

We believe that within the next two years, the current state-by-state, industry-by-industry fragmented approach to ESG reporting in the US will give way to more uniform requirements applicable to more industries, in response to ongoing social and climate changes. To accommodate this shift, organizations must understand the impact that a third-party vendor's or supplier's ESG risks have on their businesses. For the security leader, this could mean greater scrutiny of supplier resilience, insider risks, and third-party information security governance programs.



Brad Hibbert 

Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company's acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.

Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.

Published Wednesday, November 23, 2022 7:44 AM by David Marshall