How cyber relates to responsible investing in ESG programmes

April 2022  |  SPOTLIGHT | FINANCE & INVESTMENT

Financier Worldwide Magazine

April 2022 Issue


With the rise of the conscientious investor came the rise of environmental, social and governance (ESG) reporting. This investment strategy seeks to consider a company’s wider societal impacts, beyond merely its stock price, in determining appropriate investment opportunities.

But there is a new factor to this analysis that has recently come to the forefront: cyber security. New technologies that utilise various personal data and rely on various cyber security safeguards, such as advertising tactics and even blockchain technologies, have flourished in recent years. As a result, a company’s cyber security posture and data privacy practices are a more important consideration for investors and are factoring into investment strategies, as well as a company’s own development goals, evidenced by the increased presence of cyber- and privacy-related topics in companies’ ESG reporting. But how does cyber security fit within the traditional ESG elements?

Environmental

While cyber security may not, at first glance, seem particularly relevant to a company’s environmental footprint or environmental sustainability efforts, the coronavirus (COVID-19) pandemic has caused these two issues to become more closely intertwined than ever before.

Fewer workers in the office translates to less energy consumption and less commuting translates to fewer emissions. However, while remote working strategies have allowed some companies to reduce operating expenses, employees are still active and have shifted their energy use from the office to their homes. In addition, companies have had to fortify and expand their cyber security infrastructure to facilitate working from home. Establishing and running cloud-computing infrastructure, as well as other data-focused equipment, such as data centres and data storage facilities, are notoriously energy-hungry.

Social

The social aspects of ESG cover a broad range of behaviours, but primarily relate to how a company interacts, externally, with the public and the relationships it establishes between not only itself and its customers but also its employees. For example, a company’s support of LGBTQ+ rights, ethical production practices and philanthropic projects will all have an impact on a company’s social score.

In addition to these factors, companies’ use of the data they acquire, whether that data be from their customers, employees, service providers or any other source, is rapidly becoming a major factor in the analysis of a conscientious investor. As people become more conscious of their own personal data, as well as the uses to which that data is being put, they have become increasingly aware of, and in some cases critical of, companies that use their data improperly. We can see this trend in the increasing amount of criticism levied against data-harvesting practices.

This trend is also increasingly being recognised by governments, as data privacy legislation surfaces in states and countries across the globe. Beginning with the General Data Protection Regulation (GDPR) in the European Union (EU) and then the passage of the California Consumer Privacy Act (CCPA) in California, governments have begun to take a firmer stance against the limitless collection and use of personal data. These pieces of legislation presaged a bundle of new data privacy laws in 2021. Within the US, Colorado, Nevada and Virginia all passed data privacy legislation reminiscent of the CCPA, and California passed an update act, the California Privacy Rights Act (CPRA), which is set to go into effect in January 2023. In addition, China’s newest regulation, the Personal Information Protection Law, came into effect on 1 November 2021, while India is in the process of drafting its own data protection law, which is expected to be voted on in early 2022.

At least one trend is apparent from these developments: consumers are becoming increasingly aware of how their data is used. So, when considering data in an ESG context, it is unsurprising that consumers are looking to not only the types of data that are being collected, but also the purpose of that collection. As a result, investors are becoming increasingly suspicious of data practices that may alienate the public and risk the ire of government regulators.

Of the traditional ESG pillars, privacy intersects the most with social metrics, since data processing is at least a source of income for many companies, if not one of their primary sources. Companies may face growing social pressure to modernise and create transparent data use and protection practices, if only so that they do not miss out on this potent revenue stream. Of course, this is not to say that companies cannot ethically collect, process and share the data of their customers. Rather, ESG investing is placing a greater emphasis on the proper and compliant treatment of personal data to attract investors.

Governance

There is more to cyber security than merely the collection and use of personal information. Cyber security (as opposed to data privacy) relates to a company’s own infrastructure, both in how it protects the personal information in its possession, as well as how it defends against hostile actors.

Cyber security in its truest form usually falls within the governance metric because it requires a united strategy and internal consistency that extends throughout the organisation, and which is practised from the top levels of leadership down to entry-level positions. Such a strategy requires an understanding of the risks, as well as the infrastructure’s role in a company’s overall business goals.

The company (and its governance organisation) must understand the true risks it faces before an appropriate strategy can be implemented. But these risks, especially in the modern digital economy, are ever changing and require a leadership that can learn and adjust to these changes. It was not long ago that large technology companies were seen to be at greatest risk of a cyber incident, due not only to the value of the data they held but also to the prestige of hacking the biggest names in the tech world. However, in recent years, cyber criminals have shifted to medium-sized businesses, whose cyber security infrastructure may be easier to infiltrate than that of larger, better prepared targets. If a company’s governance cannot appropriately recognise and respond to these risks, either because it does not understand the threat or because it underestimates it, the company may be left exposed.

Moreover, leadership must also understand cyber security enough to implement policies that can provide an actual benefit. Buzzwords abound in the modern digital economy, with managers and even chief executives hounded by various terms that provide the potential for great gains but which may actually provide little benefit. These terms, like ‘blockchain’ or ‘the cloud’, or even more recently ‘crypto’ and ‘NFTs’, are thrown around as the natural evolution of various companies. But while they certainly offer some benefits (to the right companies), they incur significant costs and require considerable investment. Even when implemented correctly, these technologies might provide little benefit to those companies whose business does not really relate to them in any meaningful way.

It takes strong leadership and well-informed governance to resist the urge to implement the most recent trend, yet such choices, when supported by consistent logic, can provide investors with confidence in a company’s governance and improve its overall ESG score.

Conclusion

Whether considered alone or as part of the larger ESG framework, cyber issues are becoming an increasingly important consideration for investors and companies. Companies must embrace this topic and understand its influence on all aspects of their business models. Where a company cannot inspire confidence in the public, including investors, in these ever-changing areas, few conscientious investors may be willing to take a risk. But by understanding these issues, and not merely bowing to popular trends, a company can show these investors that it is not only a safe but also a wise investment.

 

Matthew Baker is a partner and Nick Palmieri is an associate at Baker Botts. Mr Baker can be contacted on +1 (415) 291 6213 or by email: matthew.baker@bakerbotts.com. Mr Palmieri can be contacted on +1 (212) 408 2640 or by email: nick.palmieri@bakerbotts.com.

© Financier Worldwide

