January 31, 2022
Environmental, social, and governance (ESG) factors are increasingly a key area of focus for investors and stakeholders. Businesses today are expected to have policies and strategies focused on long-term value creation and to give greater visibility into a broad range of topics outside of traditional financial metrics, allowing stakeholders to better understand a company’s ESG risks and growth opportunities.
The focus on ESG includes holding companies accountable for how they manage cybersecurity risk and protect consumer data. Cyberattacks and data theft are among the leading threats to businesses, risking long-term financial, legal, and reputational harm to the company. The impact these threats can have on customer privacy makes data privacy and security a human rights issue that falls squarely within the “Social” category. Additionally, existing regulatory requirements and security directives focused on how a company manages these risks and disclosures about them make data privacy and security a highly topical “Governance” factor as well.
Shareholders and consumers must be able to evaluate the controls and processes a corporation maintains on a variety of privacy and cyber topics in order to assess a company’s ESG risk. We explain below five best practices that shareholders, customers, and ESG rating agencies focus on when assessing a company’s ESG fitness as it relates to data privacy and security, and the steps companies can take now to improve their compliance posture in this important area.
Transparency in how companies collect, protect, and use data can help address ESG concerns. To meet shareholder and other stakeholder expectations, companies should evaluate the amount and quality of their disclosures addressing data privacy and security risk and governance. This includes providing shareholders with more information about a company’s data privacy and security governance mechanisms, policies, and processes. For example, proxy advisor Institutional Shareholder Services (“ISS”) grades company ESG programs, in part, on whether a company discloses things like the net expenses incurred from information security breaches, the length of time since the last information security breach, the use of cyber insurance, certification to certain information security standards, and the prevalence of information security training. It also considers governance factors like how often the board is briefed on information security issues and how many directors with experience in information security sit on the board.
Given this interest in information security disclosure, companies should consider whether it is appropriate to further communicate how data privacy and security issues are addressed by management and to disclose more about the extent and nature of board oversight of cybersecurity risk. In addition to the sorts of topics of interest to ISS, ESG disclosures may also include topics like the nature and extent of access to consumer information by law enforcement, if any, and a description of the company’s approach to behavioral advertising and user privacy.
Companies also need to balance the advantages of disclosure against other concerns, however, including the protection of their trade secrets and maintaining needed flexibility in company processes.
The Securities and Exchange Commission and others have expressed heightened interest in the accuracy and completeness of disclosures. The SEC also has proposed rules that would require companies to disclose information on cybersecurity incidents and related policies and procedures.
Companies also need to be mindful of creating and following rigorous disclosure controls and procedures. The appropriate level of disclosure will vary by company, depending on its risk profile and internal needs.
How to get started:
Evaluate your current level of communication with both stakeholders and customers regarding privacy and cyber topics and determine if there is more that could be appropriately disclosed in line with ESG best practices.
To the extent they do not already, companies should implement deliberate monitoring processes and policies that address each phase of the data lifecycle, including data collection, data processing and storage, data aggregation and analytics, and data usage, so that each phase can be the subject of additional disclosures where appropriate.
As the international patchwork of laws and regulations regarding data privacy and security continues to emerge and evolve, companies must stay abreast of new compliance requirements and adapt their policies accordingly.
Companies should also consider their use of third-party cybersecurity standards, such as the ISO/IEC 27000-series or the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity.” Use of these standards can not only help manage information security risks, but also present opportunities for additional disclosure to address shareholder and stakeholder expectations.
How to get started:
On the privacy side, at a minimum, ensure you have a public-facing privacy policy that covers the full range of your data collection and use. On the security side, establish a comprehensive written information security program and an incident management plan (including disaster recovery and business continuity). Reconsider your use of third-party cybersecurity standards.
Actions to mitigate information security risks should include regular inspections and audits of privacy and cybersecurity policies and systems both internally and with business partners, vendors, and suppliers. Data breaches are not limited to company systems—they can also be the result of security weakness in the systems of business partners, vendors, and suppliers. For this reason, companies need to conduct data security audits across their value chain.
It is important that companies provide training on privacy and cybersecurity requirements to all employees and make sure that participation is documented. By making employees aware of security threats and training them on procedures to follow when a threat is identified, companies strengthen their protection against cybersecurity threats.
Audits and trainings can also form the basis for ESG disclosures that address shareholder and other stakeholder interests.
How to get started:
Create a regular schedule to conduct audits on your data privacy and security policies and systems. Continually monitor the information security policies of your business partners, vendors, and suppliers. Assess your employees’ understanding of company data security processes and policies. Determine if there are gaps in their understanding and start to develop ways to improve current trainings and mitigate risk internally.
A company’s board needs to be apprised of and have oversight over the company’s data privacy and security strategy. There are many methods boards can employ to provide this oversight. Many companies delegate information security oversight to the audit committee or to other committees tasked more specifically with oversight of ESG or technology. Charters should clearly reflect this responsibility.
All companies should be asking themselves if, in addition to committee oversight, there should be a regular cadence of full board review of information security issues or if the existing full board review cadence is appropriate to the company’s risk and opportunity profile. Companies should also make sure the relevant committee and the board are receiving the information they need to effectively oversee information security issues, and then make adjustments where needed.
In addition, boards should consider where there is a need for directors with experience in information security (for instance, chief technology officers) on their boards and whether that skill set should be a focus of future board recruiting and/or disclosed as part of the director skill matrix.
How to get started:
Address your board’s involvement with the company’s data security strategy, assess if larger organizational opportunities exist to improve board and committee oversight of information security issues, and increase board expertise in data privacy and security.
Data and security breaches can happen to even the most prepared and well-fortified companies. If and when breaches occur, companies should follow a well-considered and documented process for determining when and how to disclose information about those incidents. Senior company decision-makers ought to be involved in determining whether, and how, to disclose significant incidents. Disclosures may include such information as the total number of substantiated complaints received concerning breaches and the total number of identified leaks, thefts, or losses of customer data. Consider disclosing the existence of this process, and some of its high-level features, to address the interests of shareholders and other stakeholders.
How to get started:
Create a thoughtful and well-documented disclosure controls process addressing both emergency incidents and nonurgent complaints that includes leaders with an appropriate level of seniority. Consider what disclosure may be appropriate about the company’s process.
This article was updated in September 2022.