Does a Poor ESG, Social Responsibility Rating Affect Cyber Risk? – The National Law Review

Friday, January 7, 2022

With ransomware and other cyber threats top of mind for most in the c-suite these days, a question frequently raised is whether a particular organization is a target for hackers. Of course, nowadays, any organization is at risk of an attack, but the question is whether some organizations are targeted more than others. A recent Insurance Journal article discusses a paper published in September 2021 that identifies a factor that could elevate the risk of being targeted, a factor many in cyber might not have expected, “greenwashing.”

Around this time of year, many offering commentary on cybersecurity issues (including us!) postulate on what lies ahead for the year, trends to watch, and emerging risks. For example, Embroker Insurance Services published comprehensive report in December 2021, outlining a wealth of cyberattack statistics and trends, including a view on the types of organizations most vulnerable to cyberattacks:

Banks and financial institutions

Healthcare institutions

Corporations

Higher education

It is not difficult to see why entities in these industries (and others) are thought of most frequently. They typically have thousands, sometimes millions of customers, many locations, hundreds of employees, and lots and lots of personal information. They maintain increasingly complex information systems amid an ever-expanding regulatory environment, sometimes without commensurate budgetary support.

However, according to the University of Delaware paper cited by the Insurance Journal, an organization’s “corporate social performance” or “CSP” can affect its likelihood of being subject to a cyberattack. Specifically, according to the paper, organizations that have CSP strengths outside of their core business with a less than stellar record in other areas are at increased risk of a data breach.

“The increased likelihood of breach for firms with seemingly disingenuous CSP records suggests that perceived “greenwashing” efforts that attempt to mask poor social performance make firms attractive targets for security exploitation.

An organization’s CSP, as measured by its environmental, social and corporate governance (ESG) rating, is an emerging metric for evaluating organizations, even if its impact on corporate financial performance (CFP) remains unclear. For example, a proposed rule issued in October 2021 by the Department of Labor would help pave the way for increased consideration of ESG factors by plan fiduciaries when selecting investment options for retirement plan assets.

The greater attention to CSP and ESG shared by many, however, evidently may include a segment of people willing to take more extreme measures to achieve their goals. In 2008, according to reports, fires that severely damaged at least five luxury homes in a Seattle suburb were suspected to have been started by “ecoterrorists,” angry that developers marketed the subdivision as “built green.” This is not unlike the motive identified by the Univ. of Del. paper for launching cyberattacks against certain organizations – that is, stopping organizations from using ESG to appeal to customers without also making meaningful changes to core business practices.

Of course, it is not clear whether the paper has captured what motivates cyberattacks more often than not, or whether in fact organizations engaged in greenwashing are being targeted at a higher rate than others, if they at “targeted” at all. At the same time, it is certainly not unprecedented for individuals to take extreme measures to advance their desires for social, environment, and other changes. Either way, organizations should be considering all potential risks and appropriately weighing them when developing their information security policies, incident response plans, and other safeguards for protecting systems and information.