The integration of corporations’ environmental, social, and governance (ESG) practices in investment decisions has transformed financial markets over the past two decades. Global ESG assets could exceed $50 trillion by 2025, one-third of anticipated total assets under management, according to Bloomberg Intelligence. Credible information for investors is the holy grail for ESG proponents, who often contend that responsible companies are less likely to risk reputational loss, lawsuits, and regulatory fines, all of which are important to investors.
Until recently, digital responsibility was alien to ESG communication, marginal in comparison with familiar corporate responsibility topics such as greenhouse gas emissions, anti-bribery practices, or child labor. But since the 2010s, digital issues such as cybersecurity, privacy, data protection, and content moderation have taken hold in ESG communication, partly as a result of mutual pressure among companies, NGOs, standard-setting bodies, governments, and other stakeholders. This shift makes sense, since these digital issues often present harms or externalities to communities and society that fall outside traditional financial accounting, yet fall within new forms of social accounting and risk management.
A recent survey of 800 institutional investors found that cybersecurity was the top ESG concern overall, with 67 percent reporting that they were “concerned” or “very concerned.” As an example of how reporting on digital security can help investors, in 2016, consumer credit agency Equifax received the lowest possible ESG score from MSCI ESG Research, which noted that the company’s “data security and privacy measures have proved insufficient in mitigating data breach events.” A year later, Equifax exposed the personal information of 147 million people — a data breach that resulted in a legal settlement of roughly $700 million. In the years following, new leaders at Equifax overhauled the company’s ESG disclosure practices, including by publishing a standalone Security Annual Report alongside its other ESG reports.
Yet despite progress in ESG investing in recent years — and despite the importance of cybersecurity, privacy, data protection, content governance, and other digital issues to the global economy and society — it remains difficult to be an “ethical” investor in companies based on their practices for managing and securing data, even as mismanagement of data can result in significant financial costs.
Envisioning Data Practices in ESG
Imagine a world where investors are empowered to reward firms that responsibly manage and report on risks related to their data collection, analysis, sharing, maintenance, disposal, and reuse. In this world, firms would have incentives to reduce digital externalities like data breaches and discriminatory profiling. In addition, the social risks of data practices and security would be reported in standardized ways, resolving information asymmetries that lead investors to accept risk without being suitably informed or compensated.
How could digital security sit beside climate and workplace safety as mainstay elements of corporate responsibility? The UC Berkeley Center for Long-Term Cybersecurity (CLTC) has been exploring this question with a focus on ESG reporting among companies, investors, and NGOs.
A central premise of this research is that investors and NGOs are increasingly active at the nexus between business and society. They are no longer satisfied with companies’ opaque practices and hidden agendas, as the past two decades of change in attitudes toward corporate social responsibility have shown. They demand information about social and environmental externalities, and have sparked a sustained focus on corporate transparency. ESG communication is a medium for this exchange of information.
In Fall 2022, CLTC convened a pair of working groups to explore the rapidly evolving norms for communication between companies and their stakeholders on ESG issues related to digital technology, with an eye toward shaping a future research agenda.
The working groups identified key questions that could be better understood through interviewing professionals on the ground at the interplay of companies, NGOs, and investors in ESG communication. The groups created two initial designs for interview studies by combining members’ insights and experiences from diverse perspectives — including ethical innovation, consulting, risk and advisory, investing, investor advocacy, security, civil society, and academia.
Below are the key takeaways that emerged from each working group and their contributions to a broader research agenda.
Working Group on ESG Reporting for Cybersecurity (WGERC)
In recent years, ESG reporting standards have focused on a limited number of issues in cybersecurity, such as data breaches and high-level descriptions of cybersecurity management, oversight, and policies. Significant gaps remain that prevent adequate ESG communication about a reporting organization’s cyber resilience, that is, its capacity to withstand, recover from, and adapt to shocks caused by cyber risks. Institutional and social processes — such as organizational change and inertia, or engagements between investors and companies — can enable or impede cyber resilience disclosures in ESG reporting. Why do producers and consumers of ESG reporting vary in their ways of understanding these processes?
Critical Knowledge Gaps
Members of the WGERC noted a number of knowledge barriers that, if resolved, could sharpen the view on how ESG reporting on cybersecurity could advance or stall over time.
- To what extent have market attention or public attention on cyber risks to society — rather than cyber risks to a business — gained traction in organizations that shape ESG reporting norms, such as the Global Reporting Initiative, IFRS Foundation, and large-cap companies?
- Which organizations see value in ESG reporting on cyber resilience?
- How mature or immature are investors’ evaluation and communication structures for engagement with companies on cybersecurity?
- What are the perceived upsides and downsides of cyber resilience disclosures for producers and consumers of ESG reporting?
Key Research Questions
The WGERC created a targeted set of questions for corporations, investors, and NGOs, including:
- To what extent does the current emphasis on breach reporting in cybersecurity ESG disclosure fail to address significant firm responsibilities, societal impacts, and proactive measures? In what ways is a wider view of an organization’s cyber approach and preparedness needed to inform investors of risk?
- Which cybersecurity reporting topics are top priorities in ESG assessment, and for whom? (For example, how do different stakeholders rank the importance of reporting on cyber risk to the board of directors or participating in industry knowledge-sharing?)
- Which downside risks of ESG disclosure on cybersecurity are emphasized in institutional and social processes within and between organizations?
- To what extent are organizational processes and capacities for ESG reporting on cybersecurity inadequate compared to other ESG issues?
- Is fear of overdisclosure impacting the veracity of cyber resilience disclosures? If so, why?
- In what ways are corporate ESG leaders’ differing levels of hesitation, comfort, and planning for ESG reporting on cyber resilience based on their organization’s experience with cyber risk communication and breach reporting? How does breach reporting, an adjacent type of reporting in a highly contested arena involving insurance and government actors, affect ESG reporting on cybersecurity?
CLTC would like to thank the participants of the WGERC: Andrea Bonime-Blanc, GEC Risk Advisory; Anna Sarnek, SecurityScorecard; Audrey Mocle, Open MIC; Cristina Dolan, RSA NetWitness; Dunstan Allison-Hope, Business for Social Responsibility (BSR); Eric Meerkamper, CyberPeace Institute / Montreal Institute for Genocide and Human Rights Studies; Francesca Bosco, CyberPeace Institute; John Mattison, Arsenal Capital Partners; Olena Liakh; and Sekhar Sarukkai, Center for Long-Term Cybersecurity External Advisory Committee.
Working Group on ESG Reporting for Data Ethics (WGERDE)
Institutional investors and their advocates are pushing companies for accountability on data ethics, which encompasses a range of issues from surveillance and racial equity to responsible use of artificial intelligence. Investor ethos is embodied in collective declarations such as the Investor Statement on Facial Recognition and the Investor Statement on Corporate Accountability for Digital Rights, and by shareholder advocacy organizations focused on tech companies, such as Open MIC. Amplifying the effort are civil society initiatives that engage investors on data ethics issues, such as World Benchmarking Alliance’s Collective Impact Coalition for Digital Inclusion and New America’s Ranking Digital Rights.
The results of investor engagement and societal pressure on companies’ data ethics performance are just beginning to take shape in ESG reporting. Thus far, standard-setting bodies that influence disclosure norms have focused on a limited number of issues, such as customer privacy complaints and third-party requests for customer information. But other salient topics in data ethics, such as intrusive data collection, opaque data selling and sharing with third parties, and flawed data analytics, are nascent and underdeveloped in the ESG reporting landscape.
This dynamic moment in the history of reporting on digital issues presents a chance to examine institutional forces at play. Organizational and social processes — such as partnership-building between civil society and investors, and internal workflows for producing ESG information — can shape possible futures of ESG reporting on data ethics. Why do producers and consumers of ESG reporting vary in their ways of envisioning these processes?
Critical Knowledge Gaps
Members of the WGERDE perceived a wide range of potential enablers and impediments for ESG reporting on data ethics. The considerations are both technical and social. Technical factors relate to practical knowledge or technique within organizations, for example:
- Firms have inadequately tested methods to produce ESG reporting on data ethics without exposing the organization to liability from regulators or litigants.
- There are few known quantifiable measures that, when disclosed by an ESG reporting organization, help the firm adopt strengthened AI and data ethics practices.
- There is a lack of international norms and principles for data ethics to which ESG reporting organizations may link their policies, practices, and targets.
The group also observed social factors that can enable or impede ESG reporting on data ethics:
- There is a perception among consumers of ESG reports that the reporting is unreliable, and firms may be “greenwashing” their practices.
- Divergent meanings for key terms, including data ethics, are barriers to mutual understanding between reporting organizations and their stakeholders.
- There is an unclear model of shared responsibility among companies of different capabilities and sizes in ESG reporting for data ethics.
- There is a perceived lack of penalty for companies that are inconsistent or highly selective (“cherry-picking”) in their ESG reporting.
- Roles of ESG rating agencies are unstandardized and opaque.
Key Research Questions
The WGERDE developed a set of core questions for corporations, investors, and NGOs, including:
- What is the nature of social tension between corporate ESG leaders and employees in the same organization who develop products or implementations that are subjects (or potential subjects) of data ethics reporting?
- In what ways do corporate ESG leaders find that their organization has an interest in ESG reporting on specific topics in the purview of data ethics, but no instrumentation for reporting on them, and a perceived high cost of building that instrumentation?
- How do recent rapid shifts in traditionally regulated industries toward bringing technology companies in-house (for example, through acquisition or partnerships) present distinct enablers and constraints for ESG reporting on data ethics?
CLTC is grateful to the participants of the WGERDE: M. Alejandra Parra-Orlandoni; Craig Shank, CES.World / Responsible AI Institute; Dana Floberg, Open MIC; Jodi Masters-Gonzales, Humble Science, PBLLC; Joe Toscano, DataGrade; Laura Sherren, Meta; Morgan Clark, Anti-Defamation League; Olena Liakh; Parinati (Pari) Sarinot, Blueprint Technologies; Rob Grosvenor, Alvarez & Marsal; Sam Lowe, Alvarez & Marsal; Samita Patel, Alvarez & Marsal; Samita Thapa, World Benchmarking Alliance; Stephen (Stevie) Rea, Anti-Defamation League; Steven Tiell, DataStax; and Theresa Miedema, Ontario Tech University.
Sharpening a Research Agenda
CLTC’s distinctive working groups highlighted the diversity of research questions that have emerged — and will continue to emerge — as NGOs, regulators, companies, and public dialogue drive attention to corporate digital responsibility and associated reporting through the medium of ESG.
The next phase of the project will build on the working groups’ contributions and undertake two studies based on interviews with subject-matter experts in corporations, investment communities, and civil society.
Norms around ESG disclosure for digital topics are subject to institutional and social dynamics from different directions. To glean insight into these dynamics, the groups identified a target population for interviews that forms the groundwork for a research agenda. Though more than one study is needed to capture them all, priority interviewee groups include:
- Consumers of ESG reporting: Investors, civil society practitioners.
- Producers of ESG reporting: Corporate responsibility, sustainability, and ESG executives and officers; corporate legal teams who vet ESG disclosure; cybersecurity/InfoSec teams; investor relations teams; chief privacy officers; chief data officers and data ethics groups; and boards of directors.
CLTC invites researchers to join us in drawing on the perspectives of these professionals to develop a richer picture of the current practices that shape the present and future of ESG reporting on corporate digital responsibility.
We thank Omidyar Network for generous support of this project.