Leveraging Cybersecurity as a Business Growth Enabler

June 5, 2023

While there are countless benefits to investing in cybersecurity, from protecting sensitive information to mitigating risks, one not often highlighted is the positive impact cybersecurity has on a company’s ESG profile. As ESG is used as a means to identify and take action on material areas of risk and opportunity, cybersecurity emerges as an important area of exposure for many companies, especially those with access to large amounts of confidential, sensitive information. A strong ESG program reflects not only topics relevant to a company’s industry but also areas of concern to its key stakeholders, which often include customers, investors, regulators, and employees. Cybersecurity regularly arises as a key consideration for many of these groups, as each has an interest in proactively mitigating risks related to cybersecurity incidents. Companies can send a strong signal to all of these stakeholder groups by involving their Chief Information Security Officers (CISOs) in ESG assessments, strategy, and improvement projects.

How Does Cybersecurity Contribute to ESG?

Data is a company’s most critical asset – 90% of S&P 500 Companies’ asset values are intangible, meaning there would be serious consequences should a cybersecurity incident cause data to be stolen or leaked.[1] Cybersecurity incidents can also disrupt business operations or impact the safety of people and the environment. Because the potential damage from a cybersecurity incident is significant, strong cybersecurity practices are a core pillar of ESG programs. In fact, for many of our clients, it is one of the most material areas of risk in the governance category (the “G” of ESG). Most ESG reporting frameworks and rating agencies, including S&P Global and Sustainalytics, already consider cybersecurity when evaluating a company’s governance structure, standards, and practices.[2],[3]

What Can CISOs Do to Contribute to ESG Efforts?

Once a company conducts a materiality assessment with cybersecurity defined as one of the key issues to address, incorporating strong cybersecurity practices into the organisation’s ESG program benefits the company in two ways: it integrates cybersecurity more closely into the larger governance program, and it allows the cybersecurity team and the CISO to engage with the broader employee base. CISOs should ideally be part of a defined ESG Executive Leadership Committee, an entity at the top of the organisation with decision-making power and the ability to meaningfully integrate ESG into business strategy decisions. Through this committee, the CISO should engage with the defined ESG/sustainability team to understand their work to date, including materiality assessments, stakeholder communications, frameworks, and targets, and how cybersecurity can be integrated further. CISOs should also proactively contribute to ESG and Corporate Sustainability reports to demonstrate to shareholders the value that cybersecurity is adding to the organisation. Including CISOs in these reports demonstrates the maturity of cybersecurity processes and controls, resulting in better stakeholder alignment and higher scores during independent sustainability assessments.

How Will Cybersecurity and ESG Integration Add Value?

Cybersecurity teams are often considered a risk management function within an organisation, helping to identify and manage cybersecurity-related risks. Effective cybersecurity measures also play an overlooked role in creating value for a firm, as strong cybersecurity programs can help companies achieve better external ESG ratings, engage more meaningfully with investors, and decrease operating costs and volatility. As ESG evaluations become more nuanced, whether from investors, peers or third parties, companies should expect to receive an increasing number of inquiries about what they are doing to protect the intangible assets on their balance sheets. A strong cybersecurity program, including clear stakeholder communication around the program’s value, is essential both to mitigating risk and to receiving credit for action taken.

This article was authored by Head of Cybersecurity for Australia, Wouter Veugelen, and Global Leader of ESG and Sustainability, Miriam Wrobel.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.

©2023 FTI Consulting, Inc. All rights reserved.

[1] Jarzebowski, Martin, “As Intangible Assets Grow, So Does The Role Of ESG Standards,” Forbes (29 December 2020).

[2] “What sets S&P Global ESG Scores apart?,” S&P Global (2023).

[3] “The ESG Risk Ratings: Material ESG Issue – Data Privacy And Security,” Sustainalytics (January 2022).