Cybersecurity

in ESG
It’s time to view ESG and
cybersecurity through the
same lens.

KPMG International | kpmg.com/cybersecurity

 Environmental Social Governance Conclusion — Creating How KPMG
Introduction
considerations considerations considerations new links between ESG professionals can help
and security

Contents
Introduction...............................................3
Environmental considerations...................4
Social considerations.................................6
Governance considerations.......................9
Conclusion — Creating new links�����������12
between ESG and security
How KPMG professionals can help.........13
 Environmental Part 2: Being digital
Social Part 3: Governance
Advancing Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
IntroductionForeword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations
and deed
considerations talent marketplaces
to action… safely
new links between ESG
make purpose real
professionals can help
feeling good unknown
and security

Introduction
In today’s digital economy, businesses face challenges
in simultaneously meeting their environmental, social,
and governance (ESG) targets and ensuring robust
cybersecurity and privacy measures. Concerns relating
to these areas have been at the forefront of global risk
maps for several years.1
According to the KPMG 2022 CEO Outlook survey,2
ESG and cybersecurity are crucial for corporate
success. While environmental aspects of the ESG
agenda have received significant attention, other
elements such as cybersecurity and privacy have not
been as well-developed. This is concerning as cyber
threats are soaring in frequency — impacting business
operations, continuity and reputations.
This paper aims to explore the connection between
ESG and cybersecurity. It will discuss the expected
benefits of managing these issues together and
how an integrated approach can help safeguard an
organization’s health, business future, and the interests
of their customers, clients, and business partners.

1
www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf
2
CEO Outlook, KPMG, 2022

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 3
 Environmental Part 2: Being digital
Social Part 3: Governance
Advancing Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations considerations talent marketplaces
new links between ESG professionals can help
and deed to action… safely make purpose real feeling good unknown
and security

Environmental
considerations

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 4
 Environmental
EnvironmentalEnvironmental Part 2: Being digital
Social Part 3: Governance
Advancing Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
considerations
summary strategic flow considerations
considerations and deed
considerations talent marketplaces
to action… safely
new links between ESG
make purpose real
professionals can help
feeling good unknown
and security

Critical infrastructure faces significant new opportunities for cybercrime and demand a high
new risks level of cybersecurity and data protection.
Similarly, introducing new technology solutions to
When it comes to ESG, environmental factors support the circular economy when those systems
are a key consideration. However, ESG’s link to involve significant financial transactions to incentivize
cybersecurity, although less obvious, is becoming green behaviors, can raise concerns over new fraud
increasingly important. According to the 2022 KPMG patterns.
survey, 64 percent of companies acknowledge climate
change as a risk to their business.3 KPMG professionals Embedding cyber into these programs can help
are starting to see cyberattacks that endanger the anticipate the cyber threat and ensure safe and
environment by targeting critical infrastructure such secure operations. At the same time, adhering to data
as power plants and water-processing facilities. protection principles such as data minimization can
Additionally, these attacks on industrial control reduce the risk of data breaches and ensure regulatory
systems can cause equipment malfunctions, compliance.
environmental damage and hazards. Organizations The digital economy has led to a surge in data processing,
need strong cybersecurity to protect their critical resulting in the construction of data centers worldwide.
infrastructure against threats to their sophisticated Criminals have found opportunities to exploit weaknesses
and interconnected operational technology. As these in the security of data centers and cloud services to steal
incidents become more common, we anticipate greater computing resources, including cryptocurrency mining
regulatory focus. at scale. Unfortunately, the use of these systems has a
Connect security to decarbonization, CO2 negative impact on energy consumption and the carbon
reduction and the circular economy footprint, for example, implementing the required or
best-practice cyber controls like having a secondary data
Most plans for decarbonization and CO2 reduction rely center for improved resilience can lead to higher use of
on digital transformation and the application of smart resources and energy.
technologies and automated systems that monitor
and manage energy production, distribution and Organizations today need to consider both the pros
consumption. However, these solutions can create and cons of cyber resilience, striking a balance with
cybersecurity and ESG targets.
3
'Big shifts, small steps' Survey of Sustainability Reporting, KPMG, 2022

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 5
 Environmental Part 2: Being digital
Social Part 3: Governance
Advancing Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations
and deed
considerations talent marketplaces
to action… safely
new links between ESG
make purpose real
professionals can help
feeling good unknown
and security

Social
considerations

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 6
 Environmental Part 2: Being digital
Social Part 3: Governance
Advancing Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations
and deed
considerations talent marketplaces
to action… safely
new links between ESG
make purpose real
professionals can help
feeling good unknown
and security

Impacts on society's digital landscape they should have robust incident response plans to technologies can ensure that only intended recipients
minimize the impact of a cyberattack on critical services. can access information without fear of eavesdropping
Social considerations are also a critical aspect of
or surveillance. Cybersecurity can also help mitigate
ESG, and cyber risk can significantly impact society, Ransomware attacks are soaring the effects of disruptive attacks targeting websites
particularly as global cyberattacks become more
Lucrative ransomware attacks continue to increase and online platforms that facilitate free speech and
frequent and impactful. Digital applications and
globally and can quickly cripple an organization’s expression.
systems are now integrated into every aspect of our
operations and reputation. Amid the severe
lives, from the personal devices we rely on and the Protect customer information to foster trust
consequences, many organizations are tempted to pay
social media we interact through to the sophisticated
the ransom. Unfortunately, ransomware payments only Privacy controls can also play a key role in limiting the
automated platforms and systems that support digital
encourages more crime and creates a costly cycle. To exploitation and misuse of personal information without
workplaces and lifestyles. The 2022 KPMG survey
combat ransomware attacks, modern cybersecurity consent or knowledge. This is vital in maintaining the
found that 49 percent of companies acknowledge
measures should be put in place to minimize their public trust in organizations.
social elements as a risk to their business.4
social and financial impact.
Before regulations such as the EU General Data
Data protection is critical Protection Regulation, many organizations believed
Freedom of speech faces new threats
This integration can make you vulnerable to cyber risks they had ownership over the public’s personal data.
Privacy and cybersecurity also play vital roles in This changed with the introduction of these regulations.
that can lead to the theft of personal and sensitive
protecting freedom of speech and securing today’s Individuals now have the right to their own personal
information resulting in identity theft, financial fraud and
proliferating digital communications channels. Legal data, including the right to know what data a company
other social harms. Cyberattacks can also disrupt critical
protections, promoting digital and media literacy, holds and the right to have it deleted.
healthcare, transportation and emergency services. To
and supporting diversity and inclusion in online
address these risks, organizations need strong privacy and
spaces are also important measures. Encryption
cybersecurity measures to protect their data. Additionally,
4
'Big shifts, small steps' Survey of Sustainability Reporting, KPMG, 2022

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 7
 Environmental Part 2: Being digital
Social
Social Part 3: Governance
Advancing Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary considerations
strategic flow considerations
and deed
considerations talent marketplaces
to action… safely
new links between ESG
make purpose real
professionals can help
feeling good unknown
and security

New concerns on AI and data ethics

Using artificial intelligence (AI) tools can speed up
data collection but raises questions about ethical data
usage by algorithms and machine learning. Biases
can unfairly affect individuals or society as a whole.
Organizations can positively or negatively impact
society based on how they assess risks and safeguard
the data they process. New regulations, like the EU AI
Act, aim to ensure that AI is used in a way that does
not harm.
Raising cyber awareness and literacy
Many organizations are emphasizing their purpose and
social responsibility. They recognize that they have a
role to play in promoting cybersecurity literacy and
awareness, whether across their customer base or
supplier ecosystem. These actions can help prevent
fraud, encourage brand loyalty and reduce exposure to
supply chain attacks.
Some organizations also pursue altruistic aims of
building societal awareness of cyber threats, helping
develop skills and promoting cybersecurity as a
profession while supporting organizations such as
charities that may not have the capacity and capability
to fully secure their own systems. October is
Cybersecurity Awareness Month, an annual campaign
aimed at raising awareness about cybersecurity and
providing resources for individuals and organizations
to improve their cybersecurity practices. KPMG,
among other organizations, are actively participating
in this campaign to enhance security for all.

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 8
 Environmental Part 2: Being digital
Social Part 3:Governance
Advancing
Governance Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations
and deed
considerations talent marketplaces
considerations
to action… safely
new links between ESG
make purpose real
professionals can help
feeling good unknown
and security

Governance
considerations

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 9
 Environmental Part 2: Being digital
Social Part 3:Governance
Advancing
Governance Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations
and deed
considerations talent marketplaces
considerations
to action… safely
new links between ESG
make purpose real
professionals can help
feeling good unknown
and security

Keeping regulations in focus amid change put into ESG reporting and reporting assurance, but
can you trust that the data is accurate and reliable?
Governance is the third aspect of ESG as cyber
Cybersecurity is a critical factor in ensuring
risks can pose significant governance implications.
trustworthy ESG reporting. It works to protect data
There are various industry or market-specific cyber
at its sources while being collected,
regulations, such as the US’ Cybersecurity Risk
in transit, and after it has been analyzed and
Management for Investment Advisers, Strategy,
reported. In addition, data privacy compliance is
Governance and Incident Disclosure, Investment
also required when personal data is processed in
Company Names Disclosure, and Nasdaq’s Board
generating ESG reports.
Diversity Rule. In the EU regulations include the
General Data Protection Regulation (GDPR), Digital ESG compensation models, reporting and data
Operational Resilience Act (DORA) and the revised collection can involve automated processes, as well
Network and Information Systems Directive (NIS2). as data modeling and analysis. It is vital that these
processes are not manipulated or biased to ensure
ESG-related regulations include the European Union
accurate reporting.
Sustainable Finance Disclosure Regulation (SFDR)
and Corporate Sustainability Reporting Directive Cybersecurity is relevant to all three ESG dimensions,
(CSRD). In the US, obligatory disclosure regulations so organizations at any stage of their ESG journey
include commission guidance regarding disclosure should consider reporting cyber posture as part of
related to climate change, enhancement and their ESG reporting. This helps to develop and sustain
standardization of climate related disclosures, rule trust with their customers, employees and external
ammendments to reg S-K Items 101, 103, 105 and stakeholders.
enhanced disclosures by certain investment advisers
SASB and other standards focus on
and investment companies about environmental,
social, and governance investment practices. transparency

Measuring the effectiveness of an organization’s The Sustainability Accounting Standards Board

privacy, cybersecurity and data management (SASB) provides industry-specific standards
practices can help to determine how well they for reporting on sustainability factors, including
govern the data they process and share both environmental, social and governance. The standards
internally and across borders. are financially important and aim to increase
transparency and comparability in corporate
ESG data and reporting need to be accurate reporting, which can help investors make more-
informed investment decisions. However, fewer
ESG data comes from four main sources: third party
than half of companies have leadership level
data, reported data, derived and functional data, and
representation for sustainability.5
firm-owned raw data. Significant efforts are being

5
'Big shifts, small steps' Survey of Sustainability Reporting, KPMG, 2022

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 10
 Environmental Part 2: Being digital
Social Part 3:Governance
Advancing
Governance Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations
and deed
considerations talent marketplaces
considerations
to action… safely
new links between ESG
make purpose real
professionals can help
feeling good unknown
and security

One of the sustainability factors that SASB covers

is cyber risk, which falls under the technology and
However, fewer than half of companies have
leadership level representation for sustainability.6 By addressing cyber
communications industry, but many other sectors
mention it too. Cyber risk is a factor that companies Customers expect trustworthy services risks within the context
should consider disclosing in their public filings and
is included under the Data Security disclosure topic,
This topic covers a range of cyber threats that could
Customers are more likely to do business with a
company they trust to protect their personal and of ESG, companies
compromise sensitive information and provides
guidance on cyber risk management.
financial information. This is especially true for
corporate customers, who value the safeguarding
of their confidential data and intellectual property.
can safeguard their
A similar standard, the Global Reporting Initiative Many industries have regulatory requirements for
cybersecurity, and organizations that comply with
operations, customers
(GRI), is widely used for sustainability reporting.
GRI standards include guidance on how companies these regulations are preferred by stakeholders. The
KPMG survey found that less than half of companies
and reputation while
should disclose their management of cybersecurity
and data privacy issues. disclose their governance risks.7 fulfilling their broader
By including cyber risk as a material sustainability
factor, SASB and GRI both recognize that cyber
Both private and corporate customers want to ensure
that the services they purchase meet their ESG and social and environmental
threats can significantly impact a company’s financial
performance, reputation and long-term sustainability.
cybersecurity expectations. A company’s commitment
to ESG can be a sales enabler — enhancing its
reputation, driving innovation, managing risks,
obligations.
Companies that disclose their cyber risk management
practices and provide information about their data ensuring compliance and improving access to capital.
security policies and procedures can improve their Therefore, it is important to consider how sustainable
transparency and accountability to stakeholders, a company’s privacy and cybersecurity practices are
including investors, customers and regulators. when doing business.

6-7
'Big shifts, small steps' Survey of Sustainability Reporting, KPMG, 2022

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 11
 Environmental Part 2: Being digital
Social Part 3: Governance
Advancing Part 4: Shopping for
Conclusion
Conclusion
Conclusion Part 5:—
Holding
— to the
Creating
Creating
Creating Part 6: Prioritizing
How KPMGConclusion: How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations
and deed
considerations talent marketplaces
to action… safely
new
new new links
links between
links
between
between ESG
ESG
make purpose real
professionals can help
feeling good unknown
andand
ESG
and security
security
security

Conclusion — creating
new links between ESG
and security
Organizations can benefit greatly by exploring the close connection between
cyber and ESG risks. Both areas focus on identifying and managing risks and
opportunities, leading to enhanced products and solutions and a better society.
This connection is being increasingly recognized by markets, including ESG rating
providers who strive for greater transparency and fairness in measuring and
comparing organizations.
To protect their critical infrastructure, industrial control systems, and customer
data, companies should have robust privacy and cybersecurity measures in place.
Good news is many companies already do, which should positively impact their
ESG performance. Additionally, companies should invest in sustainable technology
solutions to help reduce environmental impact and minimize exposure to cyber risks.
Finally, companies should have strong governance structures to oversee privacy and
cybersecurity risk management and ensure compliance with legal and regulatory
requirements. By addressing cyber risks within the context of ESG, companies can
safeguard their operations, customers and reputation while fulfilling their broader
social and environmental obligations.

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 12
 Environmental Part 2: Being digital
Social Part 3: Governance
Advancing Part 4: Shopping for Part 5:—
Conclusion Holding to the
Creating Part 6: Prioritizing
How KPMGConclusion: How
How
Executive Part 1: Delivering
Introduction
Foreword in thought, word analytics from insight talent — building heading — how to wellbeing and to position for the
considerations
summary strategic flow considerations
and deed
considerations talent marketplaces
to action… safely
new links between ESG
make purpose real
professionals
professionals
feeling good
can
can help
help
unknown
and security

How KPMG professionals can help

There’s growing pressure for businesses to be And whether you’re entering a new market,
transparent on their corporate commitment activities launching products and services, or interacting with
in cybersecurity and ESG. Cybersecurity is on the customers in a new way, sustainable growth is the
agenda for many regulators with growing demands only way to build a successful and resilient business.
for timely and comprehensive incident notification
KPMG professionals are committed to working with
and disclosure of cyber security control maturity. And
you to enhance trust, mitigate risk and unlock new
its connection to the ESG agenda is playing a huge
value as you build a resilient business for a more
role in the future of corporate social responsibility.
sustainable future. With access to industry-leading
KPMG firms’ have experience across the continuum — experience, data-driven technology, and global
from the boardroom to the data center. In addition to alliances, you can turn insight into opportunity for
assessing your cybersecurity and aligning it to your your business, your people, and the planet. KPMG
business priorities, KPMG professionals can help professionals can help you anticipate tomorrow,
you develop advanced digital solutions, implement move faster, and get an edge with secure and trusted
and monitor ongoing risks, helping you respond technology.
effectively to cyber incidents. No matter how you
KPMG. Make the difference.
engage, you can expect to work with people who
understand your business and your technology.

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity in ESG 13
Contacts
Mika Laaksonen Prasad Jayaraman Matt O’Keefe
Global Cyber Security ESG Leader Americas Cyber Security Leader ASPAC Cyber Security Leader
and Partner and Principal and Partner
KPMG in Finland KPMG in the US KPMG Australia
mika.laaksonen@kpmg.fi prasadjayaraman@kpmg.com mokeefe@kpmg.com.au

Akhilesh Tuteja Dani Michaux Nadine Hönighaus

Global Cyber Security Leader EMA Cyber Security Leader Global ESG Governance Lead
KPMG International and Partner and Partner and Partner
KPMG in India KPMG in Ireland KPMG in Germany
atuteja@kpmg.com dani.michaux@kpmg.ie nhoenighaus@kpmg.com

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

kpmg.com/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there
can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after
a thorough examination of the particular situation.

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved.

KPMG refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity. KPMG International Limited is a private
English company limited by guarantee and does not provide services to clients. For more detail about our structure please visit kpmg.com/governance.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.

Throughout this document, unless otherwise indicated by quotation marks, “we”, “KPMG”, “us” and “our” refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG
International”), each of which is a separate legal entity.

Designed by Evalueserve.

Publication name:Cybersecurity in ESG | Publication number: 138862-G | Publication date: July 2023