Week 31: The missing P and C in ESG
In this issue: ▸ Do you own your data? ▸ Who’s listening right now? ▸ Cybersecurity is no. 1 external concern ▸ The Pegasus case ▸ New book coming soon! ▸ And much more...
Dear all,
This week we start with something powerful, grand and dangerous.
We dive into an area of ESG where society’s machine meets humans on all levels, in professional and everyday life.
It’s also a topic that the ESG community has not really addressed at all. There’s very little written about it, and very few ESG funds that address these transboundary risks related to more or less all investments done around the world.
I’m talking about cybersecurity and data privacy.
Have you ever invested in an ESG cyber and data-secured fund or stock? Neither have I. There are no such funds out there.
Do you own your data?
We are more heavily dependent, controlled, steered and influenced by our own digital identity (data) than ever before in human history.
Do we own the data? Do we have the right to own it? Your data belongs to you, or? Do we get paid for how it is used and misused? How is it used?
Since corporations treat personal data as a commodity, should we demand that individuals be given a way to take part in the distribution of the material benefits from the use/selling of such data? Or should we demand a change in the underlying practice of data commodification?
Would you “donate” personal data for some specific purposes (say, medical research), even if you are not willing to do so for others (say, targeted advertising)?
And what are the ethical considerations underlying such a decision?
As you can see, there are many questions and there are not really many clear answers.
In this piece you can read more about the ethical angle on this. Please go through the steps – and see where you end.
Who’s listening right now?
Another question: Are my apps tracking my activity and selling information about me? Have you tried to leave your phone on the table when you meet with friends and talk about say fishing gear?
The next morning most of those who were there will receive adverts on fishing gear. Spooky, but very true. Those small microphones on your phone, they collect things even when you don’t think about it.
One could argue that we need to own our data as a human right—and even be compensated for it. Here’s a very telling story on this topic. The best-known case of the recent past is Facebook who acknowledged that Cambridge Analytica had harvested data from 87 million customer accounts without users’ clear consent.
Data privacy has many faces. When investors analyse companies they consider investing in, they conduct thorough reviews of the companies’ finances, internal and external processes, hiring procedures, data management protocols, market position adherence to regulations such as GDPR and more. The list is almost endless.
At a time when cyber-attacks and data breaches are happening more frequently than ever before, ensuring effective data management safeguards are in place is crucial to a company’s performance, especially one that is likely to receive increased investment. Investment firms must discern how the organization safeguards its system against an attack or fraud. How an organization safeguards its data against such attacks could set it apart as a waste of an investment, or a high profit deriving enterprise with sustainability at its core.
The missing P and C in ESG
So there is a P and there is a C in ESG. Data Privacy (P) and Cybersecurity (C) have been in a focus before but are now becoming new frontiers of G and S in ESG.
This is also clear when we take a look at the numbers. Almost two-thirds of the world’s institutional investors are concerned about the impact of cyber security threats on their investments, making it investors’ foremost ESG risk, according to the 2019 RBC Global Asset Management Responsible Investment Survey.
Of the nearly 800 investors surveyed in the United States, Canada, Europe and Asia, 67% reported concerns about cyber security. Anti-corruption was the second most prevalent concern, followed by water. Cyber threats weighed heaviest on U.S. investors, at 71% of respondents. In Canada, 65% of investors cited cyber security as a concern, on par with a number of other ESG risks including climate change and executive compensation but slightly trailing anti-corruption.
In Europe and the UK, 59% of investors expressed concern about cyber security, the lowest of any region. Still, this put cyber security higher than any concerns in the region except climate change (88%) and water (84%).
Cybersecurity is clearly the next big ESG trend.
Cybersecurity is CEOs no. 1 “external concern”
The technology and communications services sectors are booming. But since the pandemic hit, and the world was forced into lockdown over and over again in some places, the demand for Big Tech products and services only accelerated to new heights.
Work from home quickly transitioned into living at work, and when people weren’t working, they were binging Netflix shows and celebrating the holidays with their Zoom family.
Simply, we have all become increasingly technology-dependent in our daily lives. Try going 24 hours without turning on your smartphone, TV or computer, and you will likely experience some form of digital relapse. Try one hour for instance.
Behind these platforms is a cyberspace ecosystem that continues to expand in demand and capacity, bolstered by the growth in the internet of things, 5G and automation.
All of this has a profound environmental impact and climate footprint, and you would be surprised about the size of it, I think. Essentially, these risks are underestimated in the ESG context.
On the cybersecurity front, there is no shortage of chilling news. Cybersecurity continues to be the number one “external concern” for American CEOs, regardless of their industry. That’s because the number of cyberattacks is increasing every year – with hackers attempting to break into a computer “every 39 seconds on average.”
Read more about the cybersecurity and data privacy trends here.
Two very material risks
So, cybersecurity is not only a concern for investors. It’s also top of every corporate executive’s mind. Companies have thus already started increasing investments in data privacy.
Research has found that cybersecurity budgets have increased by 141 per cent from 2010 to 2018. The annual costs of these attacks is expected to reach an incredible $6 trillion by 2021.
Cybersecurity failure ranks as the fourth likeliest critical threat to the world within the next two years, behind infectious diseases, livelihood crises, and extreme weather events, according to the World Economic Forum’s Global Risks Report 2021.
Given the far-reaching potential impacts of cyber incidents, ESG investors will soon be forced to add cyber issues and data privacy to their assessments.
Technology companies and their data protocols are affected by financially material risks in two distinct ways:
First, tech companies must ensure the privacy of data for all customers (business and personal). Beyond good business practice, government regulators are increasingly scrutinizing business strategy on issues related to data privacy and the responsible use of artificial intelligence and machine learning.
In 2018, the GDPR came into effect, which required all European Union-based businesses to comply with new data regulations regarding how they process and store customer information. To this end, industry leaders will need to establish far better disclosure and transparency on their overarching data governance strategy and investors will need to take this into account when they invest from an ESG perspective.
A second long-term risk factor is with regards to the threat of cyber attacks, which are on the rise according to various forecasts by security companies, which reported more intrusion attempts during the first six months of 2020 compared to all of 2019. Think of cases like Equifax or the latest high-profile cyber-attack on SolarWinds and several branches of the United States government. The cybersecurity landscape is so volatile that the Biden administration may adopt the view that data safety is an issue of national security.
Within this evolution, data security becomes paramount. When one considers the vast amount of personal, confidential and business-critical information at risk across a variety of platforms, the need for more robust cybersecurity and data privacy infrastructure by businesses, governments and individuals worldwide.
Any organization without a clear strategy in place to safeguard the most valuable commodity in a knowledge-based economy faces the risk of commercial repercussions and the big question is how will transformation to a more sustainable future happen in a world where you data is not yours and people that tell you it is protected are not prepared to do so.
Read more in this piece from Forbes.
The Pegasus case
We end this piece with a very real life cyber attack that cost people their lives.
As it turns out, military-grade spyware, licensed by an Israeli firm to governments for tracking terrorists and criminals, has been used in attempted and successful hacks of hundreds of smartphones belonging to journalists, human rights activists and business executives.
Pegasus sounds as a nice horse, but is in reality something very different. Read more about who the victims were here – and do see Guardian’s coverage here.
New book coming soon!
Some big news from my side too. Together with my dear friend Karim Sayyad, I have written a book entitled Where The Moneytree Grows.
The book is, of course, about ESG and sustainable investments. It offers many different perspectives as well as practical and real examples of how ESG analysis is done – and how you can identify the winners and losers.
I can promise you this much: It’s both entertaining and insightful!
The book will soon be published, and for now you can follow it on Instagram:
That would be all for this week.
Yes, Mother Earth is warmer than ever before, and the Gulf Stream might soon collapse, but the stock markets are booming…
Best regards,
Sasja