We no longer support this browser. Using a supported browser will provide a better experience.

Please update your browser.

Close browser message

Why is Cybersecurity Important to ESG Frameworks?

August 19, 2021

On top of cybersecurity’s critical role in protecting systems, networks, programs and data, it is equally as important to investors, who typically examine data protection and information security policies to assess a firm’s cybersecurity risks. While cybersecurity has mainly been viewed as a technology issue, it is now also regarded as a key environmental, social and governance (ESG) concern, falling under the “Social” pillar.

ESG frameworks are a tangible means of evaluating corporate behavior; by incorporating cybersecurity, a new dimension is added, giving insight into cyber behaviors and risks which form a critical part of the bigger ESG picture. J.P. Morgan Global Research takes a closer look at the current cyber risks and why cybersecurity is fast becoming a core consideration in ESG frameworks.

Why is Cybersecurity Now Important to a Broader Demographic?

2020 was a challenging year for global organizations, with the adjusted average total cost of a data breach reaching $4 million per company. This was compounded by remote workforces, increasing the average total cost of a data breach by nearly $137,000. In a booming digital economy, cybersecurity is no longer just a software industry concern. It is becoming a major topic for company management, global investors and players from all industries with exposure to cyber technology and customers’ private information. A far broader demographic is becoming increasingly concerned with cybersecurity’s social impact as well as technological implications.

Cybersecurity - A Key Metric Under the Social Pillar

Cybersecurity has gained wider attention as the global workforce has pivoted to working from home and as data breaches occurred to companies in various industries. Companies can be fined and/or suffer reputational damage if they do not adequately protect their information networks. The sectors most relevant to this theme are Information Technology, Consumer Discretionary, Financials, and Communications Services. It could also have material impact on industries which have conventionally spent lower budgets on cybersecurity issues.

Increasing Data Security Regulations: Reshaping Corporate Behavior

Additional data security regulations have been introduced globally to enhance the protection of personal information, reshaping corporate behavior towards data usage and security. In May 2018, the General Data Privacy Regulation in Europe (EU GDPR) was introduced and in June 2018, the California Consumer Privacy Act (CCPA) was passed. Growing compliance requirements will likely drive corporate spending higher and may lead to financial losses if companies commit misconduct.

Cybersecurity Industry Growth

As cybersecurity becomes a broader concern, the industry is growing. Core security spending reached $68 billion in 2020, consisting of major spending in:

Security services spending reached $64 billion in 2020. The fastest-growing segment was cloud security, with further increased demand expected in a post-COVID world. Global revenue for the security software segment is expected to see consistent growth.

Looking at cybersecurity through a global lens, the U.S. led the way, accounting for ~65% of the global market. This was followed by Asia, accounting for 27%.

Pie Chart displaying market capitalization of global public companies Pie Chart displaying market capitalization of global public companies

Global Cybersecurity: Why is it a Worldwide Social Concern?

Cybersecurity is becoming a worldwide social concern, with growing interest from around the globe. Taking a global view is important: information regarding a firm’s cybersecurity risks is incomplete without factoring in geographical and geopolitical data. Foreign territories can initiate cyberattacks on organizations and these risks are not captured in conventional analysis.

Reasons behind these scores differ. According to Next Peak, China has a strong national cyber strategy, an established cyber emergency response team and a sophisticated internet content management system. However, China topped the Next Peak index for state cyber threat risk, driven by alleged hacking activities, weak cybercrime laws and poor intellectual property protections. India experiences high cybercrime risk despite a low percentage of the population having internet access, driven by the high number of malicious IP addresses registered there, according to Next Peak. Frequent nationwide internet shutdowns contributed to a high dissident cyber risk.

On the other hand, the U.S. has high cyber capabilities as significant resources have been invested in by the government. However, the U.S. remains a prime target for cybercrime, contributing to its relatively low Geo Cyber risk score, based on Next Peak’s analysis.

All contents, sources and opinions from this section are solely provided and contributed by Next Peak.

Cybersecurity Matters as an ESG Concern

The MSCI ACWI IMI Global Cyber Security Index aims to represent companies that could potentially benefit from increased investment in systems, products and services that provide protection against cyberattacks. While the index underperformed the Information Technology Index, it outperformed the broad market.

There are clearly considerable factors at play which are making cybersecurity an interesting prospect for businesses, investors and the general public. Considering cybersecurity as an ESG metric is still a relatively new stance but all evidence points to continued interest across the board. The future of cybersecurity as an ESG concern looks set to expand: it is fast becoming so much more than a technology issue.

Back to top button Back to top

This communication is provided for information purposes only. Please read J.P. Morgan research reports related to its contents for more information, including important disclosures. JPMorgan Chase & Co. or its affiliates and/or subsidiaries (collectively, J.P. Morgan) normally make a market and trade as principal in securities, other financial products and other asset classes that may be discussed in this communication.

This communication has been prepared based upon information, including market prices, data and other information, from sources believed to be reliable, but J.P. Morgan does not warrant its completeness or accuracy except with respect to any disclosures relative to J.P. Morgan and/or its affiliates and an analyst's involvement with any company (or security, other financial product or other asset class) that may be the subject of this communication. Any opinions and estimates constitute our judgment as of the date of this material and are subject to change without notice. Past performance is not indicative of future results. This communication is not intended as an offer or solicitation for the purchase or sale of any financial instrument. J.P. Morgan Research does not provide individually tailored investment advice. Any opinions and recommendations herein do not take into account individual client circumstances, objectives, or needs and are not intended as recommendations of particular securities, financial instruments or strategies to particular clients. You must make your own independent decisions regarding any securities, financial instruments or strategies mentioned or related to the information herein. Periodic updates may be provided on companies, issuers or industries based on specific developments or announcements, market conditions or any other publicly available information. However, J.P. Morgan may be restricted from updating information contained in this communication for regulatory or other reasons. Clients should contact analysts and execute transactions through a J.P. Morgan subsidiary or affiliate in their home jurisdiction unless governing law permits otherwise.

This communication may not be redistributed or retransmitted, in whole or in part, or in any form or manner, without the express written consent of J.P. Morgan. Any unauthorized use or disclosure is prohibited. Receipt and review of this information constitutes your agreement not to redistribute or retransmit the contents and information contained in this communication without first obtaining express permission from an authorized officer of J.P. Morgan. Copyright 2021 JPMorgan Chase & Co. All rights reserved.

MSCI: The MSCI sourced information is the exclusive property of MSCI. Without prior written permission of MSCI, this information and any other MSCI intellectual property may not be reproduced, redisseminated or used to create any financial products, including any indices. This information is provided on an ‘as is’ basis. The user assumes the entire risk of any use made of this information. MSCI, its affiliates and any third party involved in, or related to, computing or compiling the information hereby expressly disclaim all warranties of originality, accuracy, completeness, merchantability or fitness for a particular purpose with respect to any of this information. Without limiting any of the foregoing, in no event shall MSCI, any of its affiliates or any third party involved in, or related to, computing or compiling the information have any liability for any damages of any kind. MSCI and the MSCI indexes are services marks of MSCI and its affiliates.