My boss Liz and I had a discussion earlier this week about how (or if) PracticalESG should cover cyber security as an ESG matter, or whether it continues to fit better as a broader corporate governance topic covered by TheCorporateCounsel.net, where there is already an extensive Practice Area on the topic. She and I have seen arguments on both sides of the fence. Coincidentally, Advisory Board member Doug Chia wrote an article about this very thing yesterday.
Doug set the stage this way:
At its core, ESG stands for the principle that one should identify and consider environmental, social and governance factors when making business investment decisions. But this basic concept has morphed into something seriously flawed – elusive to those trying to objectively define it for constructive purposes and at the same time too easily contorted by those with less than constructive commercial and political interests. One of the biggest flaws of ESG is the subjective open-endedness of what counts as E, S, or G. What fits under each is no longer obvious.
An example of this is cyber security.
His view, which reflects my conversation with Liz and our own conclusion, is this:
If forced to assign one letter of ESG to cyber security, the one most proximate is G on the notion that a company’s board of directors has a duty to oversee cyber security (and ERM [enterprise risk management] more generally) or under the concept of ‘data governance’ (which is not the same thing as ‘corporate governance’).
Doug ends with this pointed observation:
One could argue that the term ‘ESG’ is best used as shorthand for anything not typically measured with traditional financial metrics, or ‘externalities’ in general, and pedantic arguments over specific words and letters (like this blog post!) miss the point. But the possibilities for what is an ESG issue cannot be endless. What is not ESG? An undisciplined approach to what constitutes ESG will render it meaningless to those who need to understand its importance (e.g., Warren Buffett), and an absence of boundaries makes ESG ripe for manipulation, co-option, and ridicule by those with ulterior motives (e.g., the Free Enterprise Project). Continuing down this path will undermine the concept of ESG as a critical component of business and investment decisions. ESG’s own biggest risk may be that it can be whatever you want or need it to be.
For PracticalESG.com, we will cover environmental & social strategy and data governance. The “Big G” is territory for TheCorporateCounsel.net, which has a long history of being a go-to resource in that space.