In early 2005, the then United Nations Secretary-General Kofi Annan invited a group of the world’s largest institutional investors to join a process to develop the Principles for Responsible Investment. The Principles were launched in April 2006 at the New York Stock Exchange. By January 2016, the Principles for Responsible Investment (PRI) and the United Nations Environment Programme Finance Initiative (UNEP FI) set out to clarify investors’ obligations and duties in relation to the integration of environmental, social and governance (ESG) issues in investment practice and decision-making. They defined a set of principles that helped better align investors with broader objectives of society. In 2017, PRI guidelines now state that ESG investment principles have become a fiduciary duty for asset managers and qualified investors in public finance markets.
Impact on Venture Backed Start-Ups For venture backed start-ups, ESG investment principles are manifesting themselves in the due diligence phase for funding rounds. Request for GDPR adherence and SOC-2 attestations by investors are becoming more common place as
security governance standards for SaaS companies to do business in the modern economy and are identified as significant business risk issues. Failure to have a proper InfoSec plan in place, attested to by a recognized third-party authority, could put your next funding round or M&A event at risk. by venture investors for their portfolio companies.
Where does Cybersecurity come in?
Cybersecurity is increasingly being viewed not as just an IT risk, but is rather a business risk that requires an integrated approach to policy and controls and that engages all key stakeholders across the enterprise. In addition, Limited Partnerships - the fund managers behind venture capital who are also signatories to the PRI - have a fiduciary duty that requires them to document how their venture investor partners scrutinize portfolio companies on the status of ESG policy and how implementation of ESG is mapped to business risk.
Where ESG converges with cybersecurity and governance is in two key areas of an investor’s risk assessment of any enterprise:\
In the Social (the “S”) aspect of ESG based responsible investing, a company’s cybersecurity strategy and its controls implementation must be documented and available to investors. The Security and Compliance policy must explain how they identify and manage their data vulnerabilities and then describes their action plan in detecting and responding to data breaches and recovering compromised data.
For the Governance (the “G”) aspect of ESG based investing, enterprises are expected to focus on an organization’s governance and risk oversight boards and how they identify the principal people responsible for the implementation of remedial actions and to how executives and board members are engaged in the oversight of this process.
Cyber Security Considerations for Enterprises While there are many cyber threats to the enterprise, it is instructive to look at a non-vendor threat report to focus ESG policy development efforts to address key issues. In 2018, The European Union Agency for Network and Information Security (ENISA) identified notable cyber threats in its 2018 threat landscape report. These include:
Malware, one of the most frequently encountered cyber threats, is malicious software that is designed to exploit a computer or mobile device without consent. Web-based attacks use web-enabled systems and services such as browsers, websites and the IT components of web services and web applications. They are commonly combined with malware campaigns. Examples include web browser vulnerabilities and malicious URLs. Web application attacks are directed at web applications, web services and mobile apps. Phishing attacks use social engineering to trick end users into clicking on a malicious link or download an attachment, which then allows the attacker to access credentials and install malware. Spam has been one of the most prevalent means for delivering malware. Denial of Service (DoS) attacks overwhelm servers, systems or networks with traffic, preventing it from being used by legitimate users. A distributed denial of service (DDoS) attack uses multiple infected devices to flood a targeted system. Ransomware is a type of malware which is designed to block access to user files or the computer until a ransom is paid. Botnets consist of interconnected devices that have been infected with malware and controlled remotely by a cyber criminal. They are used for spam campaigns and DDoS attacks. Insider threats can arise when an insider uses his/her authorized access to jeopardize the security of their organization deliberately or inadvertently. Physical manipulation/damage/theft/loss of devices can cause a data breach, such as drilled ATMs and stolen smartphones. For every enterprise, part of having a robust ever-green system of record that anticipates the risks noted above is critical. The resulting “Information Security Policy” should roll up to also include an ESG policy. Guidelines on how to create an ESG Policy Statement can be found here. Tugboat Logic’s Virtual CISO Platform can help assess the risks of your business to help shape the right policies and controls to be implemented based on your industry and scope of business activity.
In conclusion, no investor wants to invest in a company that does not take cybersecurity and governance seriously. With government regulators stepping up oversight protocols and Limited Partners facing a fiduciary duty of responsible investing, the burden falls on the enterprise executive team to implement a robust ESG-principled cybersecurity program.