Cybersecurity as Business Strategy: ESG & Investor Perspectives

Cyber risk is now a board-level risk, not just an IT risk. In 2024, the global average cost of a data breach rose to nearly $4.88 million, the highest in a decade and a 10% increase year on year. Similarly, the average cost of a breach in India reached a record ₹19.5 crore (around $2.35 million), a 7% increase year on year.
Those are significant costs, and they should remind us that cybersecurity risk is now a material ESG risk that can factor into the decision making of investors and the longevity of companies.
This post follows the evolving risk landscape, the growing place of cybersecurity in ESG frameworks, how investors view and define cyber resilience now that they can actually measure it, and best practices for integrating strategy, metrics and governance.
Whether you are benchmarking against peers or considering a cyber security course in India, this is a guide to running cyber work in terms of ESG and investor expectations.
The Rising Materiality of Cybersecurity in ESG
While ESG frameworks have continued to develop and change over time, cybersecurity has become a pivotal emerging area for ESG, on par with environmental and governance considerations. Investors and other stakeholders increasingly view digital resilience as indispensable to sustainable operations.
The economic risk is staggering: in 2021, global cybercrime damages reached $6 trillion, and they are projected to reach $10.5 trillion by 2025, driven by rapidly increasing ransomware, fraud and nation-state disruption. Cybercrime has, in effect, become an industry. In 2022 the average data breach cost $4.35 million, and breaches of critical infrastructure systems averaged closer to $4.82 million. Alarmingly, ransomware payments can reach $5-10 million, with recovery costs exceeding $3.6 million.
Moreover, cyber incidents disrupt business continuity; they can target critical infrastructure, supply chains, and ultimately worker safety. In 2025, attacks on operational systems have triggered a wave of multi-million dollar revenue losses and eroded customer trust. Most troubling, a frequently cited estimate holds that 60% of small businesses fold within six months of a significant breach.
This combination of quantifiable financial loss and widespread disruption is why cybersecurity is now a material ESG issue, one that must be considered in risk frameworks, disclosures, and investor due diligence.
Investor Perspectives & ESG Scoring
From a governance perspective, cybersecurity is increasingly treated as a core corporate risk, on par with financial controls and operational resilience. Credit analysts treat a weak cyber posture as a governance issue, which can become grounds for a debt-rating downgrade in the aftermath of a large breach, as in the cases of Princeton Community Hospital and SolarWinds.
Institutional investors are listening to this. Railpen, with £34 billion under management on UK railway pensions, has urged fellow pension funds and asset managers to place an even higher priority on cyber resilience, portfolio-level assessments, and heightened board engagement on cyber risk. It is reported that 29% of firms were materially affected by a cyber incident in 2024. The World Economic Forum and other international bodies also often rank cybersecurity as a top systemic threat, leading large funds to apply cyber metrics in their due diligence.
ESG rating agencies look at breach history, privacy policies, transparency in incident reporting, and third-party risk posture—where a failure to disclose or a mishandling of supply-chain exposures can negatively affect scoring.
When it comes to credit and debt, stronger cybersecurity hygiene is credited with lowering borrowing costs.
Cybersecurity in ESG Reporting Frameworks
Prominent ESG standards such as GRI and SASB now call for organizations to publicly disclose how they manage cyber risks and cyber incidents, including incident frequency, response protocols, and data management policies. The GRI Universal Standards address the "number of data breaches, nature of cyber-related incidents, and actions to remediate," while SASB offers industry-specific metrics tied to financial materiality.
The regulatory picture is shifting rapidly: in the EU, NIS2 requires stronger risk-management practices and faster incident reporting from operators of critical infrastructure. DORA (effective January 17, 2025) requires financial firms to implement resilience-specific controls. The UK Cyber Security & Resilience Bill, announced by the Government in July 2024, will require critical infrastructure firms to adopt standardized security controls, test them regularly, and disclose incidents to regulators.
Emerging markets are keeping up: India's BRSR now requires disclosures about data protection practices and the board's oversight of cyber risk, in line with global ESG trends. Advisory firms such as Deloitte promote digitized ESG reporting frameworks that act as a dashboard of near-real-time cyber metrics, which improves data quality, removes manual inefficiency and extracts strategic value.
Collectively, these frameworks and regulations are moving cybersecurity from a compliance activity to a strategic function of ESG reporting, where proactive disclosure builds stakeholder trust and supports long-term resilience.
Framing Cybersecurity Through the ESG Lens
A. Environmental 🌱
Cyberattacks on industrial systems pose not only operational threats but significant environmental risks. For example, a 2000 attack in Australia released 800,000 litres of raw sewage into local waterways after wastewater pumping controls were compromised.
The risk is not theoretical: beginning in late 2023 and continuing through 2024, the CyberAv3ngers group carried out SCADA-level attacks on water and wastewater systems, causing disruptions in multiple countries. The U.S. EPA Office of Inspector General assessed drinking-water systems serving 193 million people and identified 97 systems with critical or high-risk vulnerabilities that could enable cyber-initiated contamination or chemical manipulation.
The Colonial Pipeline shutdown and the earlier compromise of a German steel mill's control systems show how cyberattacks target the process controls that govern resources and emissions. These events illustrate a distinct point: cyber failures are not just IT failures; they can cause pollution and environmental incidents.
B. Social 👥
Data privacy is a social good: breaches destroy public trust and also affect employee mental health and morale. Insurance analysts have documented "cyber incident fatigue" in health claims from employees who experience repeated disruption to their work. A compromised supply chain also affects the safety of customers and third parties. Attackers can compromise vendors, push malware into critical services or expose PII, which in sectors such as healthcare and environmental services can lead to loss of life or dignity.
C. Governance 🏛
Strong oversight requires clear accountability at board level, in working groups and in broader cross-functional committees, backed by measurable metrics. Sustainability frameworks have begun to call out board disengagement from cyber risk. Established frameworks such as ISO 27001, ISAE assurance reports and zero-trust architectures provide anchors for resilience and a baseline for compliance. Organizations that can demonstrate maturity against any of these frameworks are better positioned to build investor partnerships and to underwrite systemic ESG risk.
Investor Behaviors & Market Signals
Due diligence is expanding: cyber hygiene has become a standard component of contracting and fundraising. Acquirers run cybersecurity assessments, covering controls, threat preparedness, incident history and third-party risk, to determine deal value and the scope of post-deal integration. Research suggests a strong cyber posture preserves value and mitigates post-acquisition shocks.
Cyber insurance pressures: premiums and coverage language are increasingly tied to a company's ESG-aligned cybersecurity stance. S&P Global projects that global cyber insurance premiums will grow to $23 billion by 2026, rising around 15 to 20% per year. Carriers are withdrawing from poorly defended clients while favouring those with solid defensive processes, and underwriters now require a risk-posture assessment before issuing a policy.
Venture capital support: investment capital is targeting "cybersecurity-as-ESG" plays. For example, JPMorgan's growth equity arm led Eye Security's €36 million Series B round; the company is building mid-market cyber resilience ahead of the NIS2 requirements. This signals that investors see room to scale cyber solutions that are intrinsically linked to regulators' demands.
Private credit scoring: lenders such as Nomura are embedding cybersecurity into credit-linked scoring. Nomura uses a proprietary credit-ESG model that adjusts spreads according to the counterparty's cyber maturity and its sector's vulnerability. These risk-adjusted scores give financial materiality to the concept of cyber posture.
Best Practices for Embedding Cyber into ESG Strategy
Governance & Leadership
Set up a Cyber–ESG stakeholder committee including the CISO, CRO, sustainability, legal and operations leads. This allows for cross-functional alignment.
Assign clear accountability (normally to the CISO or CRO), and include cyber security KPIs in board dashboards and annual ESG reports for executive scrutiny.
Risk Quantification & Metrics
Use financial risk modelling and scenario-based breach cost simulation, mapping potential losses to organizational impacts.
Report metrics diligently and transparently, such as total number of incidents, mean time to remediate (MTTR), frequency of supply chain security assessments, and employee training completion.
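As an added example (not code from the original post), the following Python script shows both practices above in working form: a FAIR-style Monte Carlo simulation that turns a few loss scenarios into annualized loss percentiles for scenario-based breach cost modelling, and a small KPI routine that computes incident count and MTTR from incident records for a board dashboard. The scenario parameters and incident records are constructed for illustration and are not drawn from any real company.

```python
import math
import random
import statistics
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LossScenario:
    """FAIR-style loss scenario: how often a loss event occurs and how large it is.
    events_per_year is a Poisson rate; per-event loss is log-normal with the given
    median and log-space spread (sigma). All figures are illustrative assumptions."""
    name: str
    events_per_year: float
    median_loss: float
    sigma: float


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def expected_annual_loss(scenarios) -> float:
    """Analytic annualized loss expectation: rate * mean of the log-normal."""
    return sum(s.events_per_year * s.median_loss * math.exp(s.sigma ** 2 / 2)
               for s in scenarios)


def simulate_annual_loss(scenarios, years: int = 10_000, seed: int = 1) -> dict:
    """Simulate `years` independent years and return loss distribution statistics.
    The heavy right tail (p99 far above the median) is what a board should see."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        totals.append(total)
    totals.sort()

    def pct(p: float) -> float:
        return totals[min(len(totals) - 1, int(p * len(totals)))]

    return {"mean": statistics.fmean(totals), "p50": pct(0.50),
            "p90": pct(0.90), "p99": pct(0.99), "max": totals[-1]}


def incident_metrics(incidents) -> dict:
    """Board KPIs from incident records: total count, still-open count and MTTR
    (hours from detection to resolution, over closed incidents only)."""
    closed = [i for i in incidents if i["resolved"] is not None]
    hours = [(i["resolved"] - i["detected"]).total_seconds() / 3600 for i in closed]
    return {"incidents": len(incidents), "open": len(incidents) - len(closed),
            "mttr_hours": statistics.fmean(hours) if hours else None}


# Constructed scenarios (assumed values, not real data): a rare large breach and
# frequent small incidents such as phishing-driven account compromise.
SCENARIOS = [
    LossScenario("large data breach", events_per_year=0.3, median_loss=2_000_000, sigma=1.0),
    LossScenario("minor account compromise", events_per_year=2.0, median_loss=50_000, sigma=0.8),
]

# Constructed incident log (assumed values) with one incident still open.
INCIDENTS = [
    {"id": "INC-1", "detected": datetime(2024, 3, 1, 8), "resolved": datetime(2024, 3, 1, 20)},
    {"id": "INC-2", "detected": datetime(2024, 4, 10, 9), "resolved": datetime(2024, 4, 12, 9)},
    {"id": "INC-3", "detected": datetime(2024, 5, 2, 14), "resolved": None},
]

if __name__ == "__main__":
    stats = simulate_annual_loss(SCENARIOS)
    print(f"analytic expected annual loss: {expected_annual_loss(SCENARIOS):,.0f}")
    for k, v in stats.items():
        print(f"{k:>5}: {v:,.0f}")
    print(incident_metrics(INCIDENTS))
```

The simulated mean tracks the analytic expectation, but the p90 and p99 figures are what make the case for a board: they show the tail loss that a single large breach produces, which an average alone hides. Reporting MTTR only over closed incidents avoids understating remediation time while incidents remain open.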
Technology & Operational Controls
Use technology (e.g. zero-trust architecture, AI-assisted detection, SIEM, and threat intelligence platforms) to strengthen protection.
For supply chain security: have thorough vendor risk assessment processes, ask for ISO 27001 certification, and use tools for continuous monitoring.
Culture & Awareness
Embedding cybersecurity into company values through training and phishing simulations is essential to aligning ESG with organizational messaging and culture.
Ensure diversity on cyber teams – this is important to ensure a wider range of perspectives, as diverse teams deliver better risk management outcomes.
Incident Preparation & Disclosure
Maintain and regularly test incident response (IR) plans, back them with cyber insurance, and align incident disclosure with ESG reporting periods.
Commit to publishing incident counts, response actions, and lessons learned, quarterly or annually, to bolster stakeholder confidence.
Innovation & Continuous Improvement
Use AI and threat intelligence to enable Continuous Exposure Management (CEM), embedding real-time resilience across cyber-ESG plans.
Keep iterating on ESG-cyber frameworks as regulations and best practices (e.g. NIS2, DORA) are established and refined.
Be sure to check out more on the topic of Ethical Hacking with ChatGPT: Real Use Cases, which complements the technology and operational controls described above.
Case Examples & Illustrative Investments
Eye Security: In March 2024, Dutch cybersecurity company Eye Security raised €36 million in Series B funding, led by JPMorgan Chase's Growth Equity Partners, with participation from Bessemer Venture Partners and TIN Capital.
Eye Security intends to use the funds to bring enterprise-grade protection against cyber incidents, together with cyber insurance services, to mid-market companies across Europe as they prepare to comply with the EU's NIS2 directive.
Venture Capital Trend: Investors are increasingly interested in funding cybersecurity startups that improve governance metrics.
For example, investors show strategic interest in companies that not only provide strong cybersecurity protection but also exceed today's governance standards, and such companies are incorporating more and more ESG considerations into their offerings.
Business Responsibility and Sustainability Reporting (BRSR): In India, SEBI (the Securities and Exchange Board of India) requires the top 1000 listed companies to include the BRSR in their annual report, covering not only environmental and sustainability policies but also data protection and diversity measures.
Companies such as Tata Consultancy Services (TCS) have folded these disclosures into their broader sustainability narratives.
Challenges & Pitfalls
ESG Inconsistency: ESG rating agencies use different methodologies and assign different ratings, which makes it hard to compare investment opportunities and make informed decisions.
Regulatory Fragmentation: Different cybersecurity regulations across geographic regions (e.g., the EU-NIS2, the UK’s Cyber Security & Resilience Bill, India’s BRSR) pose compliance challenges for international organizations.
Skill Scarcity: There is a growing shortage of skilled cyber security professionals in India, with approximately 40,000 cybersecurity vacancies as of May 2023. This makes it harder for organizations to build a strong cybersecurity function.
To help close the resource gap, pursuing an Ethical Hacking Course in India equips professionals with the skills needed to enhance cybersecurity resilience.
Conclusion
Cybersecurity has moved from a best practice to a must-have and a staple of ESG strategy, especially with regard to financial performance, operational resilience, and the trust placed at risk by cyber exposure.
Investors now actively look for cyber risk governance, board oversight and public transparency as foundations of long-term non-financial value creation. To lead in this arena, organizations need to:
- Establish a Cyber – ESG governance committee
- Adopt robust cyber metrics and assessments
- Invest in contingency countermeasures and incident response frameworks
- Align disclosures to global ESG standards and frameworks.
By integrating cyber into their ESG strategy, organizations reduce risk exposure, strengthen resilience, earn investor trust and open credible paths to sustainable outcomes.