In early 2005, the then United Nations Secretary-General Kofi Annan invited a group of the world’s largest institutional investors to join a process to develop the Principles for Responsible Investment. The Principles were launched in April 2006 at the New York Stock Exchange.By January 2016, the Principles for Responsible Investment (PRI) and the United Nations Environment Programme Finance Initiative (UNEP FI) set out to clarify investors’ obligations and duties in relation to the integration of environmental, social and governance (ESG) issues in investment practice and decision-making. They defined a set of principles that helped better align investors with broader objectives of society. In 2017, PRI guidelines now state that ESG investment principles have become a fiduciary duty for asset managers and qualified investors in public finance markets. Impact on Venture Backed Start-Ups For venture backed start-ups, ESG investment principles are manifesting themselves in the due diligence phase for funding rounds. Request for GDPR adherence and SOC-2 attestations by investors are becoming more common place as security governance standards for SaaS companies to do business in the modern economy and are identified as significant business risk issues. Failure to have a proper InfoSec plan in place, attested to by a recognized third-party authority, could put your next funding round or M&A event at risk. by venture investors for their portfolio companies. Where does Cybersecurity come in?
Cybersecurity is increasingly being viewed not as just an IT risk, but is rather a business risk that requires an integrated approach to policy and controls and that engages all key stakeholders across the enterprise. In addition, Limited Partnerships - the fund managers behind venture capital who are also signatories to the PRI - have a fiduciary duty that requires them to document how their venture investor partners scrutinize portfolio companies on the status of ESG policy and how implementation of ESG is mapped to business risk.
Where ESG converges with cybersecurity and governance is in two key areas of an investor’s risk assessment of any enterprise:\
In the Social (the “S”) aspect of ESG based responsible investing, a company’s cybersecurity strategy and its controls implementation must be documented and available to investors. The Security and Compliance policy must explain how they identify and manage their data vulnerabilities and then describes their action plan in detecting and responding to data breaches and recovering compromised data.
For the Governance (the “G”) aspect of ESG based investing, enterprises are expected to focus on an organization’s governance and risk oversight boards and how they identify the principal people responsible for the implementation of remedial actions and to how executives and board members are engaged in the oversight of this process.Cyber Security Considerations for Enterprises While there are many cyber threats to the enterprise, it is instructive to look at a non-vendor threat report to focus ESG policy development efforts to address key issues. In 2018, The European Union Agency for Network and Information Security (ENISA) identified notable cyber threats in its 2018 threat landscape report. These include:
In conclusion, no investor wants to invest in a company that does not take cybersecurity and governance seriously. With government regulators stepping up oversight protocols and Limited Partners facing a fiduciary duty of responsible investing, the burden falls on the enterprise executive team to implement a robust ESG-principled cybersecurity program.