The cybersecurity factor hidden in ESG impacts the investment risk management framework : interview with Marc Riel

The cybersecurity factor hidden in ESG impacts the investment risk management framework : interview with Marc Riel

Over the past years, investments that consider environmental, social and governance (ESG) factors have reached new heights. When we think of good reasons to invest in ESG, we often stop at the environment, while cybersecurity is another component that various experts say should be considered in any investment thesis.

Croesus met with Marc Riel, sustainable investment professional certification (SIPC) graduate from the John Molson School of Business, who offers a fresh perspective on incorporating the cybersecurity factor into investment evaluation.

The World Economic Forum’s latest Global Risks report once again ranks cybersecurity as one of the top five risks facing individual companies and governments. This issue is costing them billions of dollars each year, reaffirming the need for the board level to adopt a proactive approach.

“Institutional investors are now taking security breaches and their long-lasting effects much more seriously. Just like a few decades ago, when they began to pull out of socially and environmentally harmful companies, such as tobacco companies, sin stocks and those with a reputation for being big polluters,” says Riel.

The rise of ESG investments

The rise in ESG investing, which means investments that take into account environmental, social and governance factors, in recent years has been staggering, growing 42% from 2018 to 2020, and raking in over $21 billion in the first quarter of 2021 alone. These results are all the more impressive given that some misguided views, which claim that investments that include ESG factors underperform, have long been dominant in the financial markets.

Investors’ motivations for incorporating ESG criteria into their investment choices are no longer limited to aligning their portfolios with their personal values for environmental, social and governance improvements. Proven research has disproved this view and shown that companies that integrate ESG factors directly into their business model achieve better or equivalent financial results over the long term than those that do not. This is one reason why more and more investors are now demanding that ESG factors be integrated into the companies underlying their investments.

Social and governance factors become increasingly important

The speed and scope at which communication is now transmitted, especially due to the democratization of social media, is forcing companies to increasingly consider social and governance factors.

“These factors are linked, since governance influences a company’s social policies. As problematic corporate actions and decisions are quickly exposed and go viral, governance policies must constantly be adapted to avoid situations that could negatively affect the value of a company and its stakeholders,” Riel says.

He therefore warns that it is far more damaging to be attacked on the side of poor governance than it is to release a defective product, for example.

“Any defect in a product can be corrected, whereas it is difficult to change the reputation of a company that has been labeled as a rogue. Talk to the textile companies that had to spend millions of dollars on advertising to let people know they had stopped exploiting their workers. That’s a good example of where prevention is better than cure,” he says.

“That is why today, investment policies are more tailored to include companies with socially responsible policies (SRI). These investment policies favor companies in the clean renewable energy industry, that are environmentally friendly, treat their people and supply chains with respect and have strong governance policies. These include cybersecurity policies to avoid investing in companies that are risky and reactive rather than preventative,” he adds.

How does cybersecurity fit into ESG?

Cybersecurity has historically been viewed as a technology issue, but it is now seen as part of ESG considerations. Primarily as part of a governance standards framework in terms of operational risk management and the protection of data and personal information, but also social factors in terms of reputational risks and managing communications following a cyberattack.

However, as a major operational risk that can have a significant impact on an entity’s brand, reputation and profile, cybercrime is increasingly worthy of attention.

It is estimated that a serious digital security incident results in an average permanent decline of nearly 2% in a company’s stock price, according to a 2017 study by CGI-Oxford Economics. It is therefore critical for investors that companies recognize cybersecurity risks and demonstrate, through their reporting, that they are taking robust steps to mitigate those risks.

Companies across the market reporting on this topic often fall short of these expectations, making it difficult for investors to draw conclusions about how well companies are positioned to identify, manage and remediate a potential cybersecurity breach.

The growing importance of cyber risk management

Riel believes that there is still a lot to be done and that businesses and governments are not doing enough to protect their staff and their clients, especially since many people are unaware of the dangers, even to themselves. Given the acceleration of digital adoption since the start of the pandemic (i.e. the widespread use of home offices), cybercrime threats are a growing phenomenon across all industries. This is especially true in information technology, consumer discretionary, financial and communication services.

“Today everybody knows a neighbour or a friend who has had their identity stolen or their computer hacked. There are indeed more and more virtual crimes and new types are emerging all the time. In corporate governance, cybersecurity will become increasingly important and there will be a need for dedicated specialists and committees. At the moment, we can’t turn to anyone when a crime is committed, because even law enforcement is not sure how to react”, says Riel.

In this increasingly digital economy, cybersecurity has become a key ESG concern, presenting a huge risk factor to the value of companies across markets and, ultimately, the stability of investment portfolios.

That is why implementing a good security strategy, including audit & risk oversight, is now a major concern for company management, investors around the globe, and players from all walks of life who are increasingly exposed to cyber technology, and therefore, at increased risk for cyber attacks.

How poor ESG decrease the safety of your investments?

Poor ESG management can have a direct impact on the stability of companies, communities and governments. Financial crime alone costs individual companies and governments billions of dollars each year. These diverted funds are then used to further illegal activities. The opportunity cost to society is also significant, as this money could instead be used by legitimate organisations to raise environmental awareness, have a positive social impact and achieve key governance objectives.

“The difference between the risk created by a defective product, for example, and the risk created by cybersecurity breaches is that it is very difficult to estimate how much an attack will cost the company. It’s not only the direct damage of the attack that needs to be considered, but also the risks of rejection from the investment community, the danger of negligence lawsuits and the damage to the company’s reputation and image,” says Riel.

Cybersecurity should therefore be a priority in the ESG strategy of investee companies, who must now be transparent with their investors about potential cyber threats and how they are mitigating these key risks.

In addition to its societal impact, making (ESG)-Oriented Investments is a strategy that investment advisers can use to improve risk-adjusted returns. Companies with good ESG protocols tend to have lower risk profiles. While investors may not yet see the positive correlation between returns and ESG risk rating, ESG information is still useful for understanding and assessing the reputational, legal and regulatory risks of investee companies. It is therefore necessary that ESG information be readily available to all investors.

How technology can help advisors

This is where technology can help investment advisers meet their clients’ needs. Using a portfolio management software, advisers can easily build customized model-based portfolios from reliable and relevant information, including ESG data, gathered in a meaningful way. As a result, they are able to make relevant investment decisions. Throughout the process, they also need technology that reviews compliance and guides them to stay aligned with investment policies and objectives. Another benefit of this type of tool is the ability to effortlessly generate tailored reports to inform investors about the financial and ESG performance of their portfolio.

As investment criteria, including ESG preferences, become increasingly complex, the amount of time required to manually rebalance a portfolio can greatly increase. To ensure optimal rebalancing in a short timeframe and without requiring considerable resources, it is best to use an automated rebalancing tool. To be relevant in today’s environment, this tool must at least allow rebalancing with ESG criteria. Better yet, software that provides a high degree of customization will help portfolio managers to not only incorporate ESG criteria into rebalancing, but also to add criteria specific to each investor. That way, they will be able to avoid industry sectors that have a higher rate of cybersecurity risk.

What is an ESG investment?

ESG investing has evolved from socially responsible investment approaches into a distinct form of responsible investing. While ESG investment decisions once chiefly entailed exclusionary screening and value judgments, it today focuses principally on greater long-term financial performance and a better alignment with one’s values.

Indeed, when analyzing investments, those who value ESG factors take into account both traditional fundamental materiality analysis – identifying stocks offering strong future growth potential at a good price; examining the underlying company’s business; surveying conditions within the industry or in the broader economy – as well as a broader range of non-financial metrics to have a better understanding of the environmental, social and governance risk profile of investee companies.

And just as ESG is an inextricable part of a company’s business model, its individual elements (environmental, social and governance) are interdependent. Indeed, each component can create momentum to fuel the others, build trust, and ultimately deliver sustained financial performance to investors.

What are the types of cyber threats?

Beyond the obvious role of cybersecurity in protecting systems, networks, programs, and data, security experts will tell you that it is also important for institutional investors to evaluate data protection and information security policies as a regular part of their investment strategy to assess a company’s cybersecurity risks.

Some of the key risks types include:


Malware or malicious software includes viruses and ransomware attacks that sabotage an operation’s computers.


Phishing is a fraud in which an attacker pretends to be someone else using an email or other forms of communication.

SQL injection attack

An SQL injection attack is a hacking technique that gives unauthorized access to sensitive data, such as passwords, credit card details, or personal user information, using a web form, form of cookies, and others.

Cross-site scripting (XSS) attack

This is an attack in which malicious scripts are injected into otherwise benign and trusted websites.

Denial of service (DoS) attack

This attack aims to shut down a network, making it inaccessible to its intended users.

Negative comment attacks

These are attacks by trolls that can have a direct impact on financial performance.

What are the impacts of a security breach?

Beyond the initial direct costs associated with cyber attacks and security breaches – regulatory fines, technical investigation, customer breach notification, post-breach customer protection costs, cybersecurity improvements, attorney fees and notification, and public relations costs – there are a range of other potential costs arising from a cyber incident for a company.

These include increased insurance premiums and debt costs, lost contractual revenues, and client relationships. Other adverse impacts, although intangible, can persist for years, including reputational damage, operational disruption and loss of intellectual property or other strategic assets.

Company safety: How to protect against cyber attacks?

Cyber risk is one of the most immediate material concerns facing organizations today. Unfortunately, these attacks have multiplied in recent months, resulting in an ever-increasing number of breaches on critical infrastructure, healthcare, financial networks and other network systems across a range of industries.

To mitigate cyber threats, companies must begin to place cybersecurity at the heart of their environmental, social and corporate governance strategies, employing cybersecurity teams, investing in security policies and adopting a standard framework to measure cyber risk, all in an effort to help organizations and regulators manage these security risks.

Regular inspections, routine data verification and privacy audits should be adopted to ensure that companies continue to meet regulatory standards and adhere to responsible business practices, in addition to uncovering hidden risks. Cybersecurity standards and audits of suppliers should also be implemented to further mitigate potential third-party risks related to employee and customer data, including financial information and operations from the organization’s supply chain and other direct suppliers or service providers.

A great place to start is with the MSCI ACWI IMI Global Cyber Security Index which is a leading global equity index that tracks the performance of a wide range of securities that are intended to represent the entire global stock market. It covers 9,200 stocks, throughout 23 developed and 24 emerging markets. Its aim is to identify companies that could benefit from increased investment in systems, products, and services that provide protection against cyberattacks in a broad range of markets.

To help companies maintain their competitive advantage by complying with the new ESG requirements, Marc Riel urges all decision makers, whether corporate or political, to make (ESG)-oriented investments continuing education. An accreditation such as the SIPC (from Johns Molson School of Business) provides awareness of the devastating effects of human actions on society and our planet.

Another hidden risk in the governance Factor

Hidden forced labour used in the supply chains of companies in developed economies is in direct opposition to responsible business conduct, corporate governance practices and governance standards. This is especially problematic when it comes to ESG, as it directly involves human rights abuses. Indeed, although forced labour is a social issue that is widely believed to have been eradicated in developed countries, a recent study by the International Labour Organization (ILO) indicates that it is very much still prevalent.

Indeed, almost all European countries have reported an increase in incidences of forced labour in recent years. Hidden forced labour has, of course, the potential to cause real reputational damage to stakeholders, including investors, clients, business partners, regulators and employees of companies across markets. Yet, this is nothing compared to the social impact that these social issues have on the forced labourers themselves.


Experience it yourself, see the difference