ESG and Cybersecurity Compliance Are Every Employee’s Concern

From the C-Suite to entry-level hires, everyone must train to meet new challenges

Published: Tuesday, November 8, 2022 - 12:02

In late spring 2022, the U.S. Securities and Exchange Commission (SEC) charged an elite investment adviser for “misstatements and omissions” about environmental, social, and governance (ESG) considerations related to its managed mutual funds. This same financial firm has also faced myriad cybersecurity problems during the past 15 years, including a data breach and deficient cybersecurity practices.

It’s not a unique scenario: Companies large and small, public and private, are facing increased challenges in managing the requirements and responsibilities of ESG and cybersecurity. Both fields, besides dominating news headlines and the attention of cutting-edge tech entrepreneurs, demand not just constant attention but also transparency. As various federal agencies have demonstrated, audits and investigations will reveal when quality reviews and compliance certifications aren’t accurate.

Every level, from the C-suite to the entry-level hire, must be trained on ESG and cybersecurity as relevant to their work roles. Furthermore, corporate culture should strive to maintain awareness of the significance of ESG and cybersecurity—two buzzy sectors that cut across all work departments.

ESG refers to three types of factors: environmental (having to do with the natural world), social (pertaining to the lives of humans), and governance (involving countries, jurisdictions, or broad stakeholder groups). The concept evolved from John Elkington’s 1994 “triple bottom line” approach that recognized the importance of the three elements in generating sustainable financial returns in the world of investing. ESG is becoming increasingly significant within the world of finance and beyond, due in large part to pressure from clients and individuals who emphasize a desire for responsible investing.


With increased global attention comes an increased need for regulatory and compliance bodies to help prevent issues like greenwashing—the misrepresentation about how firms have assessed ESG elements in their business practices and investments. In 2021, the SEC organized its ESG task force to identify such misconduct. Firms accused or found guilty of misrepresenting the rigor of their ESG analyses have suffered the consequences: fines, falling share prices, and reputational damage from investors and prospective applicants (largely millennials and Gen Z) who have lost patience with previous generations’ laissez-faire approach to sustainability.

To complicate things even further, there are few clear guidelines about ESG standards in the United States, as legislation is being proposed and adopted in a piecemeal fashion. For example, Maine recently shifted the responsibility of nonrecyclable material disposal onto the producing entity (environmental), California updated garment workers’ wage requirements to hourly from the antiquated piece-rate system (social), and the SEC has proposed new standards related to reporting on “funds’ and advisers’ incorporation of [ESG] factors.”

Cybersecurity, with a bit more history than ESG, has steadily climbed the list of corporate necessities. Making cybersecurity a priority can make for great PR (as Apple’s privacy-centric ad spots show), while any failings can just as quickly wreak brand chaos (Apple’s latest zero-day bugs). Legislation surrounding cybersecurity continues to evolve, just as with ESG; the Federal Trade Commission fights to keep companies honest in its enforcement role related to privacy policies, cybersecurity practices, and the like, just as other federal agencies uphold the sanctity of healthcare and finance data protections.

Still, despite recent state-level amendments that heighten consumer-cybersecurity legislation across the country, and the passage of the Strengthening American Cybersecurity Act of 2022, increased awareness across all sectors is necessary for true compliance. In fact, depending on the type of organization, specific job roles must be created and staffed before the process of cybersecurity compliance can even begin. Government agencies must adhere to relevant National Institute of Standards and Technology (NIST) requirements, which include designating and/or hiring employees for cybersecurity-specific roles; the U.S. Department of Labor has set forth new cybersecurity best-practice requirements for ERISA plan fiduciaries; and the FTC requires every covered financial institution to designate a “qualified individual” to oversee and report on its in-house information security program.

Rising to the challenge

For the rapidly changing worlds of both cybersecurity and ESG, past performance can’t be considered an indicator of future success. Instead, companies must train up existing employees, hire new talent, and bring in external consultants to develop and vet their plans for both regulatory compliance and how to showcase that hard work. New hires and specific employee designations are only one piece of achieving legal compliance (and, of course, great PR).

Thoughtful training and ongoing awareness are key here as well. In cybersecurity, an organization is only as strong as its weakest link; in ESG, employees with multifaceted skill sets (namely, strategic-plan evaluation and the ability to analyze both qualitative and quantitative inputs) will be the ones who drive value in meeting the multifaceted and demanding requirements behind the acronym. The best training and awareness programs not only account for legal obligations but also consider employees’ specific responsibilities and how everyone interacts with cybersecurity and ESG in differing ways.


Dynamic workshops, lecture sessions, and specialized training are solid paths to demonstrating compliance in both cybersecurity and ESG. However, without insight into what every work role handles and how it evolves, leadership can’t tailor training to the actual need. That requires analyzing how newly expanded job descriptions, entirely new roles, and external consultants will shape the way each employee (or at least each type of employee) handles cybersecurity concerns and ESG deliverables.

The in-the-weeds IT employee who handles firewall configuration will not only appreciate all cybersecurity best practices, but will also understand ESG goals so that any new tech being evaluated for implementation will also be reviewed for environmental gains or losses. The human resources manager will not only be thoroughly trained in the “S” of ESG compliance, but will also appreciate how candidate and employee data is secured when personal information is entered into any system. And the sales specialist will be trained in a bird’s-eye view of both the cybersecurity and ESG-centric practices the organization has put in place, so as to sell its forward-looking values to potential clients. This type of analysis will also illustrate to auditors that an organization has thoughtfully and thoroughly prioritized both cybersecurity and ESG.

Both ESG and cybersecurity are broad concepts that encompass a variety of factors across sectors. Furthermore, both represent significant collections of requirements by which companies, and government agencies, will be evaluated. All signs point to the future of the U.S. workforce requiring cybersecurity and ESG overlays on top of most corporate roles. Common drivers, including legislation, international adoption, and social pressure, prove that secure and responsible systems—factoring in both cybersecurity and ESG concerns—are no longer simply nice-to-have elements in the 21st century. Companies that anticipate and prepare for the escalated, essential nature of cybersecurity and ESG will find themselves standing out among a sea of business-as-usual peers.

First published Oct. 4, 2022, on Knowledge at Wharton.


About The Authors

Leeza Garber

Leeza Garber is a consultant and attorney specializing in cybersecurity and privacy law. She is a lecturer in the legal studies and business ethics department at Wharton, where she teaches internet law, privacy, and cybersecurity. She is also an adjunct law professor at Drexel University’s Kline School of Law, focusing on information privacy.

Allison Jegla

Allison Jegla is global director of impact at 100 Women in Finance.