Cybersecurity is a material ESG issue – here is how to make the case

The disclosure question that is now unavoidable

Sustainability and ESG reporting frameworks have, for the most part, treated cybersecurity as an afterthought – a footnote in the governance section, a disclosure obligation in technology-sector-specific standards, but rarely a first-order materiality concern in the way that climate, labour practices or board diversity are. That is changing fast, and ESG professionals who have not yet built cybersecurity into their materiality assessment and disclosure practice are increasingly exposed by that gap.

The reasons are not difficult to understand. Cyber incidents are now among the most commonly reported material events in corporate risk disclosures. The financial consequences of significant breaches – regulatory fines, operational disruption, litigation costs, reputational damage and loss of customer trust – can be substantial and rapid. The human consequences – exposure of personal data, disruption of essential services, harm to vulnerable populations – are genuine social impacts. And the governance failures that typically precede major cyber incidents – inadequate oversight, unclear accountability, insufficient investment, poor third-party management – are precisely the kinds of governance failures that ESG frameworks are designed to surface and address.

What materiality means in this context

Materiality, in ESG terms, refers to the significance of an issue relative to its potential impact on the organisation and its stakeholders. Different frameworks apply different tests. The GRI Standards apply an impact materiality test: does the issue represent one of the organisation's most significant actual or potential impacts on the economy, the environment and people, such that omitting it would leave stakeholders unable to assess the organisation's sustainability performance? The ISSB standards and the TCFD recommendations apply a financial materiality test: could this issue reasonably be expected to affect the organisation's financial position, performance or prospects? The EU's ESRS apply a double materiality test that combines both.

Cybersecurity passes all of these materiality tests for a broad range of organisations. From a financial materiality perspective, the potential for a major cyber incident to cause material financial harm is well established and increasingly quantified in risk disclosures. From a stakeholder materiality perspective, customers, employees, investors and regulators all have a direct interest in how organisations manage cyber risk. And from a double materiality perspective, cyber incidents both affect and are affected by the organisation's broader social and environmental impacts – the loss of environmental monitoring data, the exposure of employee or customer personal information, the disruption of services on which communities depend.

Cybersecurity is not a niche technical issue. It is a business risk with financial, social and governance dimensions that map directly onto the materiality criteria of every major ESG reporting framework.

What NIST CSF 2.0 offers for disclosure

For ESG professionals building the case for cybersecurity materiality – or developing the disclosure content once materiality is established – NIST CSF 2.0 provides both a practical assessment tool and a disclosure structure.

As an assessment tool, the six CSF 2.0 functions – Govern, Identify, Protect, Detect, Respond, Recover – provide a complete map of the cybersecurity risk management activities that an organisation should be conducting. An ESG professional can use this map to assess current practice against expectations: does the organisation have the governance structures the Govern function requires? Does it have a current and comprehensive asset and risk inventory as the Identify function requires? Does it have tested incident response procedures as the Respond function requires? The gaps between current practice and CSF 2.0 expectations are the disclosure-relevant risks.

As a disclosure structure, CSF 2.0's outcomes and categories provide a framework for organising narrative disclosure about cybersecurity governance and risk management. Rather than writing a generic paragraph about how seriously the organisation takes cybersecurity, ESG professionals can structure disclosure around specific CSF-aligned outcomes: what governance processes are in place, how supply chain risks are managed, what the incident response capability looks like and how the organisation monitors and improves its cybersecurity posture over time.

The regulatory backdrop

The regulatory environment is increasingly reinforcing the materiality of cybersecurity for disclosure purposes. The US SEC's cybersecurity disclosure rules, adopted in July 2023 and effective for most registrants from December 2023 (smaller reporting companies were given until June 2024 for incident reporting), require listed companies to disclose a cybersecurity incident on Form 8-K within four business days of determining that it is material – the clock starts at the materiality determination, not at discovery of the incident – and to include annual disclosures on cybersecurity risk management, strategy and governance. The EU's NIS2 Directive, which member states were required to transpose into national law by 17 October 2024, imposes significant obligations on essential and important entities across a broad range of sectors and includes staged reporting of significant incidents: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month.

Beyond sector-specific regulation, the ESRS – the sustainability reporting standards that apply to large EU companies under the Corporate Sustainability Reporting Directive – include governance disclosure requirements that encompass cybersecurity risk management for organisations where it is material. The GRI Universal Standards revision process has flagged technology governance, including cybersecurity, as an area of increasing relevance to stakeholder reporting.

For ESG professionals managing disclosure obligations across multiple frameworks, NIST CSF 2.0 provides a way to develop the underlying governance and risk management content once and use it across multiple disclosure outputs. The framework is sufficiently recognised and respected that referencing it in disclosure documentation adds credibility and specificity to what can otherwise be generic narrative.

Integrating cyber into your materiality assessment

The practical starting point for ESG professionals is to include cybersecurity explicitly in the next materiality assessment process. This means engaging with IT security, risk management and compliance functions to understand the current risk profile and risk management posture. It means assessing the financial exposure from potential incidents – using publicly available incident cost data as a reference point where internal estimates are not available. And it means surveying stakeholder expectations on cybersecurity governance, which are increasingly articulated in investor questionnaires, customer due diligence requests and regulatory guidance.

Once cybersecurity is established as material, the NIST CSF 2.0 Govern function provides the governance framework for ensuring that the organisational response to that materiality is proportionate – with clear accountability, documented policy, defined risk appetite and a credible oversight process that can be reported on with confidence.

The organisations that make this connection now – between cybersecurity materiality and ESG governance rigour – will be better prepared for the disclosure landscape ahead than those that continue to treat cyber as someone else's problem.

Key takeaway: Cybersecurity passes the materiality test under every major ESG framework. NIST CSF 2.0 provides both the assessment tool and the disclosure structure to integrate it into ESG reporting with credibility and specificity.
