The Fourth Pillar? Making the Case for Cybersecurity in ESG

Global ransomware attacks surged by 45% in 2025, with over 9,200 incidents recorded worldwide – the highest volume on record. This dramatic rise underscores that cybersecurity threats are no longer just IT issues; they are now central to companies’ sustainability and ESG performance. Investors and boards are increasingly treating cyber risks as ESG concerns, recognising that strong cybersecurity can bolster an organisation’s Environmental, Social, and Governance goals, while poor cybersecurity can undermine them.

Cybersecurity Across the ESG Pillars

> Environmental Impact

Cyber-attacks can trigger environmental harm. Hacks on critical infrastructure – such as power grids, pipelines, and water treatment facilities – can lead to real-world environmental damage.

For example, the 2021 attack on Colonial Pipeline disrupted fuel supply across the United States, highlighting how a cyber incident can have environmental and public safety implications.

> Social Impact

Data breaches routinely expose personal data and disrupt essential services. In 2025, healthcare and education sectors remained key targets, with attacks on hospitals leading to cancelled procedures and even patient harm. These incidents erode public trust and raise serious social concerns about privacy, safety, and access to critical services.

> Governance Impact

Good governance now includes cyber-resilience. Regulators and shareholders expect boards to oversee cybersecurity as diligently as any enterprise risk. The U.S. Securities and Exchange Commission (SEC), for instance, now mandates prompt disclosure of significant breaches and stronger reporting on cyber-risk management and board oversight. Companies with robust cyber governance not only avoid regulatory pitfalls but also demonstrate accountability and transparency to investors.

Cybersecurity as a Strategic ESG Lever

Cybersecurity can positively influence ESG performance when treated as a strategic priority.

Firms that invest in strong cyber defences and “cyber hygiene” – including continuous security monitoring, employee training, and incident response planning – build resilience that protects all stakeholders. Extending cybersecurity standards to third-party vendors and supply chains promotes broader ethical practices, aligning with ESG values across the business ecosystem.

Conversely, neglecting cybersecurity can negatively impact ESG outcomes. A major breach can cause financial and reputational damage that undermines governance credibility and social capital. In ESG ratings and investor evaluations, such incidents signal weak risk management. As cyber incidents grow in scale, insurers are tightening coverage and regulators are levying fines, meaning a laissez-faire approach to cybersecurity can directly hit the bottom line and a firm’s sustainability prospects.

Conclusion: Integrating Cybersecurity into ESG

Cybersecurity’s relevance to ESG is clear: it touches every pillar of sustainability, from preventing environmental catastrophes to protecting social values and upholding strong governance. For board members and cybersecurity professionals alike, the takeaway is to bring cyber risk into the heart of ESG planning. This could mean reporting cybersecurity readiness in annual sustainability reports, setting cyber resilience targets alongside climate or diversity targets, and educating leadership on cyber risks as an ESG issue.

“In an era of mounting digital threats and rising stakeholder expectations, companies that weave cybersecurity into their ESG fabric will be better equipped to protect their value, their customers, and their future.”