Our modern world runs on data. In the safety and sustainability context, it powers compliance, safety systems, supply chains, investor reporting — and the decisions that leaders make every hour. That’s why cybersecurity has moved from the server room to the boardroom: it’s now foundational to business resilience and sits squarely inside a well-balanced ESG strategy — the G for governance and disclosure, the S for people and trust, and (more than many admit) the E for environmental protection.
The stakes can be existential. Data makes up 90% of corporate intangible asset value, and the average breach costs $4.45 million. Global cyber losses are estimated in the tens of trillions.
But the real shift is this: cyber incidents no longer live only on screens — these now spill into physical safety, public health, environmental protection and societal trust.
Moreover, today, the question isn’t if you’ll face a cyber event — it’s whether your organisation can absorb the hit without cascading damage to people, the planet and your business.
So here’s the key question:
Are cyber crises just another operational risk to manage and insure against — or the defining ESG test of whether a company can protect people, the environment and its reputation when the lights flicker? Join our next live debate on October 23 to hear how experts are answering this question.
Cybersecurity is ESG — and it is material
- Environmental pollution: Remote access to industrial controls or leak-detection can trigger releases and contaminate water or soil. A Florida water plant intrusion altered chemical dosing parameters — an immediate public-health risk.
- Occupational health and safety: A German steel mill cyberattack forced a blast-furnace shutdown, causing physical damage and exposing workers to danger.
- Product and service safety: The FDA recalled 500,000 pacemakers over hacking risks (battery drain, rhythm changes).
- Care delivery and public health: A ransomware incident in Germany shut a hospital’s emergency room — and a patient died when care was diverted.
- Aviation and critical infrastructure: A flawed software update (ironically from cybersecurity vendor CrowdStrike) caused outages across airlines worldwide in 2024 — grounding flights, disrupting supply chains, stranding passengers and ultimately costing an estimated $5.4 billion.
Add in supply chain compromise, data integrity attacks (manipulating emissions or safety datasets) and misinformation that erodes trust — and cybersecurity clearly belongs in ESG materiality assessments.
More to the point, investors, regulators and ratings agencies increasingly treat cybersecurity as financially material and a proxy for organisational durability and resiliency. So, what does “good” look like when it comes to integrating cyber crisis management into ESG? Leaders who move beyond checklists tend to:
- Put board-level ownership on cyber risk, tied to strategy and capital.
- Align to recognised standards (ISO/IEC 27001; NIST) and test them cross-functionally with extensive education and audits.
- Disclose cyber governance and incidents in ESG reporting.
- Track real metrics: speed of detection/response, supplier resilience and recovery of life-safety systems.
Challenge your thinking:
Where should cyber crisis management sit in corporate responsibility: owned by IT/security, or embedded across core operations and ESG so resiliency planning is everyone’s job? Add your voice to The Situation Room.
Defence isn’t enough: Build cyber resiliency like you mean it
Prevention matters: modern controls, 24/7 detection and response technologies, Zero Trust architectures and employee training. But treating cyber incidents as fully preventable in 2025 is as naive as believing you can altogether eliminate extreme weather or workplace safety incidents.
Organisations must approach cyber crisis management from both angles:
- Defence: reduce likelihood and blast radius through tech, process and culture.
- Resilience: assume compromise — plan to respond, recover and contain second-order harms (those that put people and environments at risk).
Of course, many organisations hesitate to tout their investments in resiliency: it can look like conceding defeat. But the reality is that boards, analysts, investors and regulators all recognise the growing inevitability of cyber incidents. They increasingly expect resilience — and reward organisations that demonstrate it. As major attacks stall (or sink) businesses, those with practised cyber crisis management will out-survive peers.
Challenge your thinking:
How should you weigh investment between cyber defence and cyber resiliency — and what evidence would convince your board the balance is right?
Unifying digital and physical crisis management
Too often, organisations treat cyber incidents as a separate universe of risk — with its own playbooks, escalation paths and crisis teams — distinct from how they handle extreme weather, supply chain shocks or workplace safety incidents. But in 2025, when virtually every operation depends on digital systems — and digital disruptions expose people to physical risks — the trajectory of a cyber crisis mirrors other disasters: sudden disruption, cascading impacts, and urgent pressure to restore trust.
That’s why cyber resilience can’t sit in its own silo. Just as mature cyber crisis response programs spread accountability beyond IT, crisis preparedness must become a shared domain. Operations, EHS, clinical leaders, finance, communications and ESG all need clear roles in cyber incident planning, drills and recovery.
The upside of unifying digital and physical crisis management?
- Less redundancy and faster response — by converging communications protocols, escalation thresholds, stakeholder maps, and post-incident learning into a single resiliency manual.
- Designing for failure — with manual overrides, offline procedures, paper fallbacks, segmented networks and tested backup power.
Challenge your thinking:
Who ultimately “owns” cyber resilience — the security team, or the whole business? What would it take to genuinely unify cyber and enterprise crisis management? Share your thoughts in our discussion forum.
When does an IT incident become a cyber crisis?
The toughest call in cyber crisis management is knowing when an IT incident crosses into a true crisis. Many teams hesitate, worried about overreacting. Others escalate every alert. Both extremes erode trust:
- Under-escalation: Lost hours in detection, muddled ownership, public silence that fuels rumors and regulatory ire.
- Over-escalation: Alarm fatigue, leadership distraction and avoidable business disruption.
- The human cost: Security and IT teams endure exhausting post-incident sprints; burnout and attrition rise just when talent is scarcest.
So, where’s the line? An IT incident becomes a cyber crisis when its impact threatens people, the environment, critical business operations, or trust. That’s the pivot point where governance, EHS, operations and comms all need to be in the room.
Here’s what good cyber crisis management looks like:
- Impact-based severity tiers tied to business and safety outcomes, not just technical signals.
- A standing cross-functional crisis cell (IT/security, operations, EHS, legal, comms, ESG, HR) with clear decision rights.
- 15-minute thresholds to classify severity, activate playbooks and notify accountable executives.
- Standards + tooling: alignment with ISO/IEC 27001 (and NIST-aligned controls) and use of enterprise crisis tools (e.g., D4H) to turn chaos into cadence and capture after-action learning.
Challenge your thinking:
Think about the potential crisis-level impacts of a cyber incident in your organisation: When would an IT incident become a crisis — and who has the authority (and confidence) to pull that trigger in real time? Join our next live debate on October 23.
The new frontlines: Beyond “hacking”
Not every cyber threat looks like malware. Increasingly, the real damage comes from mistrust: falsified emissions or safety data, misinformation campaigns about your products, deepfake executives, supplier compromises, or even insiders planting doubt.
You can be fully compliant and still get crushed — by corrupted ESG reports, viral falsehoods, or regulatory crossfire that erodes trust faster than you can correct it.
Challenge your thinking:
Are you only defending networks — or also defending trust? What would “good” look like when the attack is a falsified dataset or a viral rumor, and who in your organisation owns that response?
Cyber responsibility in the Age of AI
Many organisations are only now ramping up their focus and investments in cyber crisis management, recognising this as an essential corporate responsibility. But just as boards, regulators and investors begin treating digital trust as a pillar of ESG, AI is reshaping the threat landscape — and magnifying the cyber preparedness challenge.
AI is already being weaponised in many ways:
- Supercharging phishing by generating compelling, localised messages at speed and scale.
- Generating deepfakes of leaders’ voices and faces to authorise fraudulent transactions or announce false product recalls.
- Scanning for vulnerabilities and auto-generating exploits at machine speed.
- Fabricating ESG data (from emissions reports and safety metrics to supply-chain attestations), eroding trust in disclosures.
These AI-powered threats don’t just target systems — they’re targeting trust, forcing companies to defend their credibility as much as their networks.
Which brings us back to the central provocation:
Are you only defending networks — or also defending trust? What would “good” look like when the attack is a falsified dataset or a viral rumor, and who in your organisation owns that response?
Where your organisation lands on that question may determine not just your resilience in the next crisis, but your credibility in the eyes of stakeholders for years to come.
Join the live debate — Cyber crises: The next test of corporate resilience
Data drives today’s compliance, supply chains, safety, and ESG reporting. But when a cyber crisis hits, the impact extends far beyond IT.
Join experts in cyber and crisis management as they examine when a cyber crisis becomes an ESG or safety issue, how to balance defence with resilience, and what accountability across the enterprise should look like.
Thursday, 23 October at 10:00 AM EDT | 3:00 PM BST | 30 minutes
More about this situation
- Protecting Chemical Infrastructure: Navigating the Cyber-Threat Landscape – The Chemical Engineer
- New Cyber Blueprint to Scale Up the EU Cybersecurity Crisis Management – ENISA
- How do cyberattacks and operations impact civilians? – Cyber Peace Institute
- Significant Cyber Incidents – CSIS
- Cybersecurity – Health & Safety Executive
- Cyber and Climate Threats: Shared Risks, Resilience, and Response Strategies – Stimson Center
News stories we’re following
- Have cyberattacks killed people? – BC Training Bulletin
- Official UK records confirm cyberattacks put NHS patients at risk of clinical harm – The Record
- The Geopolitics of Water: Cyberattacks’ Impact on Water Stress in the U.S. and Beyond – RANE
- Cyber Threats Against Energy Sector Surge as Global Tensions Mount – Resecurity