Environmental, Social & Governance (ESG) criteria are topics of interest for "social responsibility" concerns at the corporate level. ESG is traditionally used to screen potential investments as a way to support and maintain ethical conduct across organizations. However, with the evolving landscape of statutory, regulatory and contractual obligations, the SCF identified two significant points of intersection between the SCF's security and privacy controls and the "social" component of ESG factors: (1) data protection and privacy and (2) human rights.
The social criteria component of ESG takes into account the human factor at the individual level, as well as what occurs within organizations as part of normal business operations. Cybersecurity and privacy intersect with social criteria through the real-world ramifications of access to sensitive data and critical systems. ESG is inextricably intertwined with cybersecurity and privacy practices, since these functions can directly affect individuals, organizations, governments and society as a whole. Therefore, IT/cyber/privacy operations cannot merely “check the box” by providing access or data without understanding the real-world ramifications of complying with a law, regulation or contractual obligation. How an organization responds to potentially hostile compliance requirements will determine its genuine adherence to ESG principles for corporate responsibility, since an active decision to be non-compliant with certain compliance obligations might be the morally correct path for an organization to take.
The addition of five (5) new controls to the SCF’s catalog is intended to identify potentially harmful compliance requirements that have profound, life-changing implications and to elevate those issues away from cybersecurity and privacy practitioners by directing them to the organization’s executive leadership, which must address the moral and legal ramifications of such actions. The implications include, but are not limited to:
- Foreign government espionage
- Intellectual property theft
- Human rights abuses
Those five (5) new controls are spread across four (4) existing SCF domains:
GOV-12: Forced Technology Transfer
Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property) to the host government for purposes of market access or market management practices.
GOV-13: State-Sponsored Espionage
Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.
CPL-06: Government Surveillance
Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
DCH-26: Data Localization
Mechanisms exist to constrain the impact of "digital sovereignty laws" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
PRI-16: Potential Human Rights Abuses
Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.