It’s not just about carbon: The case for treating cybersecurity as a corporate sustainability metric
By Industry Contributor 4 May 2026 | Categories: news
By Richard Ford, Group CTO, Integrity360
ESG discussions in South African boards generally default to carbon, community impact and governance process. While those remain essential, they don’t tell the full story of organisational sustainability. In a modern digital economy, a business that can’t protect its data and recover quickly from cyber disruption has to take a second look at how it defines (and should define) sustainability. That is why cyber maturity, too, is now such an important disclosure within the ‘S’ and the ‘G’ of ESG.
Cybersecurity already maps onto existing reporting structures, including the JSE’s Sustainability Disclosure Guidance, which outlines why sustainability-related risks are tied to enterprise value and to the quality of information available to investors and other stakeholders.
In this way, cyber risk is very much a business continuity, governance and valuation criterion.
Investors are watching
Investors are paying closer attention to whether companies can withstand operational shocks, protect sensitive information and manage digital dependencies responsibly. Global investor sentiment points in the same direction. PwC’s 2025 Global Investor Survey found that 55% of investors and analysts saw cyber risk exposure at investee companies as high or extreme.
Additionally, 88% of investors are calling on executives to increase their capital allocation to cybersecurity.
Then there are the financial consequences of being on the wrong side of the cyber sustainability and resilience equation. IBM’s Cost of a Data Breach Report 2025 put the global average cost of a breach at $4.4 million (in Mzansi-bucks, that’s almost R75 million), while also warning that AI adoption without proper governance increases both exposure and cost.
Even where an organisation can absorb the cost of a breach, the second-order effects of increased regulatory scrutiny, shaky customer confidence, reputational damage and the cost of rebuilding trust can be far more enduring.
Expanding the 'S' and 'G' in the cyber context
While the 'E' in ESG often takes centre stage, a breach is also, fundamentally, a failure of 'Social' and 'Governance' responsibility.
In the Social (S) pillar, a cyberattack is a breach of the social contract between a company and its stakeholders. When customer data is leaked, it causes immediate harm to individual privacy and can lead to financial loss or identity theft for thousands of citizens.
For a company, the "social" cost is the permanent erosion of brand equity and the loss of the de facto "licence to operate" that comes from public trust. In a South African context, where consumer trust is hard-earned, the social impact of a breach can be far more persistent than the immediate financial recovery costs.
From a Governance (G) perspective, cybersecurity is now a test of fiduciary duty. Robust governance requires that a board has clear visibility of digital risks and a demonstrated ability to respond to them.
It isn't enough to have a firewall; governance demands "cyber-integrity" – transparent reporting on how data is handled, who has access to it, and how the company ensures the resilience of its third-party supply chains. If the board cannot explain its cyber-risk posture to shareholders, it is lacking in its governance mandate.
Boardroom responsibility
The King IV Report on Corporate Governance already highlights the board’s role in overseeing technology and information, and the importance of its integration in setting and achieving its strategic objectives. This is taken further by POPIA, which expects responsible parties to notify the Information Regulator and affected data subjects in the event of a cyber breach.
Taken together, this means boards are not only expected to oversee cyber risk internally; they are also increasingly exposed externally through disclosure and accountability.
Cyber to the centre of the ESG story
The organisations responding best are those breaking down the old silos between cyber, compliance, risk and sustainability, with a more rigorous understanding of their own exposure and the resilience of the third parties they depend on. Cyber maturity is part of modern corporate resilience because, more than ever before, it directly influences governance quality, stakeholder confidence and an organisation’s ability to absorb shocks without long-term value destruction.
Over time the conversation will undoubtedly mature as cybersecurity moves from being an appendix of reporting to the front and centre of responsible and sustainable corporate governance and disclosure.
For South African companies, especially those operating in highly regulated or data-intensive sectors, the shift is already well underway since cybersecurity and ESG are tied together as indicators of long-term organisational sustainability and resilience. After all, a company cannot credibly claim to be future-fit, well governed or sustainable if its digital foundations are fragile.