
K-ESG Management: Can Sustainability Be Discussed Without Security?
Recently, companies have been focusing their ESG (Environment, Social, Governance) strategies primarily on environmental (E) factors, such as carbon neutrality, eco-friendly businesses, and renewable energy adoption. Given the importance of climate change response and sustainable management, it is natural for attention to be concentrated in this area. However, the social (S) and governance (G) aspects—particularly security—are often insufficiently addressed in ESG discussions. Despite being a critical component in maintaining corporate trust and achieving sustainable management, cybersecurity continues to be overlooked in ESG strategies.
K-ESG, Focused Only on the Environment (E)?
A review of domestic ESG evaluation criteria and policies reveals a strong emphasis on reducing carbon emissions, expanding renewable energy, and developing eco-friendly products. In contrast, cybersecurity and information protection are not sufficiently highlighted in ESG reports. Many companies still perceive investments in security enhancements as mere IT operational costs rather than integral components of ESG management. This perception leads to the exclusion of cybersecurity from ESG strategies, ultimately resulting in inadequate security risk response systems.
In the social (S) domain of ESG, the primary focus is often on labor rights protection, diversity, and community contributions. However, cybersecurity is a fundamental factor in maintaining corporate social trust. Security incidents such as data breaches and ransomware attacks directly impact consumers and employees. A company’s security management level is directly linked to consumer protection, yet ESG-driven responses to such issues remain insufficient.
The governance (G) aspect of ESG typically evaluates factors such as ethical management, board independence, and internal controls. However, cybersecurity risk management is frequently omitted from key evaluation criteria. While global companies recognize cybersecurity risks as a core governance issue and implement structured security governance frameworks, domestic companies often settle for merely meeting the minimum legal requirements. Many organizations still lack robust security governance structures to prevent insider threats and data breaches.

A Balanced ESG Strategy Requires Security
To address these issues, it is essential to strengthen security-related criteria in ESG evaluations. Domestic ESG evaluation frameworks, such as those established by KCGS, should explicitly incorporate cybersecurity and data protection elements. Financial institutions and public sector organizations should also be encouraged to integrate security evaluation criteria into ESG reporting. Furthermore, companies must actively include security in their ESG strategies.
While global enterprises integrate cybersecurity as a core ESG component, many domestic firms still treat it as a separate issue. Recognizing security investments—such as security infrastructure development, penetration testing, and hiring cybersecurity professionals—as part of ESG strategies is a necessary shift in perception.
From a social responsibility (S) perspective, businesses should place greater emphasis on customer protection. Organizations must recognize that their level of information security directly affects consumer safety and ensure that privacy protection and security incident prevention are included in ESG policies.
In terms of governance (G), companies must enhance their cybersecurity risk management frameworks. Cybersecurity risks should be treated as a critical business risk at the executive level, and measures such as establishing a “Cybersecurity Committee” within the board of directors should be considered to facilitate security discussions.
Currently, domestic ESG policies and corporate ESG strategies remain overly focused on environmental (E) factors, while security, which belongs to the social (S) and governance (G) aspects, is insufficiently addressed. However, cybersecurity is not merely an IT operational issue—it is a crucial element that determines corporate sustainability and social responsibility. For ESG strategies to become more balanced, cybersecurity must be recognized as a core ESG component and managed systematically.