The ESG Mirage: How Corporate Sustainability Ratings Can Mask Systemic Cyber Risk

The ESG (Environmental, Social, and Governance) framework was designed to give investors a holistic view of corporate responsibility, extending beyond financial metrics to include a company's impact on the world and its internal governance structures. However, a critical blind spot has emerged: cybersecurity. While ESG reports increasingly tout sustainability initiatives—from smart logistics to carbon neutrality—they often gloss over or completely omit the cyber resilience that underpins these very operations. This creates what we call the 'ESG Mirage,' where a high sustainability score can mask significant systemic cyber risk.

Recent events highlight this disconnect. The release of J&T Express's 2025 ESG Report, for example, focuses heavily on its 'smart logistics' transformation and social responsibility programs. While these are commendable efforts, the report, as is typical in the industry, provides little to no detail on the cybersecurity architecture protecting the vast digital supply chain and data flows that enable its operations. A logistics company handling millions of parcels daily, with a digital backbone connecting warehouses, delivery personnel, and customers, is a prime target for ransomware, data breaches, and supply chain attacks. A glowing ESG score that does not account for the maturity of its security operations center (SOC) or its incident response plan presents a dangerously incomplete picture.

Similarly, the push for 'Smart City' models, such as the Din Daeng Smart City initiative in Bangkok, illustrates the same problem on a municipal scale. These projects promise efficiency, sustainability, and improved quality of life through integrated digital systems. Yet, the public discourse, as seen in promotional materials, focuses on the benefits without adequately addressing the expanded attack surface. A smart city is a massive Internet of Things (IoT) network, managing everything from traffic lights and power grids to public Wi-Fi and surveillance systems. Without a robust, publicly verifiable cybersecurity framework, a smart city is a cyber vulnerability waiting to be exploited. The ESG metrics used to evaluate such projects rarely, if ever, include a rigorous assessment of cyber resilience.

This systemic issue has profound implications for the cybersecurity community. First, it creates a false sense of security for investors. Capital is being allocated based on incomplete data, potentially rewarding companies with weak cyber defenses. Second, it pressures companies to prioritize the appearance of sustainability over substance. Resources may be diverted to ESG reporting and green initiatives while critical security infrastructure remains underfunded. Third, it leaves critical infrastructure—like smart cities and logistics hubs—exposed. A successful cyberattack on a 'highly-rated ESG' company could cause cascading failures, disrupting supply chains, compromising personal data, and eroding public trust.

To close this gap, the cybersecurity industry must advocate for a new standard. ESG rating agencies should be pressured to include cybersecurity maturity as a core governance metric. Such a metric would evaluate a company's adherence to frameworks like the NIST Cybersecurity Framework, its track record of vulnerability disclosure, the existence of a dedicated CISO, and the results of independent penetration testing. Furthermore, companies must be transparent about their cyber risks in their ESG disclosures, moving beyond boilerplate language to provide specific, actionable data.

The 'ESG Mirage' is not just a reporting failure; it is a governance failure. As we build more connected, data-driven enterprises and cities, the security of these systems is not a separate technical issue but a fundamental component of sustainable and responsible governance. Until cybersecurity is treated as a core pillar of the 'G' in ESG, investors, regulators, and the public will remain vulnerable to a hidden world of systemic risk.

Original sources

NewsSearcher

This article was generated by our NewsSearcher AI system, analyzing information from multiple reliable sources.

J&T Express Releases 2025 ESG Report: From Smart Logistics to Social Responsibility, Writing a New Chapter in Sustainability

The Manila Times

Nikorn pushes Din Daeng Smart City model

Bangkok Post

⚠️ Sources used as reference. CSRaid is not responsible for external site content.

This article was written with AI assistance and reviewed by our editorial team.
