In the book, we argue that organizations that demonstrate good governance are more likely to reduce risks throughout their organizations than those that don’t. Frameworks like ISO 27001 and the NIST Cybersecurity Framework include controls that companies can implement to improve their security posture. Many of the best-run organizations require third parties to complete risk assessments before connecting to their ecosystems and networks.

Yet this is not enough. Cybersecurity defense should be an active process involving detection, response, and solid plans for incident response. It is inevitable that organizations will be attacked, and without a plan, the response will be difficult and costly. Some important activities include conducting security posture assessments, actively monitoring networks and threats, investing in resources to manage and respond to threats, creating an incident response plan and an inventory of digital assets, and implementing education and training programs.

Fortunately, public companies are required to disclose financially material risks as part of their public filings. For example, the Securities and Exchange Commission requires public companies to report certain cybersecurity breaches within four days.

Ultimately, the responsibility for ESG strategy—and data management—belongs to executives. I’ve seen too many executives make the mistake of thinking someone else will deal with the problem later. Later is too late. It’s always a matter of when—not if—your organization will be attacked. Every company should include a cyber risk profile as part of their ESG strategy today.