ESG Cybersecurity Reporting: What Investors Actually Want and How to Produce It

5-minute read | Published February 2026

Cyber risk has quietly become an ESG reporting line item. If you are a PE-backed company, you have probably already had the email - your sponsor wants cybersecurity metrics in the next ESG data submission, and they want them in a specific format.

That is because the ESG Data Convergence Initiative (EDCI) introduced a standardised cybersecurity metric this year. We covered why EDCI matters for cybersecurity and ESG previously - but GRI 418 and SASB TC-SI-230a have also been creeping into investor due diligence packs for a while now.

The trouble is that most organisations do not have a clean way to produce this data. Security teams think in controls and vulnerabilities. Investors think in disclosure metrics. Bridging that gap usually means someone spends a week in a spreadsheet trying to work out what goes where.

We built something to fix that.

ESG Cybersecurity Disclosure report from RateYourCyber showing GRI 418, SASB and EDCI framework alignment metrics

The three ESG cybersecurity frameworks worth knowing

GRI 418 - Customer Privacy

The simplest of the three. You need to disclose substantiated privacy complaints (from customers and regulators) and any identified data leaks, thefts, or losses. If you are tracking incidents properly, you already have this data somewhere.

SASB TC-SI-230a - Data Security

More detailed. You report the number of data breaches involving personally identifiable information, what percentage involved PII, how many users were affected, and a narrative description of your security approach. This is the one institutional investors tend to focus on when evaluating technology companies and SaaS providers.

EDCI 2026 - Cybersecurity Metric

The new one. Private equity-specific. Covers framework alignment (ISO 27001, NIST CSF, SOC 2), certifications held, material incidents, board oversight, cyber insurance, and vulnerability management. If your PE sponsor is part of EDCI, this is no longer optional.

The overlap between these three is significant - which is exactly why it makes sense to report against all of them from a single data source.

What does an ESG cybersecurity disclosure actually look like?

We generate a three-page PDF that covers all three frameworks from one assessment. The report includes your security score, framework alignment percentages across ISO 27001, NIST CSF 2.0, SOC 2 Type II, GDPR, DORA, and NIS2, breach and incident data, vulnerability scan counts, supplier monitoring numbers, and the narrative sections that SASB and EDCI require.

You can download an example ESG Cybersecurity Disclosure report here.

How we produce it

You complete our cybersecurity assessment - it covers governance, access control, data protection, incident response, business continuity, network security, third-party risk, and security awareness. Around 20 minutes if you know your environment.

The platform scores you out of 1000, maps your answers to six compliance frameworks, and then extracts the specific data points that GRI 418, SASB TC-SI-230a, and EDCI 2026 require. The output is a formatted PDF you can drop straight into an ESG filing, investor pack, or board report.

As you improve your security posture and re-assess, the numbers update. So rather than a once-a-year scramble, you have a living view of where you stand.

Who is using this

Mostly PE-backed companies that have been asked to report EDCI cybersecurity metrics for the first time and do not want to hire a consultant to do it. Also sustainability teams who need cyber data for their ESG reports but do not speak the technical language, and CISOs who need to present security in terms the board and investors actually understand.

If you are an MSP or cybersecurity consultancy managing this across multiple clients, the multi-tenant setup handles that too.

Try it

The assessment is free. You can generate your first ESG cybersecurity disclosure report in about half an hour.

Start your free assessment.

If you would like to discuss how RateYourCyber can help your organisation with ESG cybersecurity reporting, get in touch.