The Plain English Version
ESG reporting is how organisations disclose their performance on environmental, social, and governance risks to investors, regulators, and other stakeholders. It covers everything from carbon emissions to board diversity to how you protect customer data.
Cybersecurity and data privacy have become a core part of ESG reporting. Investors want to know how you manage cyber risk, whether you have had any breaches, and what frameworks you follow. If you are PE-backed, your sponsor almost certainly wants this data now.
Why Cybersecurity Is Now an ESG Issue
A data breach is not just a technical problem. It affects customers (social), triggers regulatory fines (governance), and can destroy shareholder value. That is why ESG frameworks now include specific cybersecurity disclosure requirements. If you are not reporting on cyber risk, your ESG reporting has a gap.
The Three Cybersecurity ESG Frameworks
GRI 418 - Customer Privacy
The simplest of the three. You disclose the number of substantiated complaints about breaches of customer privacy, split between complaints from outside parties and complaints from regulators, plus the number of identified leaks, thefts, or losses of customer data. If you track incidents properly, you already have this data somewhere.
SASB TC-SI-230a - Data Security
More detailed. You report the total number of data breaches, the percentage of those that involved personally identifiable information (PII), and the number of users affected, plus a description of how you identify and address data security risks, including any third-party security standards you use. Institutional investors tend to focus on this when evaluating technology companies and SaaS providers.
EDCI 2026 - Cybersecurity Metric
The newest framework, specific to private equity. Covers framework alignment (ISO 27001, NIST CSF, SOC 2), certifications held, material incidents, board oversight, cyber insurance, and vulnerability management. If your PE sponsor is part of the ESG Data Convergence Initiative, this is no longer optional.
There is significant overlap between all three, which is why it makes sense to report against them from a single data source rather than creating separate reports.
What Investors Actually Want
- Framework alignment - Which security frameworks do you follow, and how closely are you aligned to each?
- Incident history - Have you had breaches? How many? What was affected?
- Board oversight - Does leadership actively oversee cyber risk?
- Certifications - Do you hold ISO 27001, Cyber Essentials, SOC 2?
- Vulnerability management - How do you find and fix security weaknesses?
- Third party risk - How do you manage supplier security?
How RateYourCyber Makes This Easy
Complete a cybersecurity assessment - with all questions written in business language, not technical jargon - and the platform automatically generates a three-page ESG Cybersecurity Disclosure report covering GRI 418, SASB TC-SI-230a, and EDCI 2026 from one set of answers. No consultants, no spreadsheets, no guesswork.
The report includes your security score, framework alignment percentages across ISO 27001, NIST CSF 2.0, SOC 2 Type II, GDPR, DORA, and NIS2, breach and incident data, vulnerability scan counts, supplier monitoring numbers, and the narrative sections that each framework requires.
As you improve your security posture and re-assess, the numbers update automatically. So rather than a once-a-year scramble, you have a living view of where you stand.
You can download an example ESG Cybersecurity Disclosure report here to see exactly what the output looks like.
Read the full guide: ESG Cybersecurity Reporting: What Investors Actually Want and How to Produce It.