You may not hear it said or written often, but cybersecurity is a critical component of the Governance pillar in Environmental, Social and Governance (ESG) frameworks, anchoring resilience, trust and accountability in organisations and urban ecosystems. Governance within ESG focuses on robust risk management, ethical leadership and transparency, which are all deeply intertwined with cybersecurity. A single cyber incident can disrupt operations, shatter stakeholder confidence and cause significant reputational and financial damage. Recent events in the UK retail sector tell us that cybersecurity should be positioned as a non-negotiable governance priority. For organisations managing extensive portfolios or campuses, and for cities navigating interconnected digital infrastructures, integrating cybersecurity into governance is both a strategic imperative and a multifaceted challenge that demands systemic and proactive solutions.
Organisations overseeing large portfolios or campuses, such as universities or corporate estates, face heightened cybersecurity risks due to the scale and diversity of their digital assets. Often, these entities manage interconnected IT and operational technology systems, from IoT devices to building management platforms. To mitigate risks, centralised cybersecurity frameworks aligned with ESG governance principles are adopted and monitored via governance, risk and compliance platforms, with regular audits and board-level oversight ensuring cybersecurity remains a priority alongside other ESG metrics. However, when ownership is fragmented, with different departments, landlords and tenants operating their own systems, gaps are often created and vulnerabilities result. Standardised protocols and cross-entity collaboration are critical to maintaining a cohesive defence, ensuring that cybersecurity is as rigorous as financial or environmental oversight.
This need for integration extends to the design of physical and digital infrastructure, where digital safety should mirror the proactive approach of health and safety. Just as buildings are designed with fire exits and structural safeguards, smart infrastructure should incorporate secure-by-design principles from the outset. Only by working alongside architects and engineers can cybersecurity personnel protect buildings, campuses and cities. Governance frameworks must play a key role here, mandating standards and incorporating cybersecurity readiness into ESG reporting, ensuring organisations are evaluated not just on financial or environmental performance, but on their digital resilience.
Effective governance also requires robust mechanisms for raising and monitoring cyber risks, with findings escalated to board-level ESG committees. Security operations centres and real-time dashboards track vulnerabilities, incidents and compliance to quantify risks within broader ESG registers. Regular training and cyber exercising enhance preparedness, whilst third-party audits reinforce accountability. The dynamic nature of cyber threats, from supply chain attacks to ransomware, demands continuous adaptation. Governance structures must evolve to stay ahead of emerging risks, ensuring organisations remain cyber resilient in an ever-evolving threat landscape.
At a city scale, the challenges and complexity multiply as interconnected infrastructure and dispersed ownership complicate cybersecurity governance. While singular buildings may have clear protocols, city-wide systems such as transport networks, utilities or public Wi-Fi require multi-stakeholder co-ordination. If London were to face a multi-faceted cyber-attack targeting non-critical national infrastructure (CNI), such as commercial buildings, what would happen? The National Cyber Security Centre (NCSC) would undoubtedly offer guidance, but no single authority would take charge, leading to a fragmented response from private sector security teams, local authorities and law enforcement. This lack of a unified framework highlights a critical governance gap in urban cybersecurity. Public-private partnerships such as London’s Smart City initiatives seek to address this through data sharing and joint exercises, but ownership disputes and varying cybersecurity maturity levels persist. By incentivising city-wide standards and integrating resilience metrics into urban planning, ESG-focused governance can bridge this gap, fostering collaboration that strengthens cities against digital threats and ensures they thrive in an interconnected world.