Value at Risk: The rising financial impacts of ESG
In this series of articles, we explore why environmental, social and governance (ESG) issues are no longer peripheral to financial performance. The old disclaimer - “past performance does not guarantee future returns” - could not be more relevant today.
One of ESG’s challenges is that its benefits can be hard to define and tend to materialise over a longer timeframe. Few of the significant financial benefits align with typical strategy cycles of 3 to 5 years, which makes it harder for executives and boards to prioritise investment in ESG; as a result, ESG is pushed down the agenda unless regulation forces action.
We are entering a phase where ESG factors are materialising as financial risks in the near-term, outside the bounds of regulation. Emerging threats such as physical climate risk, cyber incidents, and the disruptive evolution of generative AI are moving faster than traditional metrics can capture.
AI's impact on businesses today is unclear and complex, but one thing is certain: the scale and speed of the AI revolution are unprecedented. AI is expected to advance at least 2 to 4 times faster than the internet; and compared to the 80 years it took for the industrial revolution… Take fraud risk as an example: Forbes reported that deepfake fraud attempts surged globally to 6.5% in 2024, up from just 0.01% in 2022.
Climate risks are escalating and complex too. 2025 is a likely contender for the hottest year on record, and 2024 saw unprecedented insurance payouts for storm and flood damage in the UK.
Against this backdrop, it is imperative that investors and boards take a forward-looking approach, assessing resilience to ESG factors that could become financially material in the very near future.
This three-part series focuses on evolving ESG factors and their impact on investment fundamentals, starting with Governance and, within it, Cyber Security.
Each article will explore why these issues are financially material, what Addidat’s data tells us about the maturity of UK small caps, and what investors and boards can do to ensure we’re building a resilient UK small cap market for the long-term.
Cyber Risk and the AI gap | Past resilience doesn’t mean future protection
The cost of a cyberattack is no longer an abstract line item. Whilst it is the high-profile companies that reach the headlines (M&S, Co-op, Heathrow and ARUP, to name a recent few), the UK Government’s Cyber Security Breaches Survey 2025 found that 67% of businesses with 50 to 249 employees and 74% of those with 250 or more employees experienced at least one cyber attack or breach in the previous 12 months. Most of these attacks could have been prevented.
AI lowers the bar for attackers: vulnerabilities can be found and exploited more quickly, and attacks such as phishing and impersonation are becoming more convincing and harder to detect.
For small- and mid-cap companies, where margins are narrower, the impact can be existential: business interruption, regulatory fines, and eroded customer and investor trust.
Yet, Addidat’s analysis shows that a large proportion of UK small-cap firms still make no meaningful disclosures about how they manage cyber and information security risks.
Investors and boards should ask: if companies are silent on such a clear financial exposure, what does that mean for resilience, valuation, and capital allocation?
Financial Materiality of Cyber Risk
Cyber is not a pure technology problem. It is a board-level risk with direct impact on P&L and enterprise value.
Operational disruption can lead to unplanned downtime that stalls revenue and damages client contracts.
Regulatory fines can be significant: if a cyber attack results in a personal data breach, UK GDPR fines can reach £17.5m or 4% of annual global turnover, whichever is higher.
Reputational erosion impacts market cap and revenue over multiple years. Trust lost with customers, suppliers, and investors is slow to rebuild.
Legal costs arising from failed contracts and data breaches can mount up.
Following M&S’s recent cyber attack, 10% was wiped off its market value, online services were down for 4 months, c. £300m of operating profit was lost, and it is facing a class-action lawsuit.
IBM’s 2025 Cost of a Data Breach report places the average cost of a UK breach at £3.4m, and Howden Insurance reported in 2024 that cyber attacks cost UK companies an average of 1.9% of revenue.
UK small-cap businesses need to get organised around this topic
The Addidat Platform highlights a persistent disclosure gap in the UK small-cap market:
Fewer than 30% of companies reference the existence of cyber policies
Only 1 in 5 disclose alignment to recognised standards such as ISO 27001 or Cyber Essentials
Only 35% reference the existence of staff training or attestation, even though staff are the biggest vulnerability in cyber security
Nearly 40% make no meaningful cyber resilience disclosures at all
This lack of transparency leaves investors unable to assess risk exposure and companies unable to demonstrate resilience. For small-caps, proportionate but credible disclosure can be a differentiator.
The benefits of getting it right
While much focus is rightly placed on avoiding loss, cyber resilience can be a growth enabler.
Customers and supply chain partners increasingly demand assurance before awarding contracts.
Building cyber resilience into your operations can be a clear commitment to customers.
Companies that can evidence strong cyber governance are more attractive to investors and can reduce the cost of capital.
Regulators view robust disclosure as a marker of maturity, reducing scrutiny.
Cyber resilience can be a competitive advantage: whilst M&S was struggling to recover, Next’s sales increased by 10.5% in Q2, significantly outperforming expectations.
What should investors and companies do?
Investors, whether as part of investment due diligence or as part of an engagement strategy with investees, should consider the following:
What is the potential financial impact of a cyber attack? Could customer services be disrupted, or sensitive information leaked?
What evidence exists that a company recognises, manages, and tests cyber resilience?
How transparent is the company about incidents, near misses, or remediation actions?
Is cyber treated as a board issue, with clear accountability and independent assurance?
Executives should build a solid understanding of the potential financial impacts and ensure controls are appropriately and sufficiently funded:
Is cyber being treated as a financial risk and not an IT issue? It’s a case of “when” not “if” a cyber incident will happen.
Do you understand the business’s risk profile sufficiently? Where are the biggest vulnerabilities, what is the impact on the business, and what are the associated financial impacts?
Is the control framework sufficient? What’s the investment plan and budget allocation to ensure it remains sufficient?
Are you appropriately evidencing resilience to stakeholders by disclosing governance and controls, and by evidencing performance and continued funding?
Non-executive board members must ensure that cyber has an appropriate risk profile and gets the required board time:
Who owns cyber and information security risk at board level? Are you provided with appropriate information, and how often is it discussed?
What independent testing or certification (e.g., ISO 27001, penetration testing) has been obtained, and when was it last refreshed?
How frequently are business continuity and crisis response plans tested, and what lessons were learned?
How is the company ensuring it stays current with emerging threats, including AI-driven deepfakes, social engineering and supply chain vulnerabilities, and with AI-driven controls?
Past performance is no guarantee of future protection. As cyber threats rapidly evolve, the companies that survive and thrive will be those that demonstrate resilience in both practice and disclosure. For investors, that means demanding transparency; for boards, it means embedding cyber security into governance. The right data helps both sides focus on what matters most.
The Addidat Platform provides both companies and their investors with market leading ESG insights across the whole UK small cap market, building resilience into businesses for the long-term.
Sources
https://www.ibm.com/reports/data-breach