The essential ESG factors (part 1): DEI and data security and privacy
2022.08.31 Kathy Matsui, Yumiko Murakami, Miwa Seki, and Yuna Sakuma

The original blog post in Japanese was published on August 2, 2022. 

After reading our post on why ESG is important for startups, you may be eager to implement ESG processes within your business operations but unsure where to place your efforts. Prioritization will vary depending on a company’s features, such as its products and services, business model, and geographic location, but there are four factors we believe are the most material issues for technology startups at all stages:

  • DEI (Diversity, Equity, and Inclusion)
  • Data security and privacy
  • Board composition
  • Climate action

In this blog post and the next, we dig further into these four factors, starting with DEI and data security and privacy.

DEI (Diversity, Equity, and Inclusion)

Statistics show the lack of diversity in the technology startup ecosystem. In 2019, 84% of funding went to male-only-founded startups. The number of female-only teams declined in 2020 to 2.3% (also see here), and women still only comprise 25% of tech workers.

Japan is not an exception. According to a report issued by the Financial Services Agency, among the top 50 companies that raised funds in 2019, companies with at least one woman among their founders or presidents accounted for only 2% of the amount raised. Also, only 1% of VC firms have a female representative.

Although these facts are fairly well known within the ecosystem, startups are not taking action to combat them; only a quarter of respondents answered “yes” that their company has programs to increase diverse representation in leadership (“2020 Global Startup Outlook report” from the World Economic Forum).

Significant research on this topic has yielded strong evidence that diverse organizations outperform those that are less so. A comprehensive study by BCG shows that companies with above-average diversity in their management teams deliver 19 percentage points higher innovation revenues than those with below-average diversity (45 percent average innovation revenues vs. 26 percent). 

Another BCG study shows that although startups co-founded or founded by women are underfunded relative to male-founded companies, they actually perform better over time, delivering an average of $730,000 in revenue over a five-year period, a full 10 percent more than their counterparts. And, ultimately, they prove to be the better investment, generating 78 cents for every dollar of funding versus 31 cents for non-woman-founded companies.

Investors’ interest in this important issue is growing as they come to accept that diversity does, in fact, drive corporate value. In addition, as the ESG lens is increasingly applied to VC firms by their current and potential LPs, the diversity of VC portfolios is rising as a key issue. As a result, VCs are increasingly looking for opportunities to invest in diverse founder teams.

That is to say, startups that don’t care about DEI will put themselves at a competitive disadvantage with respect not only to attracting and retaining talent but also to attracting capital.

Data security and privacy

Recently, there has been strong pushback from both governments and individuals about the use and monetization of personal data, and it has created an environment where robust data privacy and security have essentially become a license to operate.

Not seeing sufficient action from companies in addressing repeated data breaches and improper handling of user data, governments have sprung into action to compel better data privacy, security policies, and concrete actions from companies. Examples of regulations that aim to address this issue include the GDPR in the EU, UK GDPR, APPI in Japan, LGPD in Brazil, California Consumer Privacy Act, CDPA in Virginia, CPA in Colorado, NY SHIELD Act, and the longstanding APA in Australia and HIPAA in the US. While some of these date back many years, the majority noted here have only been phased in within the last five years.

As a result of this robust regulatory activity, lax data privacy and security policies and practices now result in lost customers, increased fines, and tarnished reputations for companies of all sizes—eventually leading to lost value and, in the most extreme cases, bankruptcy. Even before businesses face financial penalties from regulators, the cost of cyberattacks (estimated at $200K each on average for businesses) is enough to put a startup’s survival at risk.

Startups are increasingly being asked about their data management policies, not only by investors but particularly by customers, before they invest or sign up for products and services.

Seeking to avoid the social and economic disruptions tech has enabled in the past, regulators, civil society, and other key stakeholders are scrutinizing in more detail emerging technologies such as AI, machine learning, virtual and alternative reality, and crypto innovations. Startups that don’t have robust data security and privacy policies and procedures will therefore face increased risks.

In Part 2 of this blog post, we’ll discuss the remaining ‘essential ESG factors,’ board composition and climate action. 

We thank Trista Bridges for her contributions to this post.