Should you ensure a company’s cyber maturity before acquiring a stake in its share capital? Many investors still believe it is simply about protecting against cyberattacks. Wrong: cybersecurity also underpins the company’s commercial development and the return on the sums invested in the acquisition.

Is an investor required to assess the quality of cybersecurity in the company whose shares they purchase? The Financial Markets Authority (AMF) states that “There is no regulatory obligation for portfolio management companies to specifically assess the cyber risks of the issuers in which they invest. However, these risks may be part of a broader risk assessment.” It adds that it has “no knowledge of specific regulations in this area apart from Article 18 of the Delegated Regulation AIFM, which generically states: ‘Managers shall exercise a high level of diligence in the selection and ongoing monitoring of investments.’” Nevertheless, some “issuers,” i.e., companies seeking to raise funds, do mention cyber risks in their URD (Universal Registration Document) and/or among their risk factors as part of their market disclosure obligations.

The example of Saint-Gobain, a victim of the NotPetya ransomware in 2017, has clearly demonstrated the massive impact of cyber risks. The company experienced a revenue loss amounting to €250 million, which cut its operating profit by €80 million. Investment funds thus have a real interest in this issue. According to Julien Lopizzo, CEO of Semkel, a company specializing in cyber audits that has worked with about ten funds including PAI Partners, Archimed Group, and Adagia Partners, this issue is no longer marginal: “It is very difficult to know how many funds assess the cybersecurity of companies they intend to invest in, but I estimate that half of them call on entities capable of conducting cybersecurity audits.”

Should a cyber audit be conducted?

For investors arguing that the company they are interested in has no specific reason to attract cybercriminals, Jérôme Lopizzo reminds them that cybercriminals closely monitor their decisions: “If a company attracts significant investments, the chances of extracting money from it are even greater. A company hit by ransomware loses an average of two months of activity and therefore revenue, or more if its clients suffer damages and decide to seek compensation through legal action.”

What can be done? “The investor or acquirer must determine whether cybersecurity is integrated into the company’s governance,” says Anne Doré, founder and CEO of Adhel, an independent cybersecurity consulting and training firm. “At a preliminary stage, it is essential to verify whether the company holds certifications, both general and specific to its industry.”

Before launching an audit, simple checks can provide an initial assessment of a company’s cyber maturity, explains Jérôme Lopizzo: “Is there an Information System Security Policy, a PSSI? Is there a system to protect PCs, Macs, and employees’ phones? Is there an agreement with a phishing training platform, given that phishing is one of the primary infiltration methods used by cybercriminals?”

The presence or absence of a CISO should receive particular attention, notes Arnaud Boudesseul, former Operations Director at the consulting firm Guardea Cyberdéfense. “If no CISO is present, the company’s ability to adopt a genuine cybersecurity approach is reduced. This is a ‘minor warning’, and it is recommended to conduct audits and penetration tests to determine the necessary measures.” If an audit is needed, Raphaël Liotier, lawyer and Director of Digital Criminal Law at Lexing Alain Bensoussan, advises entrusting it to a professional: “The ANSSI has identified and listed providers and assigned them the PASSI certification.”

Not a technological risk but a business risk

Even if no cyberattack occurs, low cyber maturity is also a strategic handicap, Anne Doré emphasizes: “In certain markets, a company unable to demonstrate a sufficient level of cybersecurity will simply be excluded from specific calls for tenders. This jeopardizes its development, or even its sustainability.” Anticipation becomes even more critical with the NIS 2 Directive and the Cyber Resilience Act, which will significantly increase the level of maturity required of many companies (see below: “The challenge of regulatory evolution”).

While investors’ attitudes will likely evolve, there is still progress to be made among business leaders, Anne Doré laments: “Whenever cybersecurity is mentioned, they refer their interlocutor to the IT department or a service provider. They need to understand that cybersecurity is a strategic issue and that cyber risks are business risks. The triggering element may be technological, but the real risks involve, for example, halting their production line, laying off employees, or facing legal risks related to contracts.” If a new massive cyberattack were required to shift priorities, one thing is already certain: many businesses would not survive. According to figures from a Senate report, more than half of small businesses facing such situations go bankrupt within the following year.

The challenge of regulatory evolution

For companies with low cyber maturity, the situation will become even more difficult to manage as regulations tighten, Raphaël Liotier highlights: “With the implementation of NIS 2, these companies will find themselves in an even more challenging situation because the measures to be implemented are numerous and detailed. For example, the technical and methodological requirements annexed to Implementing Regulation No. 2024-26904, targeting a specific category of actors, span nearly fifteen pages.”

Furthermore, there will be costs related to revising contracts to align them with the directive. Companies not covered by NIS 2 should not celebrate prematurely. If one of their clients must comply with the directive, contracts will need to be updated, Raphaël Liotier notes: “Contract renegotiation will need to include new clauses in line with NIS 2 requirements and be accompanied by compliance plans to ensure cybersecurity audits do not result in very negative ratings.”

Another directive will increase the burden. Two measures under the Cyber Resilience Act, which came into effect on December 10, 2024, will impact cybersecurity issues. The first relates to the concept of security by design. “Manufacturers will need to consider cybersecurity from the product’s or service’s design phase,” says Vincent Maret, Partner at KPMG France and Head of the Cybersecurity and Personal Data Protection Division. “The current situation, where manufacturers often neglect cybersecurity to bring a product to market as quickly as possible and address security later, will no longer be viable after December 11, 2027, when all measures under the CRA will be applied. Cybersecurity will need to be integrated from the project’s outset, similar to how personal data is handled under GDPR.”

The second measure under the CRA requires security patches to be provided for five years if vulnerabilities are discovered. “Clients will no longer end up with products lacking cybersecurity and no means to address this issue,” says the KPMG France partner. “Companies and startups will need to incorporate this regulatory requirement into their product monitoring processes.”

Can an investor be held accountable in case of a cyberattack?

Can an investor be held liable if a cyber risk materializes? According to Raphaël Liotier, the lawyer and Director of Digital Criminal Law at Lexing Alain Bensoussan, this scenario cannot be entirely ruled out: “If a company suffers a cyberattack and it is found that it failed to take all measures required by NIS 2 to protect itself, the liability of its management could, under certain circumstances, be engaged. As for the investor, they risk losing a significant portion of the capital invested in this company. For the investor’s liability to be engaged, there would need to be a causal link between the damage incurred and a specific fault attributable to the investor, or at least behavior that was the source of the observed damage.”
