What place should cybersecurity have in annual reports?

Cybersecurity for private companies

According to the Commercial Code, every commercial enterprise—regardless of its size and type—is required to draw up an annual report that describes its business, its financial situation, and the risks it faces. This description of the risks shall include the means and procedures adopted to respond to them.

This is the angle from which cyber protection issues are addressed. According to the Cybersecurity Index survey, carried out by the firm Wavestone, the majority of CAC 40 companies classify it as an operational risk, i.e. resulting from an external event and inadequate internal processes. More and more companies are also presenting cybersecurity as a legal risk. This risk arises when the company, one of its subsidiaries, or its subcontractors does not comply—knowingly or unknowingly—with regulations.

Consideration of cybersecurity is reflected in the attitude of the executive committee. For 2019, 60% of CAC 40 companies indicated how the members of this committee were mobilised: 45% announced that they had a « body » working with the managers, and 12.5% had designated a committee member to deal with cybersecurity within the group. And 93% of the security reports of French companies mention « concrete » measures to secure the network architecture and strengthen access control. Employee awareness and training methods are also presented in 85% of the reports from large groups. In addition to indicating the methods used (e-learning, presentation or management exercise), some mention both the awareness rate and the measures concerning suppliers.

However, the Cybersecurity Index survey only covers information that has been made public. According to the authors, the work actually done may be greater than that mentioned in the annual reports. A company’s objective is to make a profit; the annual report presents the strategy and the means chosen to achieve this goal. Cybersecurity issues are discussed in terms of the risk they pose to profitability. Many organisations are still reluctant to report having been victims of cyberattacks. Only the reports to the CNIL—which are mandatory in the event of a breach of personal data—provide information on this phenomenon.

Cybersecurity in public services

Cybersecurity measures are even more discreet within public authorities. Toulouse Métropole was the victim of two computer attacks in 2020. Since then, its teams have carried out a major review of its network and cybersecurity training actions in collaboration with Orange Cyberdefense. The quality of the work accomplished has been promoted on the Cybermalveillance.fr website[1]. However, the term ‘cybersecurity’ appears only twice in the institution’s annual report this year (its services are working on a guide to cyber crisis management).

This discretion sometimes covers up a lack of knowledge of the means. A study carried out in November 2021 by the SMACL mutual insurance company showed that 27% of elected representatives had not taken any measures—either organisational or technical—against cyber risks and that 19% of them did not know where to turn in the event of an attack.

Nevertheless, there is one sector where accountability is mandatory: health care. Article L. 111-8-2 of the Public Health Code stipulates that healthcare establishments must—without exception—report any acts of cyber malice of which they are victims. These reports are used to inform the ‘Agence Numérique de Santé’ (Digital Health Agency), which publishes an annual observatory of reports regarding information system security incidents in the health sector.

Important obligations

Nevertheless, companies and institutions have a role to play in cybersecurity. The annual reports do not mention the status of the Operators of Essential Services (OESs). This status was created in 2018 when the 2016 European Network and Information System Security Directive was transposed into French law to define the organisations without which both the economy and society could no longer function. OESs belong to the following sectors: energy; transport and logistics; banking and financial services; water; and digital infrastructure (internet exchange points, system service providers, and domain name registries). Public bodies specialising in healthcare and education are also affected. The OESs are obliged to align their information system with the technical standards presented by ANSSI, to report to the latter any incident that could threaten the conduct of their activities, and to submit to regular audits by the authorities.

Securing the networks of OESs is completed by the cybersecurity component of the France Relance investment plan. Endowed with 136 million euros, this latter provides for the establishment of a network of Computer Security Incident Response Teams (CSIRTs) responsible for supporting SMEs, ETIs, municipalities, and EPCIs (public bodies for inter-municipal cooperation). In February 2022, ANSSI joined forces with seven French regions to start a four-month incubation programme for these CSIRTs. Great discretion surrounds all this. The list of OESs is kept secret and the communication modalities will vary according to the nature and criticality of the institutions concerned.

Towards new methods of communication?

What means should be used to describe the digital security measures applied? More generally, how can stakeholders—suppliers, partners, customers, and users—be reassured that cyber risks are under control? First of all, compliance with cybersecurity standards. The most widely used are ISO 21827, 27001 and 29190.

Then there is the regulation of a specific transaction, such as the 2015 European Payment Services Directive (PSD2). It describes the means of securing payment processes on the Internet and regulating the use of data collected by the providers of this service.

The set of supranational regulations explicitly targeting organisations in an industry is another standard. Two examples of this are the 2020 European regulation on the digital operational resilience of the financial sector (which establishes strict guidelines for organisations in the financial sector and will be implemented in 2024) and the UNECE WP29 regulation (which makes the use of a cybersecurity management system for the production of new vehicles mandatory from July 2022).

A fourth means is the rating[2] recommended by the CNIL in its data protection maturity self-assessment model of September 2021. All topics relating to the GDPR (including digital security) are subject to an assessment enabling managers to know the maturity of the company concerned. The law of 3 March 2022 for the « cybersecurity certification of digital platforms intended for the general public »—adopted by the French Senate in second reading on 24 February 2022 for implementation from October 2023—follows this logic. It aims to improve the cybersecurity information made available to French consumers. This obligation applies specifically to digital platforms, which will have to indicate the quality of their protection system in the form of a « CyberScore ». Similar to the NutriScore, it summarises the result of a check on data and network security on the one hand and on the location of personal data on the other. This check will consist of a self-assessment followed by an inspection by teams from the DGCCRF and ANSSI. The CyberScore concerns companies offering « an online public communication service », i.e. large digital platforms, instant messaging, and videoconferencing services. But the CyberScore raises questions. What thresholds will define the companies that are subject to this obligation? In what form will it be displayed to Internet users and how long will it be valid? Is there not a risk of creating a false sense of security among users?

The CyberScore underlines the importance of digital security audit organisations. More than a check, audits certify that protection systems are complete and effective. In terms of cybersecurity, ANSSI’s PASSI qualification allows for audits to be carried out on six specific subjects: architecture audit, configuration audit, source code audit, organisation audit, industrial systems audit, and intrusion tests). According to Wavestone, 58% of CAC 40 companies have announced that they have conducted audits in 2019 and 10% say they have their own department for this task.

Will inspections of cyber defence policies by external observers become more widespread? This would confirm the ability of organisations to defend themselves against increasingly frequent and costly cyberattacks. In any case, organisations should indicate how they protect themselves and, above all, how they contribute to protecting society. Cybersecurity, a new form of CSR?