How important is cyber-security to an investor?
Introduction
Cyber security is increasingly critical to investors as it directly impacts a company’s operational resilience, regulatory compliance, and reputation—key factors that influence financial performance and valuation. In today’s digitized economy, a single data breach can result in significant financial loss, legal liabilities, customer attrition, and long-term brand damage.
Investors are acutely aware that inadequate cyber risk management can compromise intellectual property, disrupt supply chains, and trigger regulatory fines, all of which erode shareholder value. As a result, robust cyber security is now seen not just as an IT function, but as a core governance and risk consideration in investment decisions—particularly for ESG-conscious investors seeking sustainable, future-proof assets.
During due diligence, investors view cybersecurity as a critical area of risk and value protection, especially in sectors reliant on data, digital infrastructure, or regulatory compliance. Here’s a structured outline of how they assess it:
1. Cybersecurity Governance
- Board oversight: Is there board-level awareness and responsibility for cybersecurity?
- Policies and frameworks: Are there formal policies in place (e.g., based on NIST, ISO 27001)?
- CISO/leadership: Does the company have a Chief Information Security Officer (CISO) or equivalent?
2. Risk Management and Threat Posture
- Risk assessments: Are cyber risks regularly identified and assessed?
- Incident history: Has the company suffered prior breaches? How were they handled?
- Threat detection: What monitoring systems and controls are in place (e.g., SIEM, EDR)?
3. Data Protection and Privacy
- Data classification: How is sensitive data identified and managed?
- Compliance: Does the company comply with GDPR, CCPA, HIPAA, etc.?
- Encryption and access control: Are strong controls in place to protect data at rest and in transit?
4. Incident Response and Resilience
- Incident Response Plan (IRP): Is there a clear, tested plan in place?
- Disaster recovery / Business continuity: Are backups tested and infrastructure resilient?
- Insurance: Is there cyber insurance coverage, and is it adequate?
5. Third-Party and Supply Chain Risk
- Vendor management: Are third-party vendors assessed for cybersecurity risk?
- Contracts: Are SLAs and legal agreements in place to mitigate third-party breaches?
6. Technology Stack and Vulnerabilities
- Tech due diligence: Are systems and software up to date and patched?
- Penetration testing: Have vulnerability assessments or penetration tests been conducted recently?
- Legacy systems: Are there outdated or unsupported systems still in use?
7. Financial Impact of Cyber Risk
- Cost of breaches: Are there historical or potential costs related to breaches (legal, reputational, regulatory)?
- Valuation adjustments: Investors may adjust valuation or require warranties/indemnities if risk is high.
8. Positive Indicators Investors Look For
- Strong cyber hygiene (MFA, encryption, user training)
- Certifications (ISO 27001, SOC 2)
- Clean breach history with documented improvements
- Proactive security culture and leadership commitment
How big is the problem?
According to the UK Government’s Cyber Security Breaches Survey 2024, approximately 50% of UK businesses and 32% of charities reported experiencing some form of cyber security breach or attack within the past 12 months.
The prevalence of such incidents varies by organization size:
- Medium-sized businesses: 70% reported breaches
- Large businesses: 74% reported breaches
- High-income charities (annual income over £500,000): 66% reported breaches
The most commonly reported type of cyber threat was phishing attacks, affecting 84% of businesses and 83% of charities that experienced a breach.
Those statistics sound pretty bad but are likely the tip of the iceberg. LockBit, a notorious ransomware gang, was recently itself hacked. The breach, which defaced the group’s dark web affiliate panels, included the leak of a MySQL database dump containing critical records related to the gang’s activities. It suggests that a lot of companies have been successfully attacked by the group:
- ‘btc_addresses’ Table: Contains 59,975 unique Bitcoin addresses, likely used for ransom payments and laundering transactions.
- ‘chats’ Table: Perhaps the most damning, this table includes 4,442 negotiation messages between LockBit operators and victims, spanning from 19th December 2024 to 29th April 2025.
Why don’t companies report attacks?
Companies do not report cyber-attacks for several key reasons:
- Reputational Risk: Admitting to a breach can damage a company’s brand, erode customer trust, and lead to lost business.
- Stock Price Impact: Publicly traded companies may fear that disclosing an attack will negatively affect their stock price.
- Legal and Regulatory Exposure: Reporting an incident may invite scrutiny from regulators or lead to lawsuits, especially if sensitive customer data was compromised.
- No Legal Obligation (in some cases): In certain jurisdictions or types of attacks (like those not involving personal data), there may be no mandatory reporting requirement.
- Ongoing Investigations: Some companies delay disclosure to avoid tipping off attackers or interfering with law enforcement investigations.
- Internal Culture or Lack of Preparedness: Companies without strong cybersecurity policies may not have clear procedures for handling and reporting incidents.
What laws govern cyber-security and reporting?
United Kingdom
UK GDPR & Data Protection Act 2018
- Who must report: Any organisation that experiences a personal data breach likely to risk individuals’ rights and freedoms.
- Deadline: Report to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
Network and Information Systems (NIS) Regulations
- Who must report: Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs).
- Deadline: Notify the relevant authority (e.g., ICO for RDSPs) without undue delay and no later than 72 hours after becoming aware of the incident.
Cyber Security and Resilience Bill (Proposed)
- Introduced in July 2024, this bill aims to strengthen the UK’s cyber defences by expanding reporting requirements, including mandatory ransomware incident reporting. It seeks to align UK regulations more closely with the EU’s NIS2 directive.
European Union
General Data Protection Regulation (GDPR)
- Who must report: Data controllers experiencing a personal data breach likely to result in a risk to individuals’ rights and freedoms.
- Deadline: Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
NIS2 Directive (Directive (EU) 2022/2555)
- Who must report: Essential and important entities across various sectors, including energy, transport, health, and digital infrastructure.
- Deadline: Report significant incidents to the relevant national authority within 24 hours of becoming aware, with a final report due within 72 hours.
Cyber Resilience Act (Proposed)
- Who must report: Manufacturers of digital products and software.
- Deadline: Report actively exploited vulnerabilities and severe incidents to ENISA and the relevant national Computer Security Incident Response Team (CSIRT) within 24 hours, followed by a detailed report within 72 hours.
United States
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
- Who must report: Entities in critical infrastructure sectors.
- Deadline: Report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing an incident has occurred. Ransomware payments must be reported within 24 hours.
Securities and Exchange Commission (SEC) Rules
- Who must report: Public companies.
- Deadline: Disclose material cyber incidents within four business days of determining the incident’s material impact.
State-Level Data Breach Notification Laws
- Who must report: Varies by state; generally, any entity handling personal information.
- Deadline: Varies by state; most require notification without unreasonable delay, often within 30 to 60 days.