The nation’s largest public companies outperformed their peers in six other global financial centers
French blue-chip companies have topped an international league table for cybersecurity maturity, leapfrogging their US counterparts, a new study has revealed.
The CAC 40 – the 40 largest public companies in France – outperformed their peers in six other global financial centers, according to research by IT service management firm Wavestone.
The UK’s FTSE 100 remained in third place, below the US’ Dow Jones 30, and followed by their publicly traded counterparts in Belgium, Singapore, Switzerland, and Hong Kong.
Every stock exchange’s maturity score rose year on year, with the 20 firms comprising the Swiss SMI making the biggest strides.
Wavestone analyzed the corporate communications of 290 companies, including annual reports to shareholders, international data agreements, and reports submitted to federal agencies, published up to June 1, 2020.
‘People-centric’ security policies
“In France, we can clearly see [that] CISOs are people-centric,” Gérôme Billois, global cybersecurity partner at Wavestone, told The Daily Swig, noting that France was the top performer on training and awareness, with 85% of companies flagging activities in this area.
Florian Pouchet, head of cyber at Wavestone UK, said investors and regulators wanted to see evidence that firms were taking the cybersecurity threat seriously.
“Investors are becoming increasingly interested in evaluating [the] cybersecurity level of companies [and] rating agencies are starting to take that into account in their evaluations,” he explained.
In response, a majority of the companies studied appear to be discussing information security at the highest level, as well as earmarking funding to bolster their security posture.
A trawl of these organizations’ public communications showed that 57% of executive committees were taking an active interest in the subject, rising to 68% among the FTSE 100, 63% of the Dow Jones and Singaporean STI, and 60% of the CAC 40.
Around one in three (34%) outlined wide-ranging investments in cybersecurity and cyber-attack response plans, while one in two (49%) mentioned more modest, limited plans. Only 6% failed to mention cybersecurity funding at all.
However, researchers found no evidence of a cybersecurity strategy in the corporate communications of 8% of firms, albeit this represented a two-point drop on 2019.
Boasting the strongest executive engagement “and the highest commitment to investment for the second year in a row,” Pouchet said the UK “continues to lead the way with regards to mobilization”, and has stayed true to its strategic ambition “to be ‘the safest place to live and do business online’”.
Every single US firm, meanwhile, mentioned comprehensive cyber spending plans, as well as strategies around audit risk and control.
The findings also suggest that boardrooms are noticing the raft of data protection laws being enacted or updated around the world.
Four in five companies (80%) mentioned data privacy in their communications – a 13-point year-on-year rise – while all French companies did so.
Companies were also far more likely to view cybersecurity as primarily an operational risk than a legal or financial risk, with these cited by 229, 110, and 108 companies, respectively.
Many of the most cutting-edge technology trends – AI, quantum computing, blockchain, IoT, and 5G – inevitably appeared in corporate communications, but rarely with reference to the cybersecurity implications.
For instance, while 124 companies mentioned AI, only 18 considered the cybersecurity opportunities or threats this technology posed.
‘Cyber resilience’ was the most frequently mentioned emerging topic, followed by control frameworks, incident detection, supply chain security, and mergers and acquisitions security.
“With closer scrutiny from the financial services regulators, like the Bank of England and the European Central Bank, it’s no surprise that companies are starting to deploy cyber resiliency measures,” said Florian Pouchet.
“We are seeing development in disaster recovery plans and a move to cloud computing to ensure continuity in core business processes.”
IT was the most cyber-mature sector, followed by the service industries, finance, and energy and utilities. The least mature was food and agriculture.
On how firms might raise their country’s score for 2021, Billois suggested they aim for “more transparency on cyber-attacks, as they are still [often perceived] as [having] something to hide and crisis management communications is often not to the standard of what clients and the public are looking for.”
Wavestone has published reports for each of the seven global financial centers.