January 21, 2025

Beyond The Balance Sheet: Cyber Resilience Should Be The Foundational Criterion for Investors

Cyber resilience is a game-changer for investors. Learn why strong security like ISO 27001 is vital for safeguarding deals and securing returns.


Security isn’t just a wise investment - it’s non-negotiable. Investing in companies with poor ISO standards isn’t just risky, it can diminish a business’s value, erode its market position, set you up for post-investment hacks and jeopardise investor returns. As a result, cyber resilience has become the foundational criterion for investors. 

Ed Bartlett, CEO at Hicomply, and Thomas Brunsnes, Director at Cavu Corporate Finance, discuss the relationship between cyber resilience and wise investments.

According to Ed Bartlett, CEO at Hicomply: “We’re seeing firsthand how ISO 27001 certification can be a decisive factor for investors looking to secure value and reduce risks. End customers and business partners expect it, and the market increasingly rewards companies that prioritise cybersecurity. Investors can view ISO 27001 as a signal that a business takes its security—and by extension, its market reputation—seriously.”

According to Thomas Brunsnes, Director at Cavu Corporate Finance: “ISO 27001 isn’t just about compliance; it’s about enabling faster, safer deal closures. Businesses with this certification not only protect themselves but enhance their market value. Investors need that assurance before making a commitment.”

Cyber threats have evolved, and so must investment strategies

Ed warns against relying on an outdated attitude towards addressing cybersecurity concerns. He says: “Cyber resilience isn’t a ‘nice-to-have’ anymore, it needs to sit alongside solid financials, strong leadership, and a promising market position. For venture capital (VC), private equity (PE) investors and buyers it should be a fundamental aspect of due diligence. Historically, many investors treated cybersecurity as a post-deal clean-up job. Times are changing, and for good reason. Waiting to fix cybersecurity issues after the deal closes is playing with fire—because once you’re in, your newly acquired business is often a prime target.”

Hackers are nothing if not opportunistic. They know PE-backed companies have deeper pockets and will specifically target them post-acquisition. According to Accenture, the cost and frequency of cyberattacks on PE investments have surged. It’s not just about protecting assets; it’s about ensuring the very survival of your investment. After all, the fallout from a cyberattack can be catastrophic—financially, operationally, and reputationally.

Thomas echoed this shift for investors, adding: “For many investors, a lack of ISO certification signals an unnecessary risk. Today’s heightened regulatory and ethical standards mean businesses must protect their assets, including data, from costly breaches, because they are hard to come back from.”

The long road back from the breach

Recovery from a significant cyberattack is rare, and the road is often long, expensive and littered with litigation. Following a significant 2019 cyberattack, which was disclosed in December 2020, SolarWinds has been under the cosh ever since. In November 2022, SolarWinds agreed to pay $26 million to settle a shareholder lawsuit alleging that the company misled investors about its cybersecurity practices prior to the breach, as reported by Security Week. In July 2024, a US judge dismissed most of the Securities and Exchange Commission's (SEC) lawsuit against SolarWinds, which accused the company of defrauding investors by concealing security vulnerabilities before and after the cyberattack. However, this has not been the end of the saga. Most recently, in November 2024, it was reported that the SEC want to obtain oral testimony from a former SolarWinds engineer who documented concerns over a network vulnerability tied to VPN access and unmanaged devices. And so, it continues. 

In the UK, the foreign exchange company Travelex was hit by a ransomware attack in late December 2019, leading to a month-long disruption of services. The attack significantly impacted its operations and clients, including major banks. In August 2020, Travelex entered administration, resulting in the loss of 1,300 jobs, highlighting the severe impact of the cyberattack on its business continuity. In an interview with City AM in October 2024, CEO Richard Wazacz said that Travelex will likely change ownership as shareholders distance themselves, commenting: “Our shareholders have been incredibly supportive, and they’ve taken us through that recovery, but over the next 12 to 24 months it’s very likely that our shareholders will want to redeploy that money into new businesses.”

Due diligence in a "when, not if" world

Given the monetary and reputational risk, could your portfolio companies absorb such a hit? Probably not without severe consequences. Cash flow disruptions, operational downtime, and the potential need for expensive crisis management teams can quickly deplete resources. 

So, how do you avoid ending up with a toxic investment that’s considered a pariah in the market and a drag on your portfolio? 

Ed believes it’s about tabling cyber resilience from the start, adding: “Investors wouldn’t touch a business with poor financial controls, so why is cybersecurity treated differently? The risks are just as significant, if not more so. A business with strong cyber resilience not only protects itself but also enhances its market value. Companies with robust cybersecurity practices often have an easier time meeting customer demand, particularly in sectors where data security is paramount. This can directly impact sales and market expansion, making a secure business a more attractive and valuable investment.”

Moreover, cybersecurity is increasingly becoming a deciding factor in M&A, and having it addressed can help speed up these transactions. Tom adds: “ISO certification doesn’t just reduce risk; it accelerates the deal itself, streamlining negotiations and allowing them to close faster.”

Ed concludes: “Great investors factor in cybersecurity as a core element of their investment strategy. It’s not about finding reasons to walk away from deals but ensuring that the deals you do make are resilient and capable of weathering inevitable cyber threats.

Cyber resilience is the new frontier. It’s not a gamble you can take lightly. As the pace of cyberattacks accelerates, the potential cost of bad deals grows exponentially. The house always wins in the numbers game of cyber threats, but with the right approach, you can stack the odds in your favour.”

Ready to future-proof your investments? Start prioritising cyber resilience and book a demo today.
