Cyber ratings will become standard practice for funds - Samuel BAFOURD, SEVEN2

Has cyber risk become a top-tier risk for an investment fund like Seven2?

Today, cyber risk is a major industrial risk. A mismatch between the level of risk and the resources deployed can lead to a serious incident. Action must therefore be taken on two levels: daily operations and anticipation/prevention of incidents. At Seven2, we have structured our approach around four pillars: technical, processes, audit, and governance. Cybersecurity is conceived "by design," starting from the very first deployment of any new application.

How do you use cyber rating tools in your investment decisions and in managing your portfolio companies?

The mission of a fund like Seven2 is value creation. However, cybersecurity has become a key factor in preserving — and creating — value. In 2021, I created the "Cyber Program" based on a simple observation: without a consistent measurement, it is difficult to know where portfolio companies truly stand regarding security.

During the due diligence phase, it helps us quickly qualify the maturity level of a target. If a significant gap is identified, it can result in a remediation plan—which impacts the financial valuation of the deal. Once the investment is made, Security Rating, AD Rating, and 365 Rating become long-term management tools: beyond the score itself, they allow for daily monitoring and concrete support for teams in their continuous improvement plans. They also provide us with clear indicators, presented twice a year at the cyber committee to the CEO and partners, to manage risk at the executive level. Cyber rating is becoming a standard because it directly addresses the challenges of protecting and enhancing the value of portfolio companies.

Active Directory is often at the heart of attacks: how do you address this risk at Seven2?

An insecure Active Directory is a prime target for cybercriminals, yet this subject often remains underestimated. By continuously assessing Active Directory security, AD Rating® has allowed us to structure our approach with great precision: management of privileged accounts, identification of critical weaknesses, and prioritization of actions. It is a highly operational tool, but also an excellent governance tool. It makes visible risks that would otherwise remain difficult to objectify and manage, and helps establish a culture of rigor and continuous improvement.

"AD Rating makes a critical risk at the heart of systems visible and manageable" - Samuel BAFOURD

About Samuel BAFOURD

Samuel Bafourd joined Seven2 in 2001 as a system and network administrator, before becoming CIO in 2018, in charge of digital transformation and cyber strategy. He is a graduate of the École Supérieure des Pays de Loire (ESPL).
