Doug Howard is CEO of Pondurance.
Cyber breaches are increasing rapidly, both in size and scope. With venture capital financing reaching an all-time high of $643 billion last year, private equity (PE) and venture capital (VC) firms – along with their portfolio companies – are also facing more cyber threats and breaches and need to be better prepared than ever before.
In fact, the Securities and Exchange Commission (SEC) wants to ensure that registered investment companies such as PE and VC funds take cyber threats seriously. The SEC recently proposed a new set of rules that would require companies to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks, and to notify the Commission of significant cybersecurity incidents.
“The proposed rules and changes are designed to improve cybersecurity preparedness and may improve investor confidence in the resilience of advisors and funds to cybersecurity threats and attacks,” said SEC Chair Gary Gensler.
The SEC notes that PE and VC funds, among other investment firms and advisors, are exposed to and dependent on a wide network of interconnected systems and thus face numerous cybersecurity risks. It says the proposed rules are intended to help the SEC better assess systemic risk and better monitor these funds.
These claims are not without foundation. Medium-sized companies – along with their financiers – are increasingly being targeted by hackers. In particular, ransomware groups are known to read headlines and go after recently funded companies because they know how much money they have in the bank. And if the hackers are successful, they also know that not just one company is at risk, but potentially the entire portfolio of a private equity or venture capital firm.
While alarming, these trends are forcing PE and VC companies to rethink their security systems and processes. Here are three ways companies can better measure the cyber-preparedness of their portfolios and significantly mitigate risk.
1. Conduct cyber research on portfolio companies.
Today’s attack surface is bigger than ever before, thanks to the proliferation of mobile devices and the fact that so many employees are working from home and logging in remotely. As a result, VC and PE firms must be extremely vigilant when assessing the cybersecurity capabilities of new potential investments.
A cyber risk assessment should examine the vulnerabilities in a portfolio company’s IT environments and the extent of damage that could occur in the event of a breach. While it is difficult to thoroughly assess any potential investment for effective cybersecurity measures, cyber diligence can provide reasonable insight into a company’s current capabilities.
For example, does the portfolio or target company properly train its employees to prevent them from falling prey to phishing or malware attacks? Has the company implemented technologies such as multi-factor authentication that can prevent bad guys from abusing weak or stolen passwords and credentials? If a cyber breach occurs, how quickly is the company able to detect and respond to the threat? Has it performed penetration tests to see which systems are susceptible to hacking?
It is imperative for VC and PE firms to establish basic cybersecurity requirements to ensure portfolio companies and potential investment targets are not sitting ducks for hackers.
2. Make sure your own business is safe.
PE and VC companies shouldn’t just talk the talk; they have to walk the walk. They need to ensure that their own cybersecurity practices are top-notch so that they can lead by example for their portfolio companies.
Conducting a cyber risk assessment can help you find weaknesses and build your cybersecurity framework. There are many types of assessments, including those based on the NIST Cybersecurity Framework, NIST 800-53, NIST 800-171, the New York Department of Financial Services (NYDFS) cybersecurity requirements, and more. These assessments can help you identify security risks and close any gaps.
It is also important to plan for disruption if and when a cyber incident occurs. By putting together an incident response plan, PE and VC companies can better identify, prevent and respond to business disruptions and potentially avoid millions in losses. In addition, your incident response plan must now include reporting to the SEC when significant cybersecurity incidents occur.
3. Implement managed detection and response.
Managed detection and response services (MDR) can play a critical role in protecting investment firms and their portfolio companies. MDR service providers can help you keep a constant eye on incoming attacks and help you take immediate action if and when they happen.
What makes MDR so valuable is that it provides round-the-clock security services from a team of outsourced analysts. The reality is that most companies do not have the in-house resources to staff a full-fledged security operations center. But with MDR, you get a team of experts who are by your side 24/7. These people are specially trained to detect anomalous activity in your network and react immediately to possible threats.
Last year was a record year for investment, especially in cybersecurity startups, which raised $29.5 billion in venture capital, more than double the $12 billion raised in 2020. It is clear that investors understand the magnitude of the cyber threats that companies face today. They must also understand that they are not immune to this threat and take appropriate measures to defend themselves and their portfolio companies.
Cleaning up after a breach, if a business survives it, is much more expensive than preventive action to reduce cyber risk.