Cyber breaches are increasing rapidly in both size and scope. Venture funding reached an all-time high of $643 billion last year, and with that growth, private equity (PE) and venture capital (VC) firms, along with their portfolio companies, face more cybersecurity threats and breaches than ever before. This makes it necessary to establish better-prepared, more secure connections than ever before.
Today it is imperative for PE and VC firms to set cybersecurity requirements that ensure portfolio companies, as well as potential investment targets, are not sitting ducks for hackers. However, the reality is that many organizations do not have the internal resources to staff a full-blown security operations center.
The U.S. Securities and Exchange Commission (SEC) recently proposed a new set of rules that would require private equity firms to adopt and implement written policies and procedures intended to address cybersecurity risk, and that would mandate the reporting of significant incidents.
The proposed rules and amendments are devised to enhance cybersecurity preparedness and to improve investor confidence in the resiliency of advisers as well as funds against cyber threats and attacks.
The SEC stated that PE and VC funds, among other investment firms, are exposed to and increasingly rely on a broad network of interconnected systems, which raises their exposure to numerous cybersecurity risks. The proposed rules are intended to enhance the SEC's ability to assess systemic risks and better supervise these funds.
While these rising cyber risks are alarming, they are also forcing PE and VC firms to take a close look at their existing security systems and processes. Here are a few ways PE and VC firms can better gauge the cyber preparedness of their investment portfolios and mitigate the threats:
- Conducting cyber due diligence on investment portfolio companies
- Establishing or revamping secure connections at the organization
- Implementing managed detection and response (MDR)
Establishing a Secure Transactional Framework
Cyberattacks can have major ramifications for private equity and venture capital firms. Deals can fall through, the market cap of compromised portfolio companies can be wiped away, sensitive data can be exposed, and unwanted lawsuits, investigations, or penalties can follow. These consequences can impair an organization's ability to attract or retain investors.
Financial investment firms are more likely to become victims of cyberattacks than other businesses, yet PE and VC firms may not have the same level of security as other financial institutions. Here are five measures that can help PE and VC firms step up their cybersecurity game.
- Evaluate and prioritize the possible risks
The very first steps in creating an effective risk management program are to identify the risks and to assess the countermeasures already in place. Once the risks are identified, cybersecurity controls can be formulated around them. Some situations pose a greater risk than others and demand tighter controls; significant financial events like M&As, for example, are at higher risk of ransomware scams. It is equally vital to evaluate the security posture of portfolio companies through a common security lens. This allows PE firms to identify and understand where the most risk resides and what measures need to be implemented to bring risk back to acceptable levels.
- Take stock of compliance obligations and constraints
Registered investment advisers (RIAs), as well as PE and VC firms, have a fiduciary obligation to oversee cybersecurity readiness and incident preparedness on behalf of their customers and shareholders. The SEC has proposed cybersecurity rules concerning RIAs' cyber risk management, incident reporting, disclosure, and record-keeping. The proposed rule mandates that all RIAs implement policies and procedures designed to address cybersecurity threats. They must also review and assess those policies annually and have incident response and recovery processes in place. They are also advised to keep records of cybersecurity incidents.
Additionally, many regulations apply to portfolio companies depending on the jurisdiction in which they operate. Firms that fail to perform adequate cybersecurity diligence on their portfolio companies are likely to face issues under the duty-of-care framework.
- Focus on the cybersecurity hygiene of employees and the organization
The human element is considered the root cause of almost 82% of breaches. An unsuspecting employee can fall prey to a phishing email, download a malicious attachment, or visit a malicious URL; a well-meaning developer can accidentally leave cloud servers unprotected; and an employee with privileged access can use a simple password that is easily cracked. Businesses must mitigate these risks by familiarizing their staff with cybersecurity hygiene. Employees should be briefed on the latest tactics employed by cybercriminals, as well as on their own responsibility, accountability, and liability in the event of a cyber incident. Organizations should make cyber hygiene part of their culture: using strong passwords, behaving securely online, patching and updating software, and reporting suspicious activity. Extending the same training to the employees of portfolio companies is equally important.
- Establish a vendor risk management program
Investment funds and PE and VC advisers are often exposed to a vast array of interconnected systems, which makes them vulnerable to a range of cybersecurity risks. Many cyber breaches involve attackers gaining access to systems through a third party. PE and VC firms should therefore perform cyber diligence on all of their suppliers, as well as on the suppliers of their portfolio companies. Evaluating each supplier's security history, audits, and practices, and comparing them against industry frameworks such as NIST or ISO, gives a clearer picture of the security they actually provide.
When onboarding a new client, organizations should obtain a written commitment to maintain information security. Organizations should also formulate policies, protocols, and procedures for vetting information security practices on a regular basis, and should ensure that portfolio companies follow standard guidelines and protocols so that the firm gains a holistic view of emerging cyber risks.
- Examine defenses regularly and be prepared for any
Every new system, user, device, and acquisition adds another layer of cybersecurity complexity. It is therefore crucial for organizations to adopt a process that helps them identify security gaps, vulnerabilities, and loopholes before they escalate. Organizations can engage security experts to perform a network penetration test together with a thorough vulnerability assessment at least once a year. Extensive audits of internal and external infrastructure, firewalls, wireless configurations, application code, and cloud policy configurations also help keep cyber risks at bay. For the worst case, organizations should have cyber insurance in place, since it can offset some of the additional costs and aid faster recovery.
The Future Ahead
The cybersecurity market continues to grow rapidly, and that growth is expected to continue. Cybersecurity is now regarded as the number-one spending item on the technology investment list. With the rise in cyberattacks, organizations are continuing to spend more on security; however, they often end up spending it in the wrong areas.
For private equity and venture capital firms, a security-first approach is paramount in today's evolving digital landscape. The stakes are high: one mistake or one lapse in judgment can have dire consequences. The goal is to create an actionable, measurable, and repeatable security framework that spans investment portfolios across the entire M&A life cycle.
In 2022, 88% of board members believed that cybersecurity is a business issue, not a technical one. Boards are working on new metrics, measurements, and governance to help protect against ransomware and other threats. One survey indicated that institutional investors from hedge funds, pension funds, and private equity believe blockchain technology will have its most significant impact on healthcare, financial services, and banking. The same study reveals that almost 39% of those investors believe blockchain will do to banking what the Internet did to the media landscape.
Investors have started to anticipate that the latest plunge in technology stocks will translate into a slowdown in private markets. Cybersecurity venture capital firms now predict that the global blockchain market will exceed $40 billion by 2025. Investors are aware of and understand the magnitude of the cyber threats businesses face today. They must also recognize that they themselves are not immune to these threats and take appropriate measures to defend both their own firms and their portfolio companies.
With a presence in New York, San Francisco, Austin, Seattle, Toronto, London, Zurich, Pune, Bengaluru, and Hyderabad, SG Analytics, a pioneer in Research and Analytics, offers tailor-made services to enterprises worldwide.