The number of cyber attacks on businesses is increasing by over 50 per cent year on year. Hackers are getting more sophisticated, and the venture capital (VC) industry – which moved over half a trillion pounds globally in 2021 – has a huge cybersecurity target on its back.
Venture capitalists manage a lot of money and valuable data; the two assets most attractive to a cybercriminal. Doing nothing to protect yourselves, as a VC, or your portfolio investments is no longer an option.
But while VC firms are ramping up their own defences to tackle the threat cyber-criminals pose, too often due diligence falls short when assessing an investee company’s cyber liability. This is creating unacceptable levels of risk: in the last few years, authorities in the UK and the US have seen ransomware actors pinpointing midmarket acquisition as their way into larger VC targets.
Ransomware is the most dangerous and costly type of cyber attack. Once a cyber-criminal (anyone from an organised criminal to an agent of a rogue state, or just your everyday hacker) has tricked their way into a network, they can lie in wait in one of your portfolio company’s systems for up to six months before choosing their moment to strike.
Out of nowhere that company is facing attack on multiple fronts. Attackers will demand money in exchange for not wiping or releasing private data. The average pay out for a mid-size organisation is £130,000. Most attacks take at least 21 days to recover from, costing a company another £1.4m in lost work. Not to mention that most companies never manage to retrieve all of their stolen data.
All this has real-world consequences for the investor: Companies that suffer a breach showed a fall in enterprise value of 20-33 per cent in the aftermath of an attack. A portfolio company succumbing to a devastating cyber attack and being rendered insolvent is a nightmare scenario for any VC that has just carried out a major investment. No-one wants to find themselves explaining to the board of directors and investors, why an avoidable mistake was made.
VC firms have to ask more cybersecurity questions, in more detail, of the potential investee to ensure that these companies are fully prepared for the ever-increasing pace of cyber attacks.
The following 12 questions are a must to include in your due diligence process.
- Have the external auditors looked at cybersecurity as part of their risk review process?
- Has there been a history of breaches and how have management responded? Are they logged?
- Does the organisation have a disaster recovery (DR) plan in place? Has it been tested?
- Are applications updated and solutions applied as soon as vulnerabilities are identified?
- Are basic controls, such as multi-factor authentication, in place to control access?
- Are penetration (“pen”) tests carried out by an external expert to test website, infrastructure and physical security? Has the board reviewed the results?
- Is the organisation monitored for cybersecurity risks?
- Are the staff trained in cybersecurity? Is it part of their performance assessment reviews?
- What is management’s attitude towards cybersecurity risk? Does the company have regular reviews, and do they monitor them at a board level?
- Does the company (as a minimum) have stated data protection policies and the appropriate management of its IT infrastructure? Do larger organisations have key roles such as Chief Information Security Officer (CISO) and Data Protection Officer (DPO) covered?
- Is there cybersecurity insurance cover in place? If so, what is the premium history and what are any special conditions of cover?
- What sort of warranties are sought from vendors? At the least, the company should have made “due and careful” enquiry into the state of their cybersecurity (using external parties as needed)
Any weak or incomplete answers to any of these questions should be a red flag and addressed before the investment goes any further. But whatever the response, a responsible VC with an eye on ensuring long-term returns should hire an independent company to put an investee business through its paces. A simulated test, “pen test”, of an investee company will shine a spotlight on where any weaknesses truly lie and is well worth the cost to an investor.
While the consequences of a cyber attack, whether financial, reputational or operational, can be dire, they are all avoidable with the right level of due diligence. To achieve this, a VC needs to make sure that cybersecurity preparedness has pride of place on their checklist for investee companies. It’s no different to checking for buildings and contents insurance, or that the balance sheet is in order, or any of the hundred other things which make up the checks and balances of the investment process.
A company may have everything in place to make a healthy return on investment under normal circumstances. But if they are hit by a successful cyber attack, this can all be blown away. To mitigate this ever-growing risk, a VC must work with trusted cybersecurity partners to create the necessary plans and to help them deal with incidents when (and not if) they happen.
Ian Shelby is a chartered accountant and CFO of Falanx Cyber