
Ways Private Equity and Venture Capital Firms can Protect Themselves from Cyber Risks

August 26, 2022


Cyber breaches are increasing rapidly, both in size and scope. Venture funding reached an all-time high of $643 billion last year, and private equity (PE) and venture capital (VC) firms, along with their portfolio companies, now face more cybersecurity threats and breaches as a result. This has created a need to be better prepared and more secure than ever before.

Today it is imperative for private equity (PE) and venture capital (VC) firms to set cybersecurity requirements that ensure portfolio companies, as well as potential investment targets, are not sitting ducks for hackers. However, the reality is that many organizations do not have the internal resources to staff a full-blown security operations center.

The U.S. Securities and Exchange Commission (SEC) recently proposed a new set of rules that would require private equity firms to adopt and implement cybersecurity policies and procedures intended to address cybersecurity risk, and that would mandate the reporting of significant incidents.

The proposed rules and amendments are designed to enhance cybersecurity preparedness and to improve investor confidence in the resilience of advisers and funds against cyber threats and attacks.

The SEC stated that PE and VC funds, among other investment firms, are exposed to and rely on a broad network of interconnected systems, which raises their exposure to numerous cybersecurity risks. The proposed rules are intended to enhance the SEC's ability to assess systemic risks and to better supervise these funds.

While these rising cyber risks are alarming, they are forcing PE and VC firms to take a close look at their existing security systems and processes. Here are a few ways equity firms can better gauge the cyber preparedness of their investment portfolios and mitigate the threats.

  • Conducting cyber due diligence on investment portfolio companies

  • Establishing or revamping secure connections at the organization

  • Implementing managed detection and response

Establishing a Secure Transactional Framework 

Cyberattacks can have major ramifications for private equity and venture capital firms. Deals can fall through, the market cap of compromised portfolio companies can be wiped out, sensitive data can be exposed, and unwanted lawsuits, investigations, or penalties can emerge. These consequences can impair an organization's ability to attract or retain investors.

Financial investment firms are more likely to become victims of cyberattacks than other businesses, yet PE and VC firms may not have the same level of security. Here are five propositions that can help PE and VC firms step up their cybersecurity game.

  1. Evaluate and prioritize the possible risks 

The very first steps in creating an effective risk management program are to identify the risks and assess the countermeasures already in place. Once the risks are identified, cybersecurity controls can be formulated around them. Some situations pose a greater risk than others and demand tighter controls; significant financial events such as M&As, for example, carry a higher risk of ransomware scams. It is equally vital to evaluate the security posture of portfolio companies through a common security lens. This allows PEs to identify and understand where the most risk resides and what measures need to be implemented to bring risk back to acceptable levels.

  2. Take stock of compliance and constraints

Registered investment advisors (RIAs), as well as PE and VC firms, have a fiduciary obligation to oversee cybersecurity readiness and incident preparedness on behalf of their customers and shareholders. The SEC has proposed cybersecurity rules covering RIAs' cyber risk management, incident reporting, disclosure, and record-keeping. This rule mandates that all RIAs implement policies and procedures designed to address cybersecurity threats, review and assess those policies annually, and have incident response and recovery processes in place. They are also expected to keep records of cybersecurity incidents.

Additionally, many regulations apply to portfolio companies depending on the jurisdiction in which they operate. Firms that fail to perform adequate cybersecurity diligence on their portfolio companies are likely to face issues under the duty-of-care framework.

  3. Focus on the cybersecurity hygiene of employees as well as the organization

The human element is considered the root cause of almost 82% of breaches. An unsuspecting employee can fall prey to a phishing email, download a malicious attachment, or visit a malicious URL; a well-meaning developer can accidentally leave cloud servers unprotected; and an employee with privileged access can use a simple password that is easily cracked. Businesses must mitigate these risks by familiarizing their staff with cybersecurity hygiene. Employees should be guided on the latest tactics employed by cybercriminals as well as on their responsibility, accountability, or liability in the event of a cyber incident. Organizations should build cyber hygiene into their culture: using strong passwords, practising safe online behavior, patching and updating software, and reporting suspicious activity. Extending the same training to the employees of portfolio companies is equally important.

  4. Establish a vendor risk management program

Investment funds and PE & VC advisors are often exposed to a vast array of interconnected systems, making them vulnerable to several cybersecurity risks. Most cyber breaches involve attackers accessing systems through a third party. PE and VC firms should perform cyber diligence on all their suppliers as well as on the suppliers of their portfolio companies. Evaluating their security history, audits, and practices, and comparing them against industry frameworks such as NIST or ISO, will help build a sense of security.

When onboarding a new client, organizations should obtain a written commitment from them to maintain information security. Organizations should formulate policies, protocols, and procedures to vet information security practices on a regular basis. They should also ensure that portfolio companies follow standard guidelines and protocols, giving them a holistic view of emerging cyber risks.

  5. Examine defenses regularly and be prepared for any

Every new system, user, device, and acquisition adds another layer of cybersecurity complexity. It is therefore crucial for organizations to adopt a process that helps them identify security gaps, vulnerabilities, and loopholes before they escalate. Organizations can hire security experts to perform a network penetration test along with a thorough vulnerability assessment at least once a year. Extensive audits of internal and external infrastructure, firewalls, wireless configurations, application code, and cloud policy configurations can also help keep cyber risks at bay. For the worst case, organizations should have cyber insurance in place, as it can help offset some of the additional costs and aid faster recovery.

The Future Ahead 

The cybersecurity landscape continues its stratospheric growth, and spending is expected to keep rising. Cybersecurity is now deemed the number-one item on the technology investment list. With the rise in cyberattacks, organizations continue to spend more money on security; however, they often end up spending it in the wrong areas.

For private equity and venture capital firms, a security-first approach is paramount in today's evolving digital landscape. The stakes are high: one mistake or one lapse in judgment can result in dire consequences. The goal is to create an actionable, measurable, and repeatable security framework that spans investment portfolios across the entire M&A life cycle.

In 2022, 88% of board members believed that cybersecurity is a business issue, not a technical one. Boards are working on setting new metrics, measurements, and governance that will help protect against ransomware and other threats. One survey found that institutional investors from hedge funds, pension funds, and private equity believe that blockchain technology will likely have the most significant impact on healthcare, financial services, and banking. The study reveals that almost 39% of the investors believe that blockchain will do to banking what the Internet did to the media landscape.

Investors have begun to anticipate that the latest plunge in technology stocks will translate into a slowdown in private markets. Cybersecurity venture capital firms now predict that the global blockchain market will exceed $40 billion by 2025. Investors are aware of and understand the magnitude of the cyber threats that businesses face today. They must also recognize that they are not immune to these threats and adopt appropriate measures to defend themselves along with their portfolio companies.

