How PE And VC Firms Can Protect Themselves (And Their Portfolio Companies) From Cyber Risks

Doug Howard is CEO of Pondurance.

Cyber breaches are rapidly increasing in both size and scope. With venture funding reaching an all-time high of $643 billion last year, private equity (PE) and venture capital (VC) firms—along with their portfolio companies—are also facing more cyber threats and breaches and need to be more prepared than ever before.

In fact, the Securities and Exchange Commission (SEC) wants to ensure that registered investment companies like PE and VC funds are taking cyber threats seriously. The SEC recently proposed a new set of rules that would require firms to adopt and implement written cybersecurity policies and procedures that are intended to address cybersecurity risks and mandate the reporting of significant cybersecurity incidents to the Commission.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” said SEC chairman Gary Gensler.

The SEC notes that PE and VC funds, among other investment firms and advisors, are exposed to and rely on a broad network of interconnected systems and thus face numerous cybersecurity risks. It says the proposed rules are meant to enhance the SEC’s ability to assess systemic risks and better oversee these funds.

These claims are not without merit. Midsized companies—along with their financial backers—are increasingly being targeted by hackers. In particular, ransomware groups have been known to peruse the headlines and go after recently funded companies because they know how much money they have in the bank. And, if the hackers are successful, they also know it’s not just one company that is at risk but potentially the entire portfolio of a private equity or venture capital firm.

While these trends are alarming, they are forcing PE and VC firms to take a close look at their security systems and processes. Here are three ways firms can better gauge the cyber preparedness of their portfolios and significantly mitigate risks.

1. Conduct cyber due diligence on portfolio companies.

Today’s attack surface is larger than ever before, thanks to the proliferation of mobile devices and the fact that so many employees are working from home and logging in remotely. As a result, VC and PE firms must be hyper-vigilant when assessing the cybersecurity capabilities of any new potential investment.

A cyber risk assessment should examine vulnerabilities in a portfolio company’s IT environments and the scope of damage that could occur in the event of a breach. While it is difficult to thoroughly assess each potential investment for effective cybersecurity measures, cyber diligence can provide a reasonable understanding of a company’s current capabilities.

For instance, is the portfolio or target company properly training its employees on how to avoid falling prey to phishing or malware attacks? Has the company implemented technologies like multi-factor authentication that can prevent the bad guys from exploiting weak or stolen passwords and credentials? If a cyber breach does occur, how quickly is the company able to detect and respond to the threat? Has it conducted penetration testing to see what systems are susceptible to being hacked?

It is imperative for VC and PE firms to set basic cybersecurity requirements to ensure that portfolio companies and potential investment targets are not sitting ducks for hackers.

2. Make sure your own firm is secure.

PE and VC firms shouldn’t just talk the talk; they need to walk the walk. They need to ensure that their own cybersecurity practices are first-rate so that they can set the right example for their portfolio companies.

Taking a cyber risk assessment can help you find weaknesses and build your cybersecurity framework. There are many types of assessments, including NIST Cybersecurity Framework, NIST 800-53, NIST 800-171, NY Department of Financial Services (NYDFS) and more. These assessments can help you identify security risks and plug any holes.

It’s also important to plan for disruption if and when a cyber incident occurs. Putting together an incident response plan can help PE and VC firms better identify, prevent and respond to business disruptions and potentially avoid millions in losses. In addition, your incident response plan should now include reporting to the SEC when significant cybersecurity incidents occur.

3. Implement managed detection and response.

Managed detection and response (MDR) services can play a critical role in helping investment firms and their portfolio companies stay protected. MDR service providers can help you keep a constant eye out for incoming attacks and help you take immediate action if and when they happen.

What makes MDR so valuable is that it provides round-the-clock security services from a team of outsourced analysts. The reality is that most companies don’t have the internal resources to staff a full-blown security operations center. But with MDR, you get a team of experts who are at your side 24/7. These people are specifically trained to detect anomalous activity in your network and immediately respond to any potential threat.

Last year was a record-breaking year for investments, especially for cybersecurity startups. They raised $29.5 billion in venture capital last year, more than doubling the $12 billion raised in 2020. Obviously, investors understand the magnitude of the cyber threats that businesses face today. They must also understand that they are not immune to this threat and take appropriate steps to defend themselves and their portfolio companies.

Cleanup after a breach, if a company survives, is far more costly than preventative actions to reduce cyber risk.


Forbes Business Council is the foremost growth and networking organization for business owners and leaders.

