Private companies are most at risk right before IPO
Overall cyber risks are broadly the same for public and private companies, but public companies are often better prepared because established oversight practices and engagement with public investors subject their cyber risk to more consistent scrutiny. When investing in a private company at an early stage, by contrast, investors typically have more limited insight into the company's cybersecurity risks, so the same scrutiny is not applied. Early-stage companies are also more likely to be focused on building a client base and generating revenue, with fewer resources allotted to cybersecurity risk management.
Importantly, we believe early-stage companies are at the highest risk of a cyberattack right before they go public. An IPO announcement normally draws the attention of "black hat" attackers, who are well aware of a company's maturity stage and of how critical its reputation is during an IPO, making the business an attractive target for extortion and ransomware attacks. If thoughtful controls are not in place, the company may be unable to fend off the attack and may find itself having to pay a ransom, suffering a public data breach, or having its services shut down at a critical time. By addressing these risks early, private companies can better avoid such issues at this crucial transition.
Increasing regulatory considerations
Regulators across the globe are increasingly concerned about data security, privacy, and transparency. In the US, the SEC identified "Information Security and Operational Resiliency" as one of its 2021 examination priorities and in March 2022 proposed rule amendments to improve disclosures regarding cybersecurity risk governance. Expected to take effect this April, the proposed rules seek to "enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies."5 If enacted, public companies would be required to disclose material cybersecurity incidents within a set time frame (four business days after determining that an incident is material, under the proposal) and to provide ongoing updates on their status. Companies would also need to disclose their cybersecurity governance policies, including board oversight and management's role in managing cyber risk.6 Notably, approximately 90% of companies in the Russell 3000 lack a single board director with relevant cybersecurity experience.7 As these regulations evolve, private companies, particularly those preparing for an IPO, should consider whether they have sufficient cyber expertise on their leadership teams and boards.
Several frameworks offer private companies a starting point for mitigating these risks and preparing for regulation, including the ISO/IEC 27000 series (notably ISO/IEC 27001), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Cybersecurity Maturity Model.8 However, we recommend that companies tailor these standards to their own business model and industry, so that controls match the company's actual risk profile rather than a generic checklist.
Beyond cybersecurity, data privacy is another key area of focus for global regulators, with increased emphasis on consumer welfare and control. In 2018, the European Union (EU) brought into effect the General Data Protection Regulation (GDPR), a set of rules designed to give people in the EU more control over their personal data.9 Several other jurisdictions have since implemented similar policies, including the California Consumer Privacy Act (CCPA) in the US, which is enforced by the California Privacy Protection Agency (CPPA). These policies promote lawfulness, fairness, accuracy, and transparency of data processing, limitations on data collection and retention, and robust processes for accountability and recourse.10 Crucially, one recent analysis found that 92% of companies across all verticals and business sizes are still unprepared for CCPA and CPPA requirements, and 91% are unprepared for GDPR.11 As these regulations continue to expand, well-prepared private companies can differentiate themselves from their peers.
Cyber-hygiene best practices for private companies
Beyond the risks themselves, private companies need to prepare for greater scrutiny, as investors increasingly include cybersecurity risk evaluations in their due diligence before a deal closes. These can include network scanning, penetration testing, third-party cybersecurity assessments, and proof of eligibility for cybersecurity insurance.12 Additionally, while each incident matters, a company's response to an attack can be even more material to investors. Companies should aim to be highly transparent and to disclose material incidents promptly to the affected stakeholders (such as customers or suppliers). Notably, we believe it is important to establish relationships with third-party breach response services in advance, so that they can assist from the first hours of a potentially material incident.
Investors are also concerned with how much capital is deployed to technology investments related to cyber protection. Higher-risk industries (such as tech and retail) and private companies and SMEs (given their maturity stage and exposure) are expected to allocate an above-average share of IT spending to security. Firms typically spend between roughly 1.7% and 12% of IT expenses on cyber risk, and most spend at least 5%.13 This can include investments to ensure that hardware and software are maintained securely and patched quickly, that multifactor authentication is in place and widely used, that cybersecurity insurance is in place, and that independent third-party assessments are procured. Notably, eligibility for cyber insurance is often a good proxy for a company's cyber strength, because insurers increasingly condition coverage on specific controls. However, in the US, cyber insurance was 79% more costly in 2Q22 than a year prior, as insurers placed limitations on coverage and required stricter cybersecurity measures of the companies to which they issue policies.14
Importantly, companies must continuously and aggressively patch and evolve their security, as attackers are constantly modifying their approaches. While smaller firms can outsource some security operations, we believe it is important, where financially feasible, to include on the leadership team a cybersecurity expert with the expertise to formulate bespoke risk assessments and controls. To be effective, cybersecurity needs to be proactively integrated into the operations of the firm rather than bolted on afterwards.
A further concern is oversight of cybersecurity at key third-party service providers: companies need processes to assess supplier risk and to respond if a supplier is subject to a cyberattack. In fact, more than 80% of third-party vendor risks are discovered after the initial onboarding and due diligence process,15 so a one-time check at onboarding is not enough. In our view, companies that rely on third-party vendors for technical development services and solutions should implement strict due diligence standards and ongoing monitoring to minimize risk.
Finally, we encourage companies to proactively provide high-level disclosure of the above precautions, along with details of their governance structures and controls. Investors generally view such disclosures favorably, as positive indicators of a company's cybersecurity preparedness. For data privacy, companies are encouraged to adhere to GDPR and CCPA requirements (the latter enforced by the CPPA) and to use clear, simple language in their privacy policies.