ESG insights for private companies

Cybersecurity for private companies

Multiple authors
2024-04-30
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
1300422159

The views expressed are those of the authors at the time of writing. Other teams may hold different views and make different investment decisions. The value of your investment may become worth more or less than at the time of original investment. While any third-party data used is considered reliable, its accuracy is not guaranteed. For professional, institutional, or accredited investors only. 

Cyberattacks are among the world’s most pressing risks. In fact, they were rated as a top ten risk in each of the World Economic Forum’s last three Global Risk reports.1  Though previously considered a technology issue, cybersecurity has become an increasingly material ESG concern for private companies, investors, regulators, and consumers alike. Critically, cyber threats are pervasive across industries and come in many forms (Figure 1).

In 2023, cybersecurity experts expect to see increased ransomware attacks, fueled by technologies like Natural Language Processing and AI, and more attacks through social engineering. They also believe companies will make significant investments in automated response technology and new post-quantum encryption algorithms and will have a greater focus on board cyber oversight and on identifying cyber professional talent.2 We think private companies that can nimbly adapt to this evolving landscape will be better positioned to address these risks. 

In this piece, we highlight this rising problem, explore how it is particularly relevant for private companies, discuss key regulatory considerations, and share best practices for companies facing these threats.

Figure 1
cybersecurity-for-private-companies-fig1

Why cybersecurity is material for private companies

Cyberattacks are material issues for all private and public companies (Figure 2) as they raise the risk of exposing confidential company information or sensitive customer data, halting operations that can consequently disrupt supply chains, increasing regulatory scrutiny, and/or causing reputational harm. The average cost of a data breach in 2022 was ~US$4.35 million per incident and is projected to reach US$5 million in 2023.3 Notably, the continued use of remote workers following the pandemic brings additional cybersecurity challenges. This contributed to increased attacks and costs were roughly US$1 million higher in remote-work-related breaches.4 Companies with marketable information on clients or intellectual property are at heightened financial risk due to the impact that data has on both their value and brand loyalty. In addition, firms that provide services to others or depend heavily on real-time operations can expect high per-minute costs of lost revenue and dissatisfied clients in the event of a denial-of-service or ransomware attack. 

Thus, while a firm may incur no direct material loss from some attacks, these risks may affect a company’s valuation by impacting brand perception and operating costs. Private companies should consider these potential risks when evaluating cybersecurity investments as underspending could amplify long-term costs.

Figure 2
cybersecurity-for-private-companies-fig2-opt2

Private companies are most at risk right before IPO

While overall risks remain the same for both public and private companies, public companies are often better prepared as they have more consistent scrutiny on cyber risks due to their established oversight practices and engagement with public investors. In contrast, when investing in a private company at early stages, investors likely have more limited insight into the company’s cybersecurity risks and thus the same scrutiny is not applied. Furthermore, early-stage companies may be more focused on building a client base and generating revenue with fewer resources allotted to cybersecurity risk management. 

Importantly, we believe early-stage companies are at the highest risk of a cybersecurity attack right before they go public. This is because a public announcement normally draws the attention of “black hat” hackers who are very aware of a company’s maturity stage and the critical importance of its reputation during an IPO. This can make the business an attractive target for extortion/ransom attacks. If thoughtful controls are not in place, the company may not be able to fend off the attack, potentially placing it in the position of having to pay a ransom, suffering a public data breach, or having its services shut down at a critical time. By addressing these risks early, private companies can better avoid issues at this crucial transition period.

Increasing regulatory considerations

Regulators across the globe are increasingly concerned about data security, privacy, and transparency. In the US, the SEC identified “Information Security and Operational Resiliency” as one of its 2021 priorities and proposed rule amendments in March 2022 to improve disclosures regarding cybersecurity risk governance. Expected to take effect this April, the SEC’s proposed rules seek to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.”5 If enacted, public companies would be required to disclose material cybersecurity incidents within a certain time frame and provide ongoing updates on the incidents’ status. Companies would also need to disclose their cybersecurity governance policies, including board oversight and management’s role in managing cyber risk.6 Notably, approximately 90% of companies in the Russell 3000 lack a single board director with relevant cybersecurity experience.7 As these regulations evolve, private companies — particularly those preparing for an IPO — should consider whether they have sufficient cyber expertise on their leadership teams.

There are several frameworks that private companies can adopt as best practices to mitigate increasing risks and prepare for regulation. These include ISO 27000, the National Institute of Standards and Technology’s Cybersecurity Framework, or the Cybersecurity Maturity Model.8 However, we recommend that companies customize their own standards to be most relevant to their business model and industry. This will help ensure that controls are sufficiently customized for the company’s risk profile.

Beyond cybersecurity, data privacy is another key area of focus for global regulators, with an increased emphasis on consumer welfare and control. In 2018, the European Union (EU) created a new set of rules — the General Data Protection Regulation (GDPR) — designed to give EU citizens more control over their personal data.9 Several other regions have since begun implementing similar policies, including those by the California Consumer Privacy Act (CCPA) and the California Privacy Protection Agency (CPPA) in the US. These policies promote lawfulness, fairness, accuracy, and transparency of data processing, limitations on data collection and storage, and robust processes for accountability and recourse.10 Crucially, one recent analysis showed 92% of companies across all verticals and business sizes are still unprepared for CCPA and CPPA, and 91% are unprepared for GDPR.11 As these regulations continue to increase, well-prepared private companies can differentiate themselves from their peers. 

Cyber-hygiene best practices for private companies

In addition to the actual risks, private companies need to prepare for greater scrutiny as investors increasingly include cybersecurity risk evaluations in their due diligence process prior to the closing of a deal. These could include network scanning, penetration testing, third-party cybersecurity assessments, and proof of eligibility for cybersecurity insurance.12 Additionally, while each cyberattack incident itself is important, a company’s response to an attack can be even more material to investors. Companies should aim to be highly transparent and disclose material incidents promptly to the affected stakeholders (such as customers or suppliers). Notably, we believe it is important to establish relationships with third-party breach response services to assist early on in response to a potentially material incident.

Investors are also concerned with the amount of capital deployed to technological investments relating to cyber protection. Higher risk industries (such as tech and retail) and private companies/SMEs (due to maturity stage and vulnerability level) are expected to allocate an above-average amount to IT spending. Firms typically spend between roughly 1.7% – 12% of IT expenses on cyber risk and rarely spend less than 5%.13 This can include investments to ensure that hardware and software are maintained securely and patched quickly, that multifactor authentication is in place and widely used, to adopt cybersecurity insurance, and to procure independent third-party assessments. Notably, insurance is often a good proxy for company cyber strength. However, in the US, cyber insurance was 79% more costly in 2Q22 than it was a year prior, as insurers placed limitations on coverage and increasingly required stricter cybersecurity measures of the companies to which they issue policies.14

Importantly, companies must continuously and aggressively patch and evolve their security as attackers are constantly modifying their approaches. While smaller firms can outsource some security operations, we believe it is important, where financially feasible, to include a cybersecurity expert on the leadership team with the necessary expertise to formulate bespoke risk assessments and controls. To be effective, we believe cybersecurity needs to be proactively integrated into the operations of the firm. 

Of additional concern is overseeing cybersecurity in key third-party service providers and establishing processes to assess supplier risk and respond in the event they are subject to cyberattack. In fact, more than 80% of third-party vendor risks are discovered after the initial onboarding and due diligence process.15 In our view, companies that rely on third-party vendors for technical development services and solutions should therefore implement strict due diligence standards to minimize risk. 

Finally, we encourage companies to proactively provide high-level disclosure of the above precautions as well as details on governance structures and controls. These disclosures are generally viewed favorably by investors as positive indicators of a company’s cybersecurity preparedness. For data privacy, companies are encouraged to adhere to the GDPR, CPPA, and CCPA guidelines and to use clear, simple language in their privacy policies.

Figure 3
cybersecurity-for-private-companies-fig3

Bottom line

Cybersecurity is a widespread and rapidly growing issue that has significant material impacts on private companies. These risks are particularly relevant as private companies approach the public markets, where strong oversight controls are considered part of good corporate governance and attention from potential attackers may increase. In our view, it is critical for companies to have the necessary expertise and infrastructure to navigate these substantial risks and the corresponding increase in regulation and disclosure expectations.

Appendix: Top 10 cybersecurity questions for private companies

Governance, oversight, and controls
1.When did the C-suite and operations team last go through a rehearsal for ransomware (including a ransom Q&A)?
2. 

When was the last holistic cybersecurity assessment (i.e., beyond penetration testing)?

3.

How do you help your board members interpret cybersecurity reports?

4.   Is cybersecurity integrated into enterprise risk management programs and, if so, what are the company’s preventative, detective, and corrective controls?
Breach history and response
5.Have you had an internal data breach or an external cyberattack that has impacted your systems?
6.What are your company’s disclosure and response policies if an attack occurs?
7.

Are there clearly defined roles within your crisis management team to minimize confusion during attacks?

Business model and operations
8.Do you use Internet of Things products for your operations and, if so, have you analyzed how secure they are?
9.Are any of your competitors based in countries with state hackers?
10.Is there something specific about your business model that puts you at a higher risk of a cyberattack?

1Sources: World Economic Forum, “The Global Risks Report” 2021 to 2023. | 2Sources: Venture Beat, “Accenture shares 9 cybersecurity predictions for 2023,” December 2022. | 3Source: IBM, “Cost of a Data Breach 2022.” Figures include ransom payments and customer compensation. | 4Ibid. | 5Source: US Securities and Exchange Commission, “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” 9 March 2022. | 6Ibid. |7Source: Forbes, “90% Of Boards Are Not Ready for SEC Cyber Regulations,” 6 February 2023. | 8Source: IT Governance, “ISO 27001, the International Information Security Standard.” | 9Source: General Data Protection Regulation. | 10Sources: Perkins Coie and Cytrio. | 11Source: Cytrio, “5th State of CCPA & GDPR Privacy Rights Compliance Research Report – Q4 2022,” February 2023. | 12Source: Wall Street Journal, “Private-Equity Firms Tighten Focus on Cyber Defenses at Portfolio Companies,” January 2023. | 13Source: Cybersecurity Dive, “Security accounts for just 5.7% of IT spend: Gartner,” October 2020. | 14Source: Tripwire, “Key Insights from the Guide to Cybersecurity Trends and Predictions for 2022 – 23,” February 2023. | 15Source: Gartner, “Third-Party Risk Management.” | 16Source: Wall Street Journal, “Private-Equity Firms Tighten Focus on Cyber Defenses at Portfolio Companies,” January 2023.

Experts

Related insights

Showing of Insights Posts
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Private market perspectives

Continue reading
event
Video
2025-01-31
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Five key ESG topics for private companies in 2024

Continue reading
event
Article
2024-12-31
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Governance best practices in public markets

Continue reading
event
Article
2024-08-31
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Five key ESG topics for private companies in 2023

Continue reading
event
Article
2023-12-31
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

ESG in private markets: Insights for 2023

Continue reading
event
Whitepaper
2023-11-30
Archived info
Archived pieces remain available on the site. Please consider the publish date while reading these older pieces.

Read next