Private companies may be most at risk right before IPO
While overall risks remain the same for both public and private companies, public companies are often better prepared as they have more consistent scrutiny on cyber risks due to their required engagement with public investors. In contrast, when investing in a private company at early stages, investors likely have very limited insight into the company’s cybersecurity risks.
Importantly, we believe private companies are at the highest risk of a cybersecurity attack right before they go public. This is because a public announcement can draw the attention of “black hat” hackers who are very aware of a company’s maturity stage. If controls are not in place, IPO headlines can paint an easy target on a company that may not be able to fend off or survive an attack and is therefore more likely to pay a ransom. By addressing these risks early, private companies can better avoid issues at this critical transition period.
Increasing regulatory considerations
Regulators across the globe are increasingly concerned about data privacy, security, and transparency. For example, the SEC identified “information security and operational resiliency” as one of its 2021 priorities and has proposed rule amendments to enhance disclosures regarding cybersecurity risk governance. The proposal encourages boards to enhance disclosure on the rigor of their cybersecurity oversight committees, to recruit specific director expertise, to incorporate cybersecurity performance in executive compensation, and to align with external security process best practices.10 In addition, in February 2022, the SEC proposed its first comprehensive cybersecurity rule for investment advisors and funds. This would require confidential disclosure to the SEC of details about the scope of a breach, how the advisor/fund is working to limit the hack’s impact, and its effect on financial markets.11 Furthermore, an annual investor disclosure on cybersecurity preparedness and maintenance of such practices would also be required.
While cybersecurity regulation evolves, there are several frameworks that private companies can leverage to help mitigate increasing risks, such as ISO 27000, the National Institute of Standards and Technology’s Cybersecurity Framework, or the Cybersecurity Maturity Model. However, we recommend companies design their own standards in a way that is most relevant to their business model and industry. This allows their controls to be sufficiently customized for their risk profile.
In addition, trends in data privacy regulation have seen an increased emphasis on consumer welfare and control. In 2018, the EU created a new set of rules — the General Data Protection Regulation (GDPR) — designed to give EU citizens more control over their personal data. Several other regions have since begun implementing similar policies, including the California Consumer Privacy Act (CCPA) in the US. These policies promote lawfulness, fairness, accuracy, and transparency of data processing, limitations on data collection and storage, and robust processes for accountability and recourse.12 As these regulations continue to proliferate, well-prepared private companies can differentiate themselves from their peers.
Cyber hygiene practices for private companies
In addition to the actual risks, private companies should consider preparing for greater scrutiny as more investors include cybersecurity risk evaluations in their due diligence process. While each black hat incident itself is important, how a company responds to attacks is often more material to investors. Companies should always disclose security incidents to the affected stakeholders (such as customers or suppliers). Furthermore, we believe companies need to be proactive and disclose incidents publicly or internally depending on the specific business circumstances and the sensitivity of the data.
Investors are also concerned with the amount of capital deployed to technological investments relating to cyber protection. Higher-risk industries (such as tech and retail) and private companies/SMEs (due to their maturity stage and vulnerability level) are expected to allocate an above-average amount to IT spending. Firms typically spend roughly 1.7% – 12% of IT expenses on cyber risk (sometimes upward of 20% depending on risk level) and rarely spend less than 5%.13 This can include investments to update hardware and software, multifactor authentication, adoption of cybersecurity insurance, and procurement of third-party security score assessments. Notably, insurance is often a good proxy for company materiality and cyber strength. However, insurance premiums have been on the rise and many companies struggle to obtain coverage due to heightened risks. Insurance has also broadened the ransom market as attackers are aware of what companies can afford.
Importantly, companies must continuously and aggressively patch and evolve their security as attackers are constantly modifying their approach. While smaller firms can outsource most of their security operations, we believe it is important to hire someone in-house on the leadership team who has the necessary practical level of expertise to formulate bespoke risk assessments and controls. In contrast, third parties will often provide a commodity service without the necessary nuanced perspective. In addition, we believe it is essential for private companies to produce sustainability reports that provide a high-level disclosure of the above as well as details on governance structures and controls. These disclosures are viewed favorably by investors as positive indicators of a private company’s cybersecurity maturity and precaution.
On the privacy side, companies are encouraged to adhere to the GDPR and CCPA guidelines and to use clear and simple language in their privacy policies. To maintain trust and increase user control, we believe companies should also provide high-level disclosure on any AI decision-making processes, consider AI best practices and principles, and facilitate user access to correction, retention, portability, and deletion of data.