- Director of ESG, Private Investments
The views expressed are those of the author at the time of writing. Other teams may hold different views and make different investment decisions. The value of your investment may become worth more or less than at the time of original investment. While any third-party data used is considered reliable, its accuracy is not guaranteed. For professional, institutional, or accredited investors only.
Cyberattacks are among the world’s most pressing risks. In fact, they were rated among the top ten risks in both the 2020 and 2021 World Economic Forum Global Risk Reports.[1] The reports note that cybercrime-as-a-service is on the rise as it becomes more affordable, accessible, and sophisticated. Though previously considered a technology issue, cybersecurity has become an increasingly material ESG concern for private companies, investors, regulators, and consumers.
In this piece, we highlight this rising problem, explore how it affects the private sphere, discuss key regulatory considerations, and share best practices for private companies facing these threats.
The rapid shift to work-from-home models brought on by COVID-19 forced numerous companies to bypass various cybersecurity controls, leading to an unprecedented rise in cyberattacks during the pandemic.[2] Critical controls, such as secured data transmission via VPN software or enforcement of risk-mitigating behaviors, were in many cases compromised for the sake of speed and convenience.[3] In 2021, this contributed to increased cyber threats for 81% of global organizations and greater downtime due to cyber incidents for 79% of global organizations.[4] Notably, nearly 80% of senior IT employees and security leaders now feel their companies lack sufficient protection against cyberattacks despite increased IT security investment.[5] Still, only 57% of companies conducted a data security risk assessment in the past year.[6] These concerning trends have led over 60% of technology executives to expect the number of reportable ransomware incidents to continue to grow in 2022.[7] We believe early-stage private companies that can nimbly adapt to this evolving landscape will be well positioned to address these rising risks. Critically, cyber threats are pervasive across industries and come in many forms.
Cyberattacks are material issues for both private and public companies as they raise the risk of exposing confidential company information or sensitive customer data, halting operations (which can in turn disrupt supply chains), increasing regulatory scrutiny, and/or causing reputational harm. The average cost of a data breach in 2021 (including ransom payments and customer compensation) was US$4.24 million per incident, the highest level in 17 years,[8] and the global cost of cybercrime is projected to reach US$10.5 trillion annually by 2025.[9] Companies with marketable information on clients or intellectual property are at heightened financial risk due to the impact that data has on both their value and brand loyalty. In addition, firms that depend heavily on real-time operations can expect high per-minute costs of lost opportunity and revenue in the event of a denial-of-service (DoS) attack.
Thus, while a firm may incur no direct material loss from some attacks, these risks can have a significant influence on a company’s valuation by impacting brand perception and operating costs. Private companies should incorporate these potential risks when evaluating cybersecurity investments as underspending could severely amplify long-term costs.
While overall risks remain the same for both public and private companies, public companies are often better prepared as they have more consistent scrutiny on cyber risks due to their required engagement with public investors. In contrast, when investing in a private company at early stages, investors likely have very limited insight into the company’s cybersecurity risks.
Importantly, we believe private companies are at the highest risk of a cybersecurity attack right before they go public. This is because a public announcement can draw the attention of “black hat” hackers who are very aware of a company’s maturity stage. If controls are not in place, IPO headlines can place an easy target on a company that may not be able to fend off or survive an attack and is therefore more likely to pay a ransom. By addressing these risks early, private companies can better avoid issues at this critical transition period.
Regulators across the globe are increasingly concerned about data privacy, security, and transparency. For example, the SEC identified “information security and operational resiliency” as one of its 2021 priorities and has proposed rule amendments to improve disclosures regarding cybersecurity risk governance. The proposal encourages boards to enhance disclosure on the rigor of their cybersecurity oversight committees, to recruit specific director expertise, to incorporate cybersecurity performance in executive compensation, and to align with external security process best practices.[10] In addition, in February 2022, the SEC proposed its first comprehensive cybersecurity rule for investment advisors and funds. This would require confidential disclosure to the SEC of details about the scope of the breach, how the advisor/fund is working to limit the hack’s impact, and its effect on financial markets.[11] Furthermore, an annual investor disclosure on cybersecurity preparedness and maintenance of such practices would also be required.
While cybersecurity regulation evolves, there are several frameworks that private companies can leverage to help mitigate increasing risks, such as ISO 27000, the National Institute of Standards and Technology’s Cybersecurity Framework, or the Cybersecurity Maturity Model. However, we recommend companies design their own standards in a way that is most relevant to their business model and industry. This allows their controls to be sufficiently customized for their risk profile.
In addition, trends in data privacy regulation have seen an increased emphasis on consumer welfare and control. In 2018, the EU created a new set of rules, the General Data Protection Regulation (GDPR), designed to give EU citizens more control over their personal data. Several other regions have since begun implementing similar policies, including the California Consumer Privacy Act (CCPA) in the US. These policies promote lawfulness, fairness, accuracy, and transparency of data processing, limitations on data collection and storage, and robust processes for accountability and recourse.[12] As these regulations continue to proliferate, well-prepared private companies can differentiate themselves from their peers.
In addition to the actual risks, private companies should consider preparing for greater scrutiny as more investors include cybersecurity risk evaluations in their due diligence process. While each black hat incident itself is important, how a company responds to attacks is often more material to investors. Companies should always disclose attack incidents to the affected stakeholders (such as customers or suppliers). Furthermore, we believe companies need to be proactive and disclose incidents publicly or internally depending on the specific business circumstances and the sensitivity of the data.
Investors are also concerned with the amount of capital deployed to technological investments relating to cyber protection. Higher-risk industries (such as tech and retail) and private companies/SMEs (due to their maturity stage and vulnerability level) are expected to allocate an above-average amount to IT spending. Firms typically spend roughly 1.7% to 12% of IT expenses on cyber risk (sometimes upward of 20% depending on risk level) and rarely spend less than 5%.[13] This can include investments to update hardware and software, multifactor authentication, adoption of cybersecurity insurance, and procurement of third-party score assessments. Notably, insurance is often a good proxy for company materiality and cyber strength. However, insurance premiums have been on the rise and many companies struggle to obtain coverage due to heightened risks. Insurance has also broadened the ransom market as attackers are aware of what companies can afford.
Importantly, companies must continuously and aggressively patch and evolve their security as attackers are constantly modifying their approach. While smaller firms can outsource most of their security operations, we believe it is important to hire someone in-house on the leadership team who has the necessary practical level of expertise to formulate bespoke risk assessments and controls. In contrast, third parties will often provide a commodity service without the necessary nuanced perspective. In addition, we believe it is essential for private companies to produce sustainability reports that provide a high-level disclosure of the above as well as details on governance structures and controls. These disclosures are viewed favorably by investors as positive indicators of a private company’s cybersecurity maturity and precaution.
On the privacy end, companies are encouraged to adhere to the GDPR and CCPA guidelines and to use clear and simple language in their privacy policies. To maintain trust and increase user control, we believe companies should also provide high-level disclosure on any AI decision-making processes, consider AI best practices and principles, and facilitate user access to correction, retention, portability, and deletion of data.
Cybersecurity is a widespread and rapidly growing issue that has significant material impacts on private companies. These risks are particularly relevant as private companies approach the public markets wherein strong oversight controls are considered good governance. In our view, it is critical for companies to have the necessary expertise and infrastructure to navigate these substantial risks and the corresponding increase in regulation and disclosure expectations.
Governance, oversight, and controls
1. When did the C-suite and operations team last go through a rehearsal for ransomware (including a ransom Q&A)?
2. When was the last holistic cybersecurity assessment (i.e., beyond penetration testing)?
3. How do you help your board members interpret cybersecurity reports?
4. Is cybersecurity integrated into enterprise risk management programs and, if so, what are the company’s preventative, detective, and corrective controls?

Breach history and response
5. Have you had an internal data breach or an external cyberattack that has impacted your systems?
6. What are your company’s disclosure and response policies if an attack occurs?
7. Are there clearly defined roles within your crisis management team to minimize confusion during attacks?

Business model and operations
8. Do you use Internet of Things products for your operations and, if so, have you analyzed how secure they are?
9. Are any of your competitors based in countries with state hackers?
10. Is there something specific about your business model that puts you at a higher risk of a cyberattack?
[1] Source: 2020 World Economic Forum Global Risk Report.
[2] Source: McKinsey, “Cybersecurity’s dual mission during the coronavirus crisis”, March 2020.
[3] Ibid.
[4] Source: Business Wire, November 2021.
[5] Sources: Forbes, March 2021; IDG Research Services survey, Insight Enterprises.
[6] Ibid.
[7] Source: PwC, “Cyber-ready: Today and for tomorrow”, 2021.
[8] Source: Ponemon Institute and IBM Security, Cost of a Data Breach Report, July 2021. To calculate the average cost of a data breach, this research excludes very small and very large breaches. Data breaches examined in the 2021 study ranged in size between 2,000 and 101,000 compromised records.
[9] Sources: Embroker, December 2021; Cybercrime Magazine, November 2020.
[10] Sources: JDSUPRA, March 2021; Greenberg Traurig, September 2021.
[11] Source: Ignites, February 2022.
[12] Source: Information Commissioner’s Office, UK.
[13] Source: Cybersecurity Dive, October 2020.