Private companies are most at risk right before IPO
While overall risks remain the same for both public and private companies, public companies are often better prepared as they have more consistent scrutiny on cyber risks due to their established oversight practices and engagement with public investors. In contrast, when investing in a private company at early stages, investors likely have more limited insight into the company’s cybersecurity risks and thus the same scrutiny is not applied. Furthermore, early-stage companies may be more focused on building a client base and generating revenue, with fewer resources allotted to cybersecurity risk management.
Importantly, we believe early-stage companies are at the highest risk of a cybersecurity attack right before they go public. This is because a public announcement may draw the attention of “black hat” hackers who are very aware of a company’s maturity stage and the critical importance of its reputation during an IPO. This can make the business an attractive target for extortion/ransom attacks. If thoughtful controls are not in place, the company may not be able to fend off the attack, potentially placing it in the position of having to pay a ransom, suffering a public data breach, or having its services shut down at a critical time. By addressing these risks early, private companies can better avoid issues at this crucial transition period.
Increasing regulatory considerations
Regulators across the globe are increasingly concerned about data security, privacy, and transparency. In July 2023, the US SEC adopted new rules of cybersecurity risk management and disclosure for public companies, with the goal of creating consistent and comparable information for investors. The new rules require companies to disclose cybersecurity incidents and impacts within four business days of the incident being determined to be material. Furthermore, companies must disclose material information about their cybersecurity risk management, strategy, and governance in annual reporting.6 This reporting must include the board and management’s role(s) in identifying, assessing, and reporting cybersecurity risks internally. Private companies — particularly those preparing for an IPO — should consider whether they have sufficient cyber expertise on their leadership teams to satisfy investor and/or regulatory expectations for oversight.
There are several frameworks that private companies can adopt as best practices to mitigate increasing risks and prepare for regulation. These include ISO 27000, the National Institute of Standards and Technology’s Cybersecurity Framework, or the Cybersecurity Maturity Model.7 However, we recommend that companies customize their standards to be most relevant to their business model and industry. This will help ensure that controls are sufficiently customized for the company’s risk profile.
Beyond cybersecurity, data privacy is another key area of focus for global regulators, with an increased emphasis on consumer welfare and control. In 2018, the European Union (EU) created a new set of rules — the General Data Protection Regulation (GDPR) — designed to give EU citizens more control over their personal data.8 Several other regions have since begun implementing similar policies, including those by the California Consumer Privacy Act (CCPA) and the California Privacy Protection Agency (CPPA) in the US. These policies promote lawfulness, fairness, accuracy, and transparency of data processing; limitations on data collection and storage; and robust processes for accountability and recourse.9 Companies are accordingly investing in their data privacy systems, increasingly moving from manual compliance to automated solutions to improve their compliance with CCPA and CPPA.10 As these regulations continue to increase, well-prepared private companies can differentiate themselves from their peers.
Cyber-hygiene best practices for private companies
In addition to the actual risks and regulations, private companies should prepare for greater scrutiny as investors increasingly include cybersecurity risk evaluations in their due diligence process prior to the closing of a deal. These could include network scanning, penetration testing, third-party cybersecurity assessments, and proof of eligibility for cybersecurity insurance.11 Additionally, while each cyberattack incident itself is important, a company’s response to an attack can be even more material to investors. Companies should aim to be highly transparent and disclose material incidents promptly to the affected stakeholders (such as customers or suppliers). Notably, we believe it is important to establish relationships with third-party breach response services to assist early on in response to a potentially material incident.
Investors are also focused on the amount of capital deployed to technological investments relating to cyber protection. A recent survey found that companies increased spending on cybersecurity by 70% from 2019 to 2023 and allocated a median of 8% of their technology budgets to cybersecurity (up from 5% in 2019).12 Higher-risk industries (such as tech and retail) and private companies/SMEs (due to maturity stage and vulnerability level) are generally expected to allocate an above-average amount to IT spending. This can include investments to securely maintain hardware and quickly patch software, to ensure multifactor authentication is in place and widely used, to adopt cybersecurity insurance, and to procure independent third-party assessments. Notably, insurance is often a good proxy for company cyber strength. While cyber insurance premiums have increased in recent years, one survey reported that 76% of issuers purchased specialized cyber insurance in 2023.13
Importantly, companies should continuously and aggressively patch and evolve their security as attackers are constantly modifying their approaches. While smaller firms can outsource some security operations, we believe it is important, where financially feasible, to include a cybersecurity expert on the leadership team with the necessary expertise to formulate bespoke risk assessments and controls. To be effective, we believe cybersecurity needs to be proactively integrated into the operations of the firm.
Another area of focus for private companies relates to social engineering attempts by attackers via email, phone, or other means. Smaller companies with fewer resources can attract attackers for this very reason, with the likelihood of attacks increasing with press releases about funding rounds and new investors. We’ve observed email-related attacks on private companies, with attackers masquerading as executives from firms who are investors. One method attackers use is to establish “lookalike” (i.e., spoofed) email domains, similar to those of the new investment firms, and send emails in the hope of tricking an unwary member of the private firm such that the private firm is defrauded. Establishing a strong security culture and creating awareness can be an effective defense in combatting this and other social engineering methods.
Of additional concern is overseeing cybersecurity in key third-party service providers and establishing processes to assess supplier risk and respond in the event they are subject to cyberattack. In fact, more than 80% of third-party vendor risks are discovered after the initial onboarding and due diligence process.14 In our view, companies that rely on third-party vendors for technical development services and solutions should implement strict due diligence standards to minimize risk.
Finally, we encourage companies to proactively provide high-level disclosure of the above precautions as well as details on governance structures and controls. These disclosures are generally viewed favorably by investors as positive indicators of a company’s cybersecurity preparedness. For data privacy, companies are encouraged to adhere to the GDPR, CPPA, and CCPA guidelines and to use clear, simple language in their privacy policies.