Nine critical controls to protect your portfolio from cyber attacks
How to make cybersecurity part of your due diligence process
As every private funds CFO knows, investing in a new portfolio company requires careful consideration of potential risks. Risks related to inadequate cybersecurity are substantial. According to Fitch, 8,100 cyber insurance claims were closed with payment in 2021, a number that has grown 200% annually over the last three years. That level of risk is attracting regulatory attention. Last year, the US Securities and Exchange Commission (SEC) unveiled a set of proposed rules that set new requirements governing cybersecurity risk management on the part of registered investment advisors and funds.
Even setting aside the SEC’s public recognition of the threats investors face, cybersecurity is well worth your time and energy. An ideal time to identify threats and deploy critical cybersecurity controls is before you close on an investment with a new portfolio company.
More than just a risk to operations, an organization’s cybersecurity posture represents a potential risk to its investors, both in terms of financial returns and the possibility that their personal information could be compromised. During a deal, it’s critical to conduct proper due diligence on this type of risk and to mitigate any issues you discover. Grant Bourzikas, former chief information security officer at Silicon Valley Bank, recently noted in a video the importance of being prepared, “From a VC and PE standpoint, it is essential that your portfolio is resilient under attack from things like distributed denial of service attacks or ransomware.”
Fortunately, there are resources available to help you assess cybersecurity risk and mitigate it as appropriate.
Produce a comprehensive risk assessment
Cybersecurity risk mitigation is ultimately an exercise in maximizing return on investment (ROI). Without a clear sense of the potential risk, it can be difficult to determine the appropriate level of resources to commit to addressing the issue. The first questions to ask are: What would the impact of a data breach be? Who will take action?
Consider Yahoo, which disclosed three data breaches toward the end of 2016, after it had committed to an acquisition by Verizon. The fallout cut the size of the deal by $350 million.* Failing to detect these sorts of issues early can produce both reputational and financial damage. In the case of Marriott International’s acquisition of Starwood Hotels & Resorts, Marriott discovered that for $13.6 billion it had purchased extensive security issues along with the chain’s assets.**
Even more concerning, the damage from an acquired company’s poor cybersecurity posture may not be limited to its own operations. A breach of information that includes sensitive information about institutional investors, family offices and private accredited investors could jeopardize a private equity (PE) firm’s ability to raise additional funds. If a cybersecurity incident could be materially damaging, it’s in your best interest to make sure cybersecurity risks are properly managed, or ensure controls are put into place to do so.
Implement controls strategically to manage risk
Risk management doesn’t have to be all-encompassing. Few funds CFOs have unlimited resources to throw at cybersecurity issues, so it’s critical to achieve as much risk reduction as possible for the cost of a given control.
If a company already has robust cyber insurance in place, it can help better quantify the cost of a cybersecurity incident. However, requiring that portfolio companies carry cyber insurance isn’t always possible. Cyber insurance is significantly less common overseas, especially among smaller companies, so international deals may require additional scrutiny.
Absent cyber insurance, it’s unwise to presume anybody at the target company has done a cybersecurity risk assessment.
Cybersecurity controls come with a range of effectiveness and cost. As tools become more sophisticated, their ROI generally drops. It can be useful to view them in three tiers so you can understand how to achieve the highest possible level of risk mitigation with the resources available.
Nine essential cybersecurity controls
Tier 1: Recommended and effective tools
These are the first cybersecurity controls you should recommend that your portfolio companies consider. They are relatively easy to implement and can offer risk mitigation at a lower cost.
Requiring multifactor authentication (MFA) for all network endpoints and training employees on its use are cost-effective ways to tighten cybersecurity.
Keeping all digital information encrypted both in transit and at rest, across all networks, is another basic cybersecurity step that can help harden your systems against breaches.
Implementing a formal plan can help prevent chaos in the event of a breach and can be as simple as filling out a template you’ve developed in advance. It’s also important to test a plan once it’s in place to ensure your team understands what their roles would (and would not) be in an emergency.
Tier 2: More resource-intensive tools, with an additional level of safety
These tools can generate an additional level of protection.
These solutions can be costly, but it’s important to consider the costs against the benefits of being back online much faster in the event of a ransomware attack.
Vigilant employees offer substantial protection against cyber attacks. Consistent training can keep them from becoming complacent and ensure they are up to date as threat vectors change and cybercriminals become more sophisticated.
The more system and network updates can be automated, the less organizations need to rely on their people to run updates on their devices. A network is only as strong as its weakest device, so the IT resources spent here can have a significant impact.
Tier 3: World-class protection, at a cost
When the stakes are very high and the resources are available, these controls can go even further to help thwart cybercriminals.
These systems monitor devices on a network to identify usage patterns that could indicate malicious use. This type of technology can respond to emerging threats before they are broadly known.
Tightening access to sensitive information is the basic principle behind tools like MFA. Privileged access management monitors network activity to identify and mitigate potential breaches of sensitive information more quickly.
The ability to segment a network into discrete parts can help limit a cybercriminal’s ability to access sensitive information in the event of a breach. This reduced threat profile comes at the expense of greater network complexity.
You don’t need to do it all on your own
With needs identified and a menu of controls at your disposal, the final question is what action to take. If you have the luxury of a partner or teammate who acts as an interim chief information officer for portfolio companies, that person can be a great resource for identifying and implementing cybersecurity controls. Your internal IT department can also be helpful.
Third parties with knowledge and expertise include managed service providers and third-party cyber risk consulting firms that can often do assessments and make appropriate recommendations. Insurance brokers and insurance companies can be a valuable source of assistance as well.
Cyber threats pose more than just an operational risk. They can also create investment and reputational risks. Building cybersecurity controls into your due diligence process can help you maximize the full potential of your portfolio investments and protect your firm and clients.
CEO and founder, Converge
** “Marriott's $13.6 Billion Starwood Deal Bought Security Risk,” Bloomberg, 11/30/2018
All non-SVB named companies are independent third parties and are not affiliated with SVB Financial Group.
The views expressed in this column are solely those of the author or speaker and do not reflect the views of SVB Financial Group, or Silicon Valley Bank, or any of its affiliates. This material, including without limitation the statistical information herein, is provided for informational purposes only. The material is based in part upon information from third-party sources that we believe to be reliable, but which have not been independently verified by us; and, as such, we do not represent that the information is accurate or complete. You should obtain relevant and specific professional advice before making any investment or other decision. Silicon Valley Bank is not responsible for any cost, claim or loss associated with your use of this material.