Any investment comes with an element of risk, and when you’re conducting due diligence on a potential startup or are working to mature a company in your portfolio, cybersecurity risk should be assessed and considered as early as possible. That’s because it can quickly spiral out of control and result in financial, reputational, continuity, legal, and compliance risk to the company and the investors.
In the past, cybersecurity might have seemed like something that could be kicked down the line, yet increasingly it can have a huge impact on the future value of your portfolio companies. It should be addressed like any other risk within your portfolio – maybe even at a higher priority, as implementing controls early will lead to significant savings and cost avoidance over a later retrofit.
Here are three key reasons why investors should incorporate cybersecurity tools, services and best practices into their portfolio companies today.
1. Start your cybersecurity program early and save more
When you analyze a company’s finances to determine whether or not to invest, it’s natural to consider the prospective company’s existing debt. But what some investors fail to analyze are the costs associated with cyber debt. If companies don’t prioritize establishing a security culture and an associated comprehensive security program early, then each employee, device, third-party application and new piece of software that’s added to their environment adds to their cyber debt. Those costs can really add up over time in the form of re-architecture work, replacement and new technologies, and an increasing risk of a cyberattack.
Those costs are only going to rise the more the companies in your portfolio grow. For example, implementing security protocols and best practices like two-factor authentication and limiting admin access is easy when you have 10 employees. Trying to reverse bad habits and get buy-in from an organization that’s grown substantially will be exponentially harder. By addressing cyber debt early, your portfolio companies will save time, money, and resources in the long run. And they’ll be more resilient against cyber threats.
2. A data breach could devastate your startup or growing business
Data breaches are expensive and cost companies an average of $4.24 million in 2021 according to a report from the Ponemon Institute. And the full costs of a data breach extend beyond ransoms paid or the cost of recouping lost data. Total data breach costs include remediation, investigation, legal fees and payouts, compliance fines, and the costs of reputational damage and business disruptions.
This is true for all companies, but some of these costs can be fatal for startups or small firms, especially when it comes to reputational damage. If one of your key investments doesn’t have an established reputation or hasn’t built up enough trust with customers, a data breach may be the end of its business, which can then lead to potential financial or legal risk that may come back to you. Having your companies invest in cybersecurity early to avoid a data breach is essential. The risk is even higher for new acquisitions as they’re prime targets for hackers with their injection of cash.
As you prioritize costs and budgets, make sure you’re looking at that $4.24 million number. Is that an expense one of your growing companies can take on in the event of a data breach? If not, cybersecurity is probably worth the investment.
3. Reduce impact to the top and bottom line
When a startup is small, it may not be garnering a lot of attention and can fly under the radar for a while. Leadership can take its time professionalizing the organization, but there will come a time — perhaps more quickly than you’d expect — when cybersecurity becomes important to the people and organizations around your portfolio companies.
For your customers, the most direct impact is around customer acquisition and retention. While early adopters may be willing to overlook security gaps to take advantage of the latest technology, the majority of customers over time will want to make sure they can trust companies with their private, personal information. And as your set of companies grows, their customers will expect stronger security. Any indication of a breach could lead to a mass exodus of customers. In fact, according to PCI Pal data, 62% of Americans claimed they would stop buying from a brand for several months following an attack.
As more businesses are impacted, governments are stepping in with more stringent regulations to protect citizens’ data. Depending on where your customers are located and which industry your business operates in, you are likely required to follow regulations like GDPR, CCPA and HIPAA. The SEC has also recently proposed new cybersecurity risk management rules for investors that would require them to “adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors.”
Not only are regulations increasing, but the fines for not complying with them are increasing as well. At the end of 2020, Singapore set heavier fines for data breaches and it’s likely other countries will follow suit.
Maybe most importantly for you, cyber risk has a direct impact on an exit for your companies. A company’s security posture will be a key factor in the valuation process. As purchasers are conducting due diligence, they’ll be looking closely at your portfolio company’s security systems and processes because they won’t want to take on any unnecessary risk. Providing assurance that the company is cyber resilient and has not experienced a breach can remove any barriers to closing a deal.
View cybersecurity as your next investment
The best way to determine where cybersecurity falls on the prioritization list is to view it as a long-term investment. It may seem like something that can or should be pushed off until your companies have more time and budget to make big improvements, but small steps taken early on. If you start early, it will cost less and require less effort in the long run. This is as much about implementing controls as it is about embedding a security culture at a company.
Improving your companies’ security posture doesn’t have to mean they need to hire an entire team of experts and put together a robust program. Many startups and small businesses outsource their security efforts to an MSSP and purchase the minimum effective dose of security. This will increase your companies’ security posture and reduce the risk of a breach, allowing them to pay down cyber debt before it spirals out of control. It also makes businesses more attractive to customers and other investors.
SolCyber is not your average MSSP. We bring everything to the table from a curated security tech stack to 24/7 detection and response services. And we want to help you get your portfolio companies into a position where security grows with the business.
If you’re ready to invest in security best practices, drop us a note. We’d love to chat.