
Unveiling the hidden risks: Why venture capital firms must scrutinise target companies’ cybersecurity posture before sealing the deal

Nicola Hartland | CRO | Falanx Cyber SOC services XDR MDR

The venture capital (VC) industry – which moved $445 billion in global venture funding in 2022 – has a huge cybersecurity target on its back. This is why VC firms typically have strong cyber defences.

But too often this focus falls short when vetting a target company. Asking about their cyber liability is regularly overlooked, creating unacceptable levels of risk. This is why VC firms must pay more attention to their weakest cyber link – target companies – and ensure that during the due diligence process, cybersecurity is top of the critical investment list.

The breach of a target company that has recently been acquired has serious consequences. Successful attacks cost up to a million pounds to resolve. These costs may not come directly from your pocket, but companies that suffer a breach generally fall in value by 20-33%, hitting your return on investment.

An attack even poses the risk of legal issues if data is sold on the dark web. This is a nightmare scenario for investors, who may be called in front of their board of directors to explain what went wrong.

Reputational costs are also a concern for the VC. A newly acquired portfolio company falling victim to a crippling cyberattack could damage the reputation a firm has built up after making years of astute investments with high returns.

Of course, every transaction carries an element of risk. The world’s top investors are the ones who understand how to reduce this risk the most, maximising returns and minimising losses.

The best way to do this is to add cyber due diligence to the critical investment checklist, asking detailed questions on a target company’s cyber systems. The top ten questions to ask include:

  1. Have you identified your immediate vulnerabilities, and fixed them through patching or upgrading the affected software?
  2. Do you regularly run company-wide phishing simulation tests?
  3. Have you recently undergone a ‘pen test’ (an authorised, hands-on intrusion attempt against your internal and external network infrastructure)? What were the results?
  4. Do you provide staff with training to detect and avoid threats?
  5. What is management’s attitude towards cyber security risk?
  6. Do you hold regular cyber security reviews, and are their findings reported to and monitored at board level?
  7. Do you have a Chief Information Security Officer (CISO), a Data Protection Officer (DPO), and IT management capable of delivering an effective security environment?
  8. Are basic controls, such as multi-factor authentication, in place to control access?
  9. Does the organisation have a disaster recovery (DR) plan in place? Has it been tested?
  10. Is cyber security insurance cover in place? If so, what is the premium history, and what special conditions of cover apply?

These are just a sample of the questions you should be asking that could potentially save you millions. A proper threat and risk assessment will give you a hacker’s eye view of the business you’re planning to invest in. Rest assured, financial, reputational, regulatory, and operational consequences can all be avoided with the right level of risk assessment.

Whatever the target company’s responses are, a responsible VC should hire an independent company to put a target company through its paces. Investing in security assessments, security testing of IT systems and 24/7 monitoring services is well worth the long-term reassurance. Proper due diligence could save you a million-pound bill.

Talk to us about securing your portfolio companies today
