There are few combinations of words in the English language that strike as much fear in the hearts of chief executives as “cyberattack.”

Once a relatively rare occurrence, the rapid digitalization of industries and systems in recent years has led to new online threats to businesses. Those risks only increased last year as companies moved online and to remote working in droves following the onset of covid-19. This shift saw more employees work from home, as they moved out of the office environment and far from the auspices of the IT department.

In this year’s Annual Global CEO Survey by consultancy PwC, cybersecurity jumped from fourth on the list of top-20 threats to businesses in 2020 to become the second-biggest, with almost half (47 percent) of business leaders worldwide highlighting it as their biggest concern. In North America and Europe, cybersecurity was identified as the top threat facing businesses.

Such conditions have helped create an ideal environment for many venture-backed cybersecurity start-ups to thrive. But venture firms themselves have not been immune from attacks.

In February, VC giant Sequoia Capital was forced to apologize as the personal and financial information of its investors was accessed by a third party after an employee was successfully phished. More recently, in August, Advanced Technology Ventures revealed that it was victimized by a ransomware attack impacting about 300 investors.

Such attacks on established and well-known VC firms underlines how serious the cyber-crime threat is.

Cyber-crime is becoming more common, and hackers are increasingly sophisticated in identifying potential weaknesses to exploit when targeting financial services firms. Brian Twibell, chief executive at social engineering attack specialist WireSecure, says the compromising of business e-mails in the US costs the financial services industry almost $2 billion of reported losses in 2020, according to FBI figures.

“A lot of these [crimes] go unreported because of reputational risk and so on. But private capital and real estate are [where] this type of fraud exists because you’ve got relatively unsophisticated buyers and sellers,” he says.

“Once somebody’s e-mail account is compromised, then you have bad actors reading everything received and everything sent. And the really sophisticated fraudsters like to focus on areas where there’s going to be large money movements.”

Twibell says it doesn’t matter where the point of contact in the investment chain is made; once a business e-mail is compromised, it can put GPs and LPs at risk.

“The really sophisticated fraudsters like to focus on areas where there’s going to be large money movements”
Brian Twibell

There are multiple ways for cyber-criminals to attack a business if they are determined. As such, venture firms need to take decisive action to ensure that their operations can withstand attacks and are as secure as possible.

“No matter one’s defenses, hackers are persistent and will employ numerous tactics to penetrate a company’s networks and systems,” says Sam Curry, chief security officer at Boston-based Cybereason. He adds that attempts to uncover such malicious operations by chasing alerts would be foolish.

“VCs and their LPs must make an effort to arm their internal or external security analysts with tools to quickly identify and respond to malicious operations with surgical precision,” Curry says.

“As with any organization from any industry, the key is to prepare in peacetime, prevent the preventable, and get really good at diagnosing the problem swiftly and stopping the enemy to limit material damage.”

Simon Eyre, chief information security officer at cybersecurity software provider Drawbridge Partners, advises venture firms to acquire expert advice, even for such public cloud systems as Google Workspace and Microsoft 365, which are still open to threats from cyber-criminals despite the strong defenses employed by their tech giants.

“Venture is a fast-paced, often remote environment where so much communication happens over electronic media. Attackers thrive in that environment”

William Kilmer
C5 Capital

“Don’t treat cyber-awareness training as a tick-box exercise,” he says. “Careful training and ownership fromthe executive team down is critical. Perform cybersecurity risk assessments on the business and the portfolio. Ensure everyone has reached a suitable standard.”

While building teams and systems in-house might be tempting to limit reliance on third parties and for greater control, it can be difficult to find experienced staff, and off-the-shelf solutions might not be 100 percent reliable or compatible.

“Socially engineered attacks are still predominant in our industry,” Eyre says. “It requires more depth to your cybersecurity program to protect against the real-world risks we see.”

That’s not to say IT isn’t a significant protector against cyber. But Eyre adds: “We are often the last line of defense when an attacker is trying to gain a foothold within a business.”

Ensuring investments are secure

It’s not just LPs that VC firms should worry about. While GPs might perform due diligence on a company’s financials before investing, they should ensure those potential portfolio companies are not at risk from cyber-threats.

“Every business, whether it is a two-person start-up or a multimillion-dollar corporation, should expect a cyberattack at some point,” says Nick Hayes, director of cyber-solutions at cybersecurity and risk advisory SureCloud.

“It’s no longer a case of if, but when. This is the same for VC firms, except they’re not only interested in attacks on their own organization but also on the businesses they want to invest in or have already invested in.

“VC firms have to consider that if a company is attacked, it’s not just the data that is stolen or the potential financial loss, it’s the reputational damage to both the company and the firm that backs them, which ultimately could have an impact on the success of their investment.”

And a poorly protected investee company can also be a potential source of vulnerability for a VC firm. As such, GPs need to make sure they take the correct precautions when approaching an investment.

“In the same way that you would set up an alarm to warn you against home intrusion. VCs should be carrying out comprehensive software due diligence in the pre-acquisition phase of every investment in parallel with financial and legal due diligence,” says Philippe Thomas, chief executive at Swiss digital assets security specialist Vaultinum.

“Technology due diligence will highlight risks and vulnerabilities associated with a software and its source code, including, but not limited to, data security issues,” Thomas says.

Nevertheless, identifying vulnerabilities in software requires specific technical skills and expertise that only a specialized third party will be able to provide, Thomas adds. And not all providers are the same.

“To be considered a trusted independent third-party, tech due diligence providers should be ISO27001-certified, have experience in archiving data securely and have no interest in using that data,” Thomas says.

In addition, he says they should not use cloud-based servers and instead use siloed servers, located where regulation provides strong data protection.

A pillar in the foundation of trust

For an industry that prides itself on protecting the identity of its investors, a successful and public cyberattack is a considerable reputational risk. And some VC firms are reluctant to comment on the record about cybersecurity issues, lest they put themselves under the spotlight and make themselves a target for cyber-criminals.

William Kilmer, managing partner at London-based cybersecurity investor C5 Capital, says there are several attributes that make firms potentially easy targets. This includes the industry’s highly mobile and remote-working employees, extensive use of cloud services, a broad attack surface and lots of public information that hackers can attain on employees to set up an attack.

“Through VC firms, hackers can get access to data and login information on wealthy individuals and organizations as well as access to deep pockets. What is more attractive than that?” he asks.

Building trust

Kilmer says it is incumbent on GPs to recognize that cybersecurity “is not just a cost of doing business, it’s a pillar in the foundation of trust.”While venture firms go to great lengths to protect their LPs, no specific cybersecurity requirements or standards exist in the industry.

“What we have seen is increasing encouragement by LPs to ensure that VC firms are conducting proper cybersecurity due diligence on companies before making an investment,” he says.

“This is moving from a traditional ‘check the box’ activity to more open exploration of the company’s processes, policies, and technology being employed to prevent attacks.”

Ultimately, Kilmer says there are three things VC firms can do to help protect themselves from attack.

First, firms should invest in the technology that will protect users in a remote, mobile and hybrid cloud world with on-premises cybersecurity infrastructure unsuitable for the demands of the current environment.

Second, firms need to approach cybersecurity as they would other business functions, such as accounting or legal, and partner with a provider they can trust to outsource monitoring, with Kilmer urging: “Don’t skimp on cybersecurity.”

And third, training employees in cybersecurity practices and awareness should be the priority for all venture firms.

“Venture is a fast-paced, often remote environment where so much communication happens over electronic media,” he says.

“Attackers thrive in that environment, and the best way to stop those types of socially engineered attacks is through high employee vigilance.”

This article first appeared in affiliate publication Venture Capital Journal