Understanding Cyber Risks in Venture Capital Investments


Summary

Understanding cyber risks in venture capital investments is about recognizing vulnerabilities that arise when funding innovative technologies, particularly in contexts where foreign adversaries or cybersecurity gaps can compromise sensitive data, supply chains, or even national security.

  • Conduct thorough due diligence: Evaluate potential investments for hidden risks, such as foreign influence or inadequate cybersecurity measures, to protect sensitive information and assets.
  • Collaborate across teams: Engage cybersecurity, risk management, and legal experts to assess vulnerabilities and establish robust defense strategies that align with business goals.
  • Monitor post-investment risks: Regularly review portfolio companies to identify and address emerging threats, ensuring long-term security and operational resilience.
Summarized by AI based on LinkedIn member posts
  • Christopher Hetner

    Senior Cyber Risk Advisor Serving the 24,000 Member Boardroom Community | Former Senior Cybersecurity Advisory to the SEC Chair | Former US Treasury Senior Cyber Advisor & G-7 Cyber Expert | Board Director | CISO | AI

    10,081 followers

    SEC Cybersecurity 8-K Alert

    As the former Senior Cybersecurity Advisor to the U.S. Securities and Exchange Commission Chair, it appears the 8-Ks issued so far are non-compliant. What's missing is how these cyber events have or will introduce material business, operational and financial harm. I suspect most companies have not figured this out. This is reflective of a disconnect amongst the technology, cybersecurity, business and enterprise risk management functions….. including the Boardroom!!!!

    Below is a list of business-focused risk factors:

      • Costs due to business interruption, decreases in production and delays in product launches.
      • Payments to meet ransom and other extortion demands.
      • Remediation costs, such as liability for stolen assets or information, repairs of system damage and incentives to customers or business partners in an effort to maintain relationships after an attack.
      • Increased cybersecurity protection costs, which may include increased insurance premiums and the costs of making organizational changes, deploying additional personnel and protection technologies, training employees and engaging third-party experts and consultants.
      • Lost revenues resulting from intellectual property theft and the unauthorized use of proprietary information or the failure to retain or attract customers following an attack.
      • Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.
      • Harm to employees and customers, violation of privacy laws and reputational damage that adversely affects customer or investor confidence.
      • Damage to the company's competitiveness, stock price and long-term shareholder value.

    Cyber risk management is a team sport that requires the entirety of the enterprise to ensure business resilience. What is required is a more inclusive message and collaboration that includes all enterprise risk management leaders.
    Learn more how the NACD (National Association of Corporate Directors) boardroom community is tackling this issue powered by X-Analytics (SSIC) https://lnkd.in/esrRhxJQ

  • Christine Halvorsen

    CTO/VP of IT

    5,498 followers

    I have received several inquiries regarding the recent White House Executive Order (EO) to address United States Investments in Certain National Security Technologies and Products in Countries of Concern. Thought I would share my perspective and how to address the EO.

    The EO is the next step in actions by the Biden administration supporting the 2023 National Cybersecurity Strategy and begins to address the long-term national security concerns and risks that have been posed by the countries of concern for years.

    The EO had several key factors that could have a significant impact on your organization and Private Equity and Venture Capital firms. They are:

      1. National security risks exist and are persistent in critical technologies.
      2. Countries of concern are a long-term risk to both the U.S. government and commercial sector and are not a "one and done".
      3. Venture capital (VC) and private equity (PE) firms may be used as a backdoor by countries of concern to support their military and intelligence advancements.
      4. Enforcement will be conducted by the Department of Treasury and will establish policies.
      5. The Department of Commerce will have a role in enforcement activities and will establish policies.
      6. Treasury will provide an assessment to the White House within one year of implementation efforts.

    Here are a few suggestions on how to think about how the EO affects your organization:

    An organization's maturity in understanding the vast breadth and risks of all its suppliers and supply chain relationships will determine the next steps in establishing risk management and controls within its operations. The goal of the organization should be to "de-risk" its supply chain with suppliers that are not in the countries of concern. The ability to "de-risk" suppliers involves establishing a supply chain risk management (SCRM) framework and program. The framework, ideally managed by your chief risk officer, must ensure it supports all stakeholders and product/business owners through a hub-and-spoke model to ensure due diligence on suppliers is conducted, and continually monitored, and also ensure a mitigation strategy to manage risk is deployed.

    VC and PE firms must conduct due diligence in ensuring their outgoing financial flows are not supporting technological advancement in high-tech sectors like quantum computing, AI/ML, and semiconductors/microelectronics, to name a few, in countries of concern. VC/PE firms should conduct research and due diligence on their investments on a continuous basis.

    Hope this helps in preparing your organization in helping secure our National Security.

  • Ryan Johnson, Esq. FIP

    CPO | Board Member | Investor

    3,453 followers

    Insightful piece by John Hauser and Brian Levine with EY making a strong case for #privateequity firms to revisit #cybersecurityrisks as the sector becomes an increasingly attractive target for threat actors. They touch on how portfolio companies, often resource-constrained, struggle to defend against sophisticated attacks. As #cyberthreats targeting PE transactions and portfolio companies increase, it's crucial for funds to implement a comprehensive cybersecurity strategy across the entire ownership lifecycle. PE funds can drive change by hiring cybersecurity experts, offering fund-provided services, and enlisting insurance brokers to assess coverage. A robust cyber program can reduce risk, improve competitiveness, and enhance innovation for PE investors and their portfolio companies.
