Portfolio companies’ cyber security can no longer be a tick box exercise for investors

Jul 13, 2022

By Nicola Hartland, Senior Vice President at Falanx Cyber

It shouldn’t take an official report by Moody’s to tell investment firms that cyber-attacks are an ever-increasing threat to companies’ financial stability. Yet the same firms remain cyber-security laggards: the report found that nearly half of investment firms have no form of cyber insurance, and that while overall spend is increasing, it’s not leading to more robust defences.

That some investors don’t have their own house in order is certainly cause for concern. More worrying, perhaps, is that it can undermine how thorough they can be when considering the cyber preparedness of their portfolio companies – something which too often remains a piecemeal part of the investment process.

EU legislation is specifically targeting the financial services sector, including investors and their portfolio companies. And with good reason. It’s not household names alone that are at risk; small and mid-market companies are equally interesting to attackers, often because they are the least protected.

One infamous example is the ‘Florentine Banker’ incident of 2019, where three companies across the UK and Israel had £600k stolen after attackers gained control of the victims’ email accounts and diverted a planned transfer of funds.  That, regrettably, is how easy it remains for attackers to take advantage of those without protection. Incidents like this should be a stark reminder that when it comes to investing their money in portfolio companies, investment firms need to be going far beyond the bare minimum in ensuring their prospects are thoroughly prepared for the ever-increasing pace of cyber-attacks.

If investors have skin in the game with a company, any cyber-attack on their investment is essentially an attack . Companies that suffered a breach showed a fall in enterprise value of 20-33% in the aftermath of the announcement[1]. Not what you want to happen to your investments, especially in the current bearish economy. The solution is two-fold.

Investment firms need to ensure their cyber defences are up to snuff and check that they are not falling into common traps. Outsourcing all their IT security function, for example, for the sake of saving money, but failing to insist on levels of stringency, happens all too frequently. At the least, firms need a provider that offers regular penetration testing of their own networks and systems, and 24×7 managed detection services. Moody’s may have pointed out a lack of cyber insurance amongst investment firms, but even that only goes so far. Insurance prepares you for the worst – proactive monitoring prevents the worst from happening.

Managing the cyber security performance of their portfolio companies is more complex. But essentially, cybersecurity measures have to be added to an investor’s ‘critical’ checklist. Before making an investment, every fund manager undertakes an initial due diligence process. This now needs to include cyber preparedness as standard. They must check that a company is robust when it comes to protecting itself online, and if not, be prepared to either walk away or spend more today to save money and reputation in the long term.

Yes, it’s frustrating to see an otherwise potentially strong investment fall by the wayside because its cyber security awareness is not where it should be. But a company that promises a lot when it comes to investment returns may turn out to be something of a dead duck when it comes to its resilience against hackers. The reality is that cyber preparedness will become a robust and vital add-on that may constitute a significant investment for portfolio companies. I’ve begun to see increased pressure in M&A transactions for specific vendor warranties around cyber protection measures, and that pace will surely grow.

Most importantly, investment firms should confront the discussion of cyber security as soon as possible with an investee company. If proper cyber security measures are not in place – they need to make sure they are before they press ‘go’.

[1] Falanx Cyber case study: How Cyber-Secure Are Your Portfolio Companies?
