Technology continues to play a critical role in shaping the global risks landscape for individuals, governments, and businesses. According to the World Economic Forum’s Global Risks Report 2020, cyberattacks are ranked as the second risk of greatest concern for business globally over the next 10 years. Cyberattacks on critical infrastructure—rated the fifth top risk in 2020 by the expert network—have become the new normal across sectors such as energy, healthcare, and transportation. This confirms a pattern recorded in previous years, with cyber risks consolidating their position alongside environmental risks in the high-impact, high-likelihood quadrant of the report’s Global Risks Landscape.
The cyberattack surface (the totality of all information system and internet exposure) is growing at a rapid pace. In parallel, inherently borderless cybercrime is impacting victims around the globe, with the authority of law enforcement often constrained by jurisdiction and the limitations of legal processes serving to request information beyond national borders. Moreover, cybercrime-as-a-service is a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and easily accessible for anyone.
In this context, a cyber-risk assessment is crucial to any organization’s risk management strategy. A cyber-risk assessment provides an informed overview of an organization’s cybersecurity posture and provides data for cybersecurity-related decisions. A well-managed assessment process prevents costly wastes of time, effort, and resources and enables informed decision-making.
Many jurisdictional instruments, including the European Union General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 in the United Kingdom, require risk assessments to be conducted. Any organization with a digital footprint should have an understanding of their cyber preparedness to ensure that the leadership does not underestimate or overlook risks that could cause significant damage.
Yet today, cybersecurity awareness is largely insufficient and there is no standard approach among investors and corporate leadership for evaluating the cybersecurity preparedness of their own, or their portfolio of companies. A cybersecurity-focused culture, based on cyber expertise and awareness, is vital to prioritizing cybersecurity in the investment process.
Including cybersecurity risk assessment in the investment and decision-making process is a rather new approach. The World Economic Forum along with leaders and cybersecurity experts in the investment industry have developed a due care standard to guide investor responsibility in terms of cybersecurity. Tailored to investors’ needs and principle-based, it aims to influence behavioral change rather than merely prescribe specific action to be taken.
According to a World Economic Forum report, adequate cybersecurity expertise is foundational and vital to exercising the cyber due care principles. Investors should ensure requisite cybersecurity expertise is available to them and their investment portfolio companies either internally or through external experts. An investor’s attention to cybersecurity should extend well beyond regulatory compliance and legal obligations and include regular briefings on evolving cyber risks.
Expertise should evolve to guarantee optimal efforts to stay abreast of cybersecurity developments. Overall, investors are urged to foster a cybersecurity awareness culture as most businesses, investment targets, and their key assets are either becoming digital or are already in the digital domain.
Principles to follow
Incorporate a cyber-risk tolerance—The investor incorporates cyber-risk tolerance into their portfolio risk methodology similar to other types of risks monitored, such as financial and management risks. This cyber-risk tolerance threshold indicates the investor’s risk appetite and serves as a reference when making investment decisions.
Conduct cyber due diligence—The investor conducts a business-relevant cybersecurity assessment of the target company in terms of people, processes and technology, as part of the due diligence evaluation and weighs the potential cyber risks against the valuation and strategic benefits of investment.
Determine appropriate incentive structure—In the early stage of investment negotiations, the investor clearly defines ongoing cybersecurity expectations, benchmarks, and incentives for portfolio companies within investment mandates and term sheets.
Secure integration and development—The investor develops and follows systematic action plans to securely integrate the investment target according to the nature of the investment. These action plans span the secure integration of people, processes, and technology, as well as define the support that the investor will offer to develop the target’s cybersecurity capabilities. The extent of integration may vary according to the type of investor (financial vs. strategic) and the motivation for the investment.
Regularly review and encourage collaboration—The investor reviews the cybersecurity capabilities of its portfolio companies on a regular basis. These reviews assess adherence to the cybersecurity requirements set out by the investor and serve as a basis for sharing cybersecurity challenges, best practices, and lessons learned across the investor’s portfolio.
Investing in innovation is one way to reduce the likelihood of unexpected disruption, identify “blue oceans” (markets associated with high potential profits), and contribute to achieving desired returns. Whereas entrepreneurs drive innovation and experimentation, investors play an important role in helping them to grow, optimize, and mature their businesses. Helping entrepreneurs to prioritize cybersecurity is one significant way in which investors can increase the likelihood of long-term success and a product’s resilience in the market, thereby strengthening the brand name and consumer trust.
When investing in a technology company, investors need to consider the degree of cyber-risk exposure to understand how to manage and mitigate it. Investors play a critical role in leading their investment portfolio companies towards better security consideration and implementation.
Cyber expertise comprises not only technical know-how but also cybersecurity awareness in governance and investment. The principles and the cybersecurity due diligence assessment framework are designed for investors who want to include cybersecurity among the criteria for their investment consideration and decision. One of the main barriers to prioritizing cybersecurity is the lack of cyber expertise in the market. Yet every investor who understands the importance of cybersecurity in our technological age can ask the right questions to assess and understand a target’s cybersecurity preparedness, thus play a significant role in securing our shared digital future.