It doesn’t matter what industry you’re in—if you handle sensitive digital information of any kind, cybersecurity must be top of mind. That’s certainly true for private equity and venture capital firms.
In fact, in February of this year, the U.S. Securities and Exchange Commission (SEC) proposed several new rules regarding how firms must manage and disclose cybersecurity risks. These rules aim to give investors confidence in firms’ preparedness for cyberattacks and resiliency should an attack occur.
The rules require, among other things, that firms develop and implement cybersecurity policies and disclose risks to investors. Most firms already have measures in place for tracking cybersecurity incidents. However, they don’t always share that information, and that lack of disclosure can affect investors and the industry.
Many industry observers believe that data breaches in the last few years are the catalyst for the SEC’s new rulemaking. In particular, cyberattacks increased significantly when the COVID-19 pandemic began, and firms quickly shifted to remote working.
That change meant that more data was traveling to and from personal and unmanaged devices, that firms' servers were being accessed remotely far more often, and that, in general, cybercriminals suddenly had a larger attack surface to work with. It seems the SEC felt it needed to take action to address these issues.
Incomplete and Untested Incident Response Plans Are Common
Incident response plans are only effective if they're complete, if they're thoroughly tested, and if everyone in the firm understands their role in helping to prevent cyberattacks and in responding to them if they occur. If there's one "weak link" in the security chain, attackers are sure to find it. Too often, firms have plans that fail one or more of those three tests.
Most experts agree that at least annual review and testing of incident response and business continuity plans is a must, with an additional review after any significant change to systems, staff, or vendors. Ideally, testing should include both tabletop exercises (walking through a realistic scenario, such as a compromised email account or a ransomware infection, and confirming who does what and when) and live exercises that simulate a real incident against the firm's actual systems, scoped carefully so that the test itself does not disrupt the business. Those two test modes help ensure that everyone understands their responsibilities regarding keeping the firm's systems secure and the actions they must take if an attempted or completed security breach occurs.
Getting on the Same Cybersecurity Page
Part of the problem with establishing and maintaining effective digital defenses is that there are many types of cyberattacks and many security frameworks for shielding systems from those attacks. Because firms, vendors, and regulators often describe the same risk in different terms, cyber risks are described and discussed inconsistently, which makes it hard to compare one firm's posture with another's or to tell investors something meaningful.
Firms are starting to develop a shared vocabulary for talking about cybersecurity, which will accelerate the development of best practices and make disclosures more comparable. However, there's still much work to be done.
The Cost of a Cybersecurity Breach
Every data breach has a different price tag for the firm that's been affected, but the cost can be extremely high. Typically, it includes expenses for notifying investors, conducting forensic investigations, offering credit or identity monitoring services, and similar response activities. Then, of course, courts can award damages if a firm is found negligent for failing to protect its clients' information assets.
In addition, a firm may never know the costs it has incurred related to reputational damage and lost business opportunities. So, every bit of time and effort put into developing and maintaining the highest cybersecurity standards and measures is well worth it.
Using the Right Systems Is Part of the Solution
Cybercriminals, like flowing water, tend to take the path of least resistance. Consequently, a firm with outdated software, no incident response plan or employee security training, and a relaxed security posture is more likely to be victimized.
Conversely, firms with purpose-built PE/VC systems for capturing and storing client and deal data, securely sharing resources, etc., are "harder targets": an attack against them is more likely to fail, and an opportunistic attacker is more likely to move on to an easier victim. Of course, there's no guarantee that a hacker won't target them, and a determined attacker who wants a specific firm's data will keep trying. But to some extent, it's a numbers game, and using secure solutions for a firm's operations decreases the odds of an attack being successful.
Altvia’s suite of products is highly secure, which contributes to a firm’s overall cybersecurity strategy.