What private investors need to know about cybersecurity in 2023

Privacy, operational security and consumer trust are top cyber concerns. Companies are looking to identify vulnerabilities and reduce risk.

In brief

• Companies are increasingly concerned about cybersecurity vulnerabilities. They want to protect data and systems, while controlling costs.
• Consumers, insurance providers and stakeholders expect a high level of security.
• Companies are advised to consider managed services and other agreements to improve their cyber resiliency while they focus on growth.

Cyber resilience is an elevated and ever-evolving topic for private investors, including venture capitalists, and their portfolio companies. Threats include:

• Phishing
• Malware
• Ransomware
• Business and supply chain disruption
• Data privacy breaches

However, cybersecurity spending has slowed in some areas due to recession concerns and as companies prioritize spend in other areas, particularly growth.

EY Cybersecurity leaders shared trends and perspectives during a recent National Venture Capital Associations (NVCA) webinar to help companies learn how to identify cyber risks, particularly during merger and acquisition (M&A) activity, separations, integrations, and divestitures.

Cybersecurity is becoming an increasingly important, strategic priority for companies of all stages

Cybersecurity was once an afterthought, but now private investors and their portfolio companies are bringing it forward earlier, according to Stacy Scott, EY-Parthenon Technology and Cybersecurity Transactions Leader. Companies want to avoid business disruption and be prepared on day one with access management, security and controls.

Consumer data protection is under constant scrutiny. How data is collected, where it is stored and whether it is deleted properly carry risk and implications for companies. Today, for example, customers have direct access to their health information through portals, and they share data with companies for hyper-personalized services. With that comes the expectation that companies handle data properly. Otherwise, they may face fines, reputational damage and civil lawsuits from people whose data was mishandled or breached.

By building cybersecurity into your brand early on, you can use it to create customer trust, rather than looking at it as a cost center. “This gives consumers an increased level of trust and certainty that their data is being handled as a high priority,” said Brian DePersiis, EY US-East Cybersecurity Consulting Leader.

For manufacturing companies, particularly life sciences and biotechnology companies, operational technology is becoming a greater concern. Companies are looking at mitigating any potential harm by segregating operational technology (OT) and sensitive information from other areas of the business and corporate networks. Increasingly, systems are monitored by artificial intelligence, the Internet of Things (IoT) and edge computing devices, and while they do add efficiencies, those systems can also be disrupted.

Cybersecurity insurance premiums are increasing, and to qualify, companies will have to prove that they’re getting smarter about cybersecurity. “The bar has been raised,” Scott said. “Find out about the expectations. What do you have to have in place before they decide to cover your risk?”

One client recently sent a “cyber SWAT team” in post-close to assess IT and cybersecurity and get a complete view of information systems and controls. The assessment also helped shape the path of the corporate structure.

“We used to have the mindset, ‘protect the data,’” Scott said. “That’s still a mindset, but now it’s [also] ‘protect the system and detect suspicious and potentially malicious behavior.’ What attackers are looking to do is just to disrupt.”

Five cybersecurity actions for private investors and portfolio companies

1. Identify vulnerabilities and mature detection capabilities:
Without a clear vision of future potential weaknesses, third-party risk and vulnerabilities, a company cannot address threats. Focusing on maturing detection processes can help reduce the risk of disruption while protections are implemented.

2. Look for technology simplification:
Following a merger, acquisition or any system integration, companies should look for ways to consolidate technology, retire outdated platforms, update to the current state-of-the-art system and save on costs.

3. Use existing and proposed regulations to design a framework:
“We’re seeing a trend where companies are looking at the regulatory environment and using that as a compass for what they will have to do eventually,” DePersiis said.

Companies must also apply lessons learned from events that have been in the news and perform tabletop exercises to improve decision-making and response.

4. Consider managed services:
Cybersecurity and regulatory concerns will not go away, and companies face additional challenges as 5G, quantum computing and advanced technologies are integrated into their operations. Organizations must decide how to respond — with in-house services or outside firms. Some find that it’s easier to outsource, even temporarily during the transition phase of a separation or integration or while they are building a new system for the separated company or merging two systems, according to Scott.

Other organizations decide to outsource because of a talent shortage and the high volume of false incidents that take time to investigate.

5. Ask better questions of investees:
This allows organizations to see if they are identifying cyber risk during due diligence and proactively managing cyber risk.

Investing in cybersecurity has a material impact on enterprise value

These actions pay off. A VC-backed health care technology company that was planning for a potential IPO over the next year had received several questions from stakeholders about data privacy and cybersecurity, IT processes and controls. An EY team performed an assessment and roadmap to bring the company’s cybersecurity in line with a regulatory framework. Over the next year, the company improved its results and was able to show stakeholders the value delivered. “It’s a good example of how, even if you haven’t been able to build security throughout the different stages of growth, you can transform that very quickly,” Scott said.