Cybersecurity is a concern for all industries, but some, like venture capital and private equity, are more attractive targets due to the nature of the data they collect and process. Investment firms work with highly sensitive financial data on a daily basis, and its confidentiality is essential for the smooth running of their business operations.
As a consequence, data breaches can severely impact a venture capital or private equity firm’s bottom line. According to IBM and the Ponemon Institute’s 2021 Cost of a Data Breach Report, financial institutions have the second-highest data breach costs of any industry: $5.72 million per data breach. Lost business is the biggest contributing cost factor and includes business disruption and revenue loss from system downtime, loss of existing and new customers, as well as reputational damage.
But venture capital and private equity firms do not only need to worry about their own cybersecurity but also that of their vendors and portfolio companies. According to the British Private Equity and Venture Capital Association (BVCA) and PwC’s Cybersecurity for the private equity and venture capital industry guide, 52% of organizations interviewed indicated that the share value of publicly traded clients was negatively affected as a result of an acquired company’s post-acquisition data breach.
Venture capital and private equity firms are therefore expected not only to ensure that third-party vendors handling sensitive information can provide an adequate level of cybersecurity before hiring them, but also to perform cybersecurity due diligence to determine the cyber maturity of a target investment and identify potential cyber risks that could impact the parties involved in the transaction. According to BVCA and PwC, 49% of their interviewees said deals they were involved in fell apart because of undisclosed breaches. 82% also said the stronger a company’s cybersecurity infrastructure, the higher the value assessed for the organization.
Where in the past due diligence was about assessing the financial health and market potential of a target investment, nowadays venture capital and private equity firms can no longer ignore the crucial role cybersecurity plays in the success of their merger and acquisition operations.
When it comes to sensitive data, venture capital and private equity firms also need to be aware of their regulatory obligations. Personally identifiable information (PII) and financial data are protected under laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) and international standards such as the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with their requirements can lead to heavy fines and penalties that can severely cripple business operations.
The danger of insider threats
When it comes to venture capital and private equity, insider threats can be the most dangerous. A solid cybersecurity framework can safeguard data from outsider threats but fail to protect it from employees who have direct access to it. Data exfiltration can be particularly tempting for employees who are about to move to another company or who intend to engage in insider trading.
At the same time, due to the sensitivity of the data involved, negligence can be just as disastrous for venture capital and private equity firms. Data leaks can destroy months of work and cause deals being negotiated to completely fall through.
One way to address insider threats is to use Data Loss Prevention (DLP) solutions that allow sensitive data to be defined based on a company’s needs. DLP tools come with predefined profiles for common types of protected information such as PII and intellectual property but also allow for customizable policies to suit a firm’s requirements. Once sensitive data is defined, DLP solutions monitor and control its transfer and use.
By monitoring sensitive data and logging and reporting any attempts to violate policies, DLP solutions allow companies to identify suspicious user activity. DLP technology can block files containing sensitive information from being transferred to personal email addresses or cloud storage services and even prevent confidential information from being printed or copy-pasted into the body of an email.
When applied on the endpoint, DLP solutions such as Endpoint Protector can also ensure that its policies remain active on a work computer, whether it is in the office, used remotely, or not connected to the internet.
Controlling the use of removable devices
Another common exit point for data is removable devices. Easy to use, hide or lose, USB drives in particular have long been a data security blind spot and have been the root cause of massive data breaches in the past. However, they can also be useful tools for employees who need to take data with them to meetings or conferences.
Venture capital and equity firms can use DLP solutions to control the use of peripheral and USB ports as well as Bluetooth connections. In this way, only company-approved devices can be connected to work computers. Firms can thus ensure that employees only use company-issued secure devices and easily monitor which employees are copying sensitive files.
By applying enforced encryption, firms can ensure that all files copied onto removable devices are automatically encrypted with 256-bit AES in CBC mode. No one without the decryption key can access them. Passwords can be reset if they have been compromised, and devices can be wiped remotely. Easy to use and highly efficient, such solutions ensure that a stolen or lost USB drive will not be accessed by third parties.
Addressing the risks of data at rest
According to Varonis’ 2021 Financial Data Risk Report, a financial services employee has access on average to nearly 11 million files. Many of them can contain sensitive company data and information protected under data protection legislation. Venture capital and private equity firms must ensure that such files, when no longer used, are not simply stored in unprotected locations where, in case of a data breach, they can easily be stolen.
Companies can use DLP data discovery tools to identify where data is being stored locally. Some solutions also offer administrators the possibility of taking remediation actions to delete or encrypt sensitive data when it is found in unprotected locations. This can be done automatically from the DLP dashboard across the entire company network.
DLP content discovery can also be useful in the case of compliance auditing. Venture capital and private equity firms can perform content discovery scans and generate reports that prove they secure sensitive data, cutting down on the time needed for the auditing process.
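The policy logic described above for transfers (define sensitive content, decide per channel and destination, log violations) and for data at rest (scan stored files for the same profiles), written here as an added illustration rather than code from Endpoint Protector or any other product; the regex profiles, the approved email domain `fund.example`, the `PROJECT-XXXX-000` deal-code format and the file contents are constructed assumptions.

```python
from __future__ import annotations
import re

# Constructed detection patterns standing in for a DLP product's predefined
# PII profile (card numbers, US SSNs) and one custom, firm-specific profile.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DEAL_RE = re.compile(r"\bPROJECT-[A-Z]{4}-\d{3}\b")   # hypothetical deal-code format
CORPORATE_DOMAINS = {"fund.example"}                   # assumed approved email domain
VIOLATION_LOG: list[dict] = []                         # what a DLP console would report

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from random 13-16 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set[str]:
    """Return the set of sensitivity labels found in a piece of content."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PII:card")
    if SSN_RE.search(text):
        labels.add("PII:ssn")
    if DEAL_RE.search(text):
        labels.add("IP:deal-code")
    return labels

def evaluate_transfer(text: str, channel: str, destination: str, user: str) -> str:
    """Decide whether a transfer may proceed; every blocked attempt is logged."""
    labels = classify(text)
    # Sensitive content may only leave by corporate email; USB, personal
    # webmail and cloud uploads of labelled content are blocked.
    approved_email = (channel == "email"
                      and destination.rsplit("@", 1)[-1] in CORPORATE_DOMAINS)
    if not labels or approved_email:
        return "allow"
    VIOLATION_LOG.append({"user": user, "channel": channel,
                          "destination": destination, "labels": sorted(labels)})
    return "block"

def discover(files: dict[str, str]) -> dict[str, set[str]]:
    """Data-at-rest scan: map each stored file to the labels found in it."""
    return {path: found for path, body in files.items() if (found := classify(body))}
```

A real product applies the same classification to many more channels (print, clipboard, screen capture) and to file types that need parsing before inspection.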