Startup valuations are the scoreboard of success, and the podium for winners is Unicorn Status—when a company reaches a valuation of $1 billion.
Achieving unicorn status is the dream of any startup, and it typically signals the startup’s strong potential to either go through an IPO or become acquired by a larger firm in an M&A deal. A start-up achieves unicorn status if:
Unfortunately, because it might have vulnerabilities that more established, public companies don’t, achieving unicorn status also puts the startup in the crosshairs of hackers looking for a juicy target.
Suffering a cyberattack and subsequent data breach can severely impact a unicorn’s IPO or M&A potential, not to mention the reputation hit and ensuing revenue losses.
Let’s dive into the unique challenges that unicorns (and potential unicorns) face, the factors that put them at a higher risk of attack, and what these startups can do about it.
Rapidly growing startups are known for their high-pressure environments, heavy employee turnover, and fast growth trajectory as they fight for market share in a highly competitive field. Startup pressure from boards and investors often means that they favor speed over security and compliance.
By the time a startup hits unicorn status, it’s typically beyond the early startup phase and well into what’s called “scale-up” mode. Scale-ups are usually more established, have healthy brand recognition, and can sometimes afford to move slightly slower, taking the necessary time to consider the risks of any new product feature or organizational shake up, whether it’s departmental or technological.
Given the relative stability of the organization, it also means they have to seriously consider the potential of a security compromise. Scale-ups tend to have a larger client base and the fallout from a data breach would be much larger than a brand-new startup with only a handful of customers.
Even though scale-ups aren’t as frantically speedy as other startups, they’re still under pressure in a massively competitive field. In the startup (and scale-up) world, a new batch of venture capital to a competitor might be all that’s needed to bring a unicorn down.
All of this puts the unicorn in a unique “middle” position: They have immense market share, making them valuable targets, but they’re not established enough to always put risk before growth. In such a landscape, unicorns might treat security as an afterthought when competitive pressure is extremely high.
Meanwhile, hackers will be aggressive in their attempts to infiltrate the unicorn because of its immense value, and because they know the company may not be investing in its cyber resiliency.
Achieving unicorn status brings with it a slew of press, putting the company front and center in everyone’s mind—including hackers. And when unicorns are compromised, it’s often major news.
For example, Uber reportedly achieved unicorn status in 2013, despite the company denying this. Before that, the company had no publicly disclosed data breaches. In 2014, it suffered its first devastating breach where a hacker released plaintext data from 100,000 Uber drivers.
Uber’s valuations continued to increase, eventually hitting $50 billion in 2015. As its valuation increased, so did the data breaches. The company suffered breaches in 2016, 2020, 2022, and 2023 (when one of its third-party providers was hacked).
Food delivery service DoorDash achieved unicorn status in 2018. A year later, the company confirmed a data breach that affected 4.9 million users. It’s possible that hackers attacked the company in 2018 as well. However, DoorDash denied these claims. In 2020, after DoorDash went public, it suffered another data breach that occurred through a supply-chain attack.
In December 2023, the hacker group ALPHV claimed it had accessed fintech unicorn Tipalti’s network and secured 265 GB of data. The loss of data was never confirmed but the incident illustrates the high-profile nature of unicorns and how they attract the attention of hackers.
Ransomware cybercrime organizations are also aware that companies looking to go public, or who are in the late stages of becoming acquired, are more likely to pay ransom fees. Uber reportedly paid hackers $100 million in the 2016 hack.
Even M&A procedures can create opportunities for hackers, with those opportunities potentially paying off extremely well when the acquired company is valued at over $1 billion. It’s vital for any company going through an M&A or readying itself for acquisition to increase its cyber resilience, and this is especially true of unicorns.
Cyberattacks on a unicorn can be far more costly than what a new organization can comfortably afford.
The average cost of a data breach is now at $4.88 million, 10% higher than last year. Costs include:
Beyond the financial impact, reputation is a vital aspect of being a unicorn. These companies are relatively new and still largely funded by venture capital. The loss of reputation means fewer new customers and fewer investors funding potential seed rounds, directly impacting the unicorn’s ability to eventually become profitable by investing in its infrastructure and employees. As much as 75% of customers are ready to sever ties with a brand after it’s been breached, says a recent report.
Data breaches can also embroil the unicorn in lengthy government intervention and regulatory procedures, not to mention costly litigation. The litigation might come directly from the attorney general’s office, as each US state has data breach laws that must be followed, or from a lawsuit that could be in the form of a class action suit.
Regardless of the outcome of any litigation, the negative press associated with an ongoing suit can further damage reputation. For high-profile companies such as unicorns, the press coverage is likely to be intense, which is why so many companies prefer settling these cases out of court rather than proving their innocence.
While specific valuation figures aren’t as accessible as a public company’s stock price, it’s easy to see how a cyber compromise can affect a company’s value, whether private or not. Uber’s shares fell sharply after its 2022 data breach, and Equifax lost $5 billion in market cap, 31% in 2017 after its data breach that year.
In a unicorn’s case, the investor profile is represented by private investors and VC firms. A loss in investor confidence in these cases would result in lowered valuation and possibly even losing the unicorn status.
It takes work to maintain the unicorn status. Whether a unicorn’s next step is an IPO, readying itself for an acquisition, or seeking its next fundraising round, there are a lot of eyes peering into the nuances of the company.
Decision-makers in the IPO and M&A process are looking for safe bets, and risk can reveal itself in many ways in a unicorn, such as:
Poor cyber resiliency can cause these decision-makers to walk away from a deal.
Making matters worse is the rising complexity, severity, and persistence of cyberattacks. According to FBI Director Christopher Wray, many of these threats are coming from foreign states; and unicorns, with their immense quantities of personal data, are just the type of target these states could use for their nefarious purposes.
Investing in an in-house security solution is a possible solution to the cyber threat problem, but it is enormously expensive and might not even be enough, especially considering the perennial cybersecurity labor shortage. Additionally, unicorns must focus as much of their attention as possible on product development and new customer acquisition, so setting up an in-house solution could spread their personnel too thin.
More and more companies, from small to enterprise-level, are using managed cyber security services to solve this difficulty. Managed security services allow an organization to improve its cyber resiliency using best-in-class technologies, and do it without taking time away from key resources. The external team can work as fast as your own team, yet allows you to focus on the most vital aspects of being a unicorn.
Equally important, using a managed security service will likely give you an advantage because it will be leveraging established threat research analysts and security practitioners, giving it a wide view of ongoing risks long before they hit your organization.
SolCyber works with organizations of all sizes. We offer top-tier security analysis and cutting-edge technologies to ensure cyber resilience. We believe that cyber security must always use a human touch. AI solutions are in their infancy and prone to errors. We use all the latest AI solutions available while ensuring those solutions don’t result in false positives (or false negatives) by having a human verify any critical decisions.
We can help your unicorn improve its cyber resilience. To learn more about how SolCyber can help your unicorn, contact us for a no-obligation chat.