Why VC and PE Firms Need to Consider Their Own Cybersecurity

Venture Capital (VC) and Private Equity (PE) firms take on a lot of risk when investing in a new startup or operating business. Although it is vital to perform all necessary due diligence on any new investment, VC/PE firms shouldn’t ignore their own risk. Rather, they need to take a hard look at their own cybersecurity posture.

Hackers know that these companies may lead to significant payouts. After all, global venture investment in 2021 obliterated all previous records, hitting a stunning $643 billion. Such high figures make the coffers of VC/PE firms attractive targets for cybercriminals.

In 2020, three PE firms were specifically targeted by hackers who managed to intercept financial transactions that totaled $1.3 million. They did this through a combination of email diversion, hijacking relationships, and even directly initiating wire transfers.

Smaller VC/PE firms are at a high risk of being attacked; but, in many cases, do not have a sufficiently robust cybersecurity program to defend against such attacks.

In this article, we’re going to lay out the types of risks that smaller VC/PE firms face, and also provide tips on how best to protect against such attacks.

The cyber risks smaller VC/PE firms face

A new report has determined that small businesses are three times more likely to be targeted for a cyberattack than larger ones.

The cybersecurity problem for VC/PE firms has gotten so large that on Feb 9, 2020, the Securities & Exchange Commission (SEC) voted that “registered investment companies” implement written policies and procedures to mitigate cybersecurity threats.

Here are the primary risks that smaller VC/PE firms face.

Indiscriminate attacks

Automated attacks run by software or botnets look for security gaps found within any organization. These gaps are more likely to exist in organizations that haven’t invested in the proper cybersecurity protection required to block these attacks or to eliminate the security gaps in the first place.

Hackers know to target smaller companies for this very reason — the lack of resources to prevent an attack from being successful. In 2021, 20% of all data breach victims were SMEs, and more than 30% of small businesses have weak cybersecurity areas that can be breached by attackers.

For example, hackers leverage brute force and credential-stuffing automated attacks that look for accounts with weak passwords or account security. If, for instance, an organization doesn’t employ 2FA, this can make an account takeover attack much simpler for a hacker. DDoS attacks, known for taking down entire sites and applications, are becoming more sophisticated as hackers employ AI and machine learning capabilities to automate attacks.

As a result, hackers looking for low-hanging fruit, are deploying potentially devastating attacks to any likely company. The news site Private Funds CFO reported in 2021 that cyberattacks against mid-market PE firms were on the rise.

VC firms don’t have much cybersecurity control in place

Plenty of advice exists for VC/PE firms to do their due diligence and ensure that their investments are protected against breaches. But little is said about the elephant in the room of a VC/PE firm’s own security posture. VC/PE firms might feel they don’t need cybersecurity — after all, they’re not a target. But increasing attacks against smaller VC/PE firms prove otherwise.

For example, an accountant at a PE firm received an email purportedly from one of the firm’s general partners to transfer funds to a specific account. It was later discovered that this email was fraudulent. The hackers had even gone so far as to find an account that, except for one number, completely matched with a known account at the PE firm. 

Bolstered by a sense of false comfort, VC/PE firms don’t invest in the necessary resources to obtain detection and response tools or to implement the cybersecurity technology required to prevent attacks.

VC firms house valuable assets

What makes PE firms such juicy targets? They are a direct link to assets valued in the millions of dollars!

Furthermore, members of the VC/PE firms are often themselves high-value individuals, making them, personally, targets for hackers. Cybersecurity attorney Mark Rasch says that cybersecurity threats are particularly more harmful to high-net-worth families.

Hacking an individual’s device such as a phone, tablet, or computer, is a crucial method of assault that can give an attacker access to a PE firm or to an individual within that firm. Failure to secure these endpoints leaves the chicken coop wide open to the wolves.

By infiltrating a small PE firm, hackers can also obtain personal calendar information for high-value individuals that might even result in physical crimes such as executive kidnapping. On the corporate level, high-value individuals often have access to sensitive information and trade secrets that hackers are extremely eager to get their hands on.

VC/PE firms can be used to attack other organizations

By hacking the VC/PE firm, hackers might be able to gain access to the VC/PE’s investment companies. This magnifies the damage of the hack by the number of firms the VC/PE has invested in, bringing the total potential fallout from the hack to apocalyptic proportions.

The hackers could also use the VC/PE firm’s email account to send spoofed emails to their investment company asking for financial records, soliciting payments, or gaining access to the company itself. Portfolio companies place a lot of trust in VCs and often consider their requests and correspondence to be quite important, which means they may not even question it. Hackers exploit this elevated trust, putting VCs and their portfolio companies at risk.

How VCs and PEs can improve their cyber resilience

Addressing the major holes in a VC/PE firm’s security posture is fortunately not as complicated as it might initially seem, provided it is done properly and efficiently. It’s easy to get carried away with complex security setups. But before anything else, a VC/PE firm should focus on the fundamentals.

Focus on Email Channels

As the very first step, email channels should be protected. Spam filters and antivirus tools need to be configured so that malicious emails get detected every time. This would include implementing basic protocols at the mail server to help further detect potentially fraudulent emails. Considering that 91% of all cyberattacks begin with a phishing email, focusing on email hygiene is a top priority.

This hygiene should also include training employees on what to do if they observe anything suspicious. In one case, a PE firm was targeted by a fraudulent email, but no funds were stolen because the employee detected that something looked suspect in the email and promptly forwarded it to a superior for investigation.

Smaller VC and PE firms can take advantage of a smaller employee base and tailor their security awareness training program based on high risk and high value individuals who may face different kinds of attacks.

Limit Administrative Access

A breached administrator account will give the hacker almost unlimited potential to gain deeper access into the VC/PE firm’s network. By reducing the number of accounts that have full administrator access, a VC/PE firm can greatly mitigate the potential damage if an attack does occur.

Early detection and fast response capabilities

In the event of a compromise, companies should focus on detection and the ability to respond quickly and reduce business impact.

In much the same way as detecting a burglar as soon as he breaks a window can reduce the risk to your family and possessions, hacks that are detected quickly reduce the chance of data leakage and data loss. Generally, the more time hackers lurk within an environment, the more damage they can do. Therefore, it is critical that an organization be able to find attackers and flush them out quickly.

VC/PE firms should leverage modern managed security providers

It’s a matter of fact that cyber security is not your core business. That makes deploying a strong security program even more difficult as it can take years to test, implement and integrate the appropriate security tools and processes.

The simplest way to handle cybersecurity for a small VC/PE firm is to hire an MSSP that sources and deals with all the necessary companies required to provide a full security solution. This way, the VC/PE firm only has to deal with one vendor which then consolidates and coordinates all the various aspects of the solution so that they function smoothly together.

MSSPs like SolCyber ensure that all the necessary detection and response services are in place, and that cybersecurity support is available 24 hours a day, seven days a week. The MSSP can also assist the VC/PE firm in determining the security posture of potential investments before the VC/PE firm commits capital to the project.

Learn more about how SolCyber can help your VC or PE firm protect itself against cyberattacks.