Venture Capital Due Diligence Checklist for Cybersecurity (and How to Protect Investment in Portfolio Companies)

Investing in a software startup company can be a boon, but without following our venture capital due diligence checklist for cybersecurity, it can be a bust.

Investing in software startups can either reap great rewards or bust your bankroll. Venture capitalists spend hundreds of hours evaluating promising early-stage companies, including technology, vision, total addressable market, product/market fit, and go-to-market strategies before deciding to invest. Once they invest, the goal is repeatable and/or exponential business growth. However, there is one hidden, key risk factor for every technology startup that many investors neglect: cybersecurity. Cybersecurity best practices can make or break any startup. VCs need to add cybersecurity to the top of the list of concerns, both for protecting their current portfolio companies and for their due diligence process on new startup investments.

Traditional investor due diligence focused on the software company’s financial records and sales stream. The rise of Software-as-a-Service (SaaS) applications, and the potential for becoming the next high-stakes winner in real-life roulette, now come with new risks. In July 2019, a global hospitality company announced in its U.S. Securities and Exchange Commission (SEC) filing that the United Kingdom’s Information Commissioner’s Office (ICO) had fined the company more than $124 million, roughly 2.5% of its worldwide revenue, as the result of a November 2018 data breach at one of its acquired companies. The lesson? A lack of cybersecurity due diligence during the merger and acquisition process can translate to a loss rather than a gain. As in a merger or acquisition, venture capital firms need to follow a due diligence checklist for cybersecurity to protect their money and their companies.

Why Venture Capital Firms Need to Engage in Cybersecurity Due Diligence

Although common sense dictates the importance of reviewing your portfolio from the cybersecurity perspective, the data proves the value further. These figures from the 2019 Verizon Data Breach Investigations Report should make you wary:

  • 43% of breaches involved small businesses 
  • 52% of breaches feature hacking
  • 69% of breaches were perpetrated by outsiders
  • 71% of breaches were financially motivated

The short and, now, tiresome story? Small businesses are often the victims of external malicious actors gaining unauthorized access to data to make money off the stolen information on the dark web. 

Why Venture Capital Firms Need to Take Data Breach Costs For Smaller Organizations Seriously

While the number and types of data breaches occurring in 2018 may not surprise you, the disproportionate impact of a data breach on smaller organizations, the ones in which you are more likely to be investing, should.

The 2019 IBM Cost of a Data Breach Report should at least give you pause. According to the Cost of a Data Breach Report, small businesses face smaller total costs per breach, but when the cost is averaged by the number of employees, the breaches impact them far more significantly. 

For example, a data breach cost organizations with more than 25,000 employees an average of $5.11 million compared to $2.65 million for organizations with 500-1,000 employees. However, when spreading that cost out to account for size, the data breach at the larger organization was $204/employee while for the smaller organization it was $3,533/employee. 

Overall, while the costs may be greater for a large organization, smaller organizations lack the resiliency necessary to maintain solvency in the aftermath of a data breach.

5 Cybersecurity Risks to Monitor When Investing

Digital transformation makes startup software companies a compelling investment. Today’s new software can become tomorrow’s Lyft or DoorDash. However, instead of playing a game of roulette with your portfolio, you want to make risk-aware decisions to protect your company’s reputation and your investors. To do this, you need to know which risks can be mitigated and ensure that the companies you fund are enforcing the appropriate controls.

5. Web Application Security

Web application attacks were the number one breach pattern detected in the Data Breach Investigations Report. Malicious actors attacked by exploiting code-level vulnerabilities and by undermining authentication mechanisms. 

Before investing in a web application software company, ensure that the company incorporates controls to mitigate risk, such as:

  • Security plugins
  • Regular security patching
  • Whitelisting of file extensions
  • File type verification protocols
  • Content Security Policy (CSP)
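The following is an added example (not code from the original post or from Zeguro) showing what three of these controls look like in practice: an extension whitelist, file type verification against the file’s leading bytes, and a Content Security Policy header. The allowed types, the size limit and the sample uploads are constructed for illustration.

```python
"""File-upload validation and a Content Security Policy header.

Added example, not from the original post. Demonstrates extension
whitelisting, file type verification (magic-byte check) and building a
restrictive CSP value. All limits and sample files are constructed.
"""
import os
from typing import Dict, List, Tuple

# Extension whitelist: only the types the application really needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}

# Leading bytes ("magic numbers") each allowed type must start with.
MAGIC_BYTES: Dict[str, List[bytes]] = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # 5 MiB, an assumed limit for this example


def extension_of(filename: str) -> str:
    """Return the lowercase final extension, ignoring any directory part.

    Judging by the last extension means 'report.txt.png' is treated as
    'png', and the magic-byte check below must then agree with that.
    """
    base = os.path.basename(filename)
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Accept a file only if extension, size and content all pass.

    Returns (accepted, reason); the reason is meant for server logs.
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext or '<none>'}"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # File type verification: the bytes must match the claimed extension,
    # so a renamed HTML or script file is rejected despite a harmless name.
    if not any(content.startswith(sig) for sig in MAGIC_BYTES[ext]):
        return False, f"content does not match .{ext}"
    return True, "ok"


def content_security_policy(nonce: str) -> str:
    """Build a restrictive CSP header value for one response.

    Scripts execute only if they carry the per-response nonce, so inline
    script injected into the page does not run.
    """
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]
    return "; ".join(directives)


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header, an HTML file with an
    # honest name, and the same HTML renamed to look like an image.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("notes.html", b"<html><body>hi</body></html>"),
        ("renamed.png", b"<html><body>hi</body></html>"),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data))
    print("Content-Security-Policy:", content_security_policy("r4nd0m"))
```

In review, ask to see where the application enforces the equivalent of `validate_upload` and which CSP directives it sends; a policy that still allows `'unsafe-inline'` for scripts gives up most of the benefit.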

4. Malware/Ransomware Protection

Nearly 24% of the incidents reported in the Data Breach Investigations Report involved malware. Malicious actors continuously evolve their threat methodologies, meaning that most ransomware and malware are not new strains but updated versions of old ones. Equally concerning, many new malware attacks no longer require users to execute files. These fileless attacks run as parasitic code inside legitimate system processes.

As part of your due diligence, you should ensure that the company in which you want to invest:

  • Disables macros 
  • Monitors for unauthorized traffic
  • Monitors endpoint security
  • Regularly updates devices

3. Cloud Security

Most software companies use Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) for development environments. These new cloud locations increase the attack surface and lead to new risks. Unlike legacy DevOps, modern developers spin up new instances, workloads, and containers in cloud-based ecosystems like AWS or Oracle. Because these environments are defined entirely in code, a single mistake can leave a misconfigured cloud resource open to the public, making it a cybersecurity risk.

As you engage in your due diligence process, you need to ensure that the DevOps environment is:

  • Engaging in accurate inventory of software packages and version information to detect known common vulnerabilities
  • Continuously monitoring for misconfigured cloud resources
  • Scanning third-party components for commonly known vulnerabilities
  • Documenting compliance with security frameworks
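As an added example (not Zeguro’s code), the checks below run offline over a constructed inventory in the shape a cloud resource export or dependency list might take. They cover the first three items: a package inventory compared against fixed versions, and a scan for publicly readable or unencrypted storage. The bucket names, package names and the “fixed in” versions are invented for illustration and do not refer to real advisories.

```python
"""Cloud misconfiguration and dependency inventory checks.

Added example, not from the original post. Operates on a constructed
inventory; all resource and package names and the fixed-version list
are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: two storage buckets and the packages of one workload.
INVENTORY = {
    "buckets": [
        {"name": "prod-customer-exports", "public_read": True, "encrypted": False},
        {"name": "build-artifacts", "public_read": False, "encrypted": True},
    ],
    "packages": [
        {"name": "examplelib", "version": "1.2.3"},
        {"name": "otherlib", "version": "4.0.1"},
    ],
}

# Constructed advisory data: package -> first version with the fix.
# Hypothetical: versions of examplelib below 1.2.5 are treated as affected.
FIXED_IN: Dict[str, str] = {"examplelib": "1.2.5"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.3' (or '1.2.3-rc1') into a comparable tuple of integers.

    Only the numeric components are compared; pre-release tags are ignored,
    which is adequate for this example but not a full semver implementation.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_misconfigurations(inventory: dict) -> List[str]:
    """Flag buckets that are publicly readable or lack encryption at rest."""
    findings = []
    for bucket in inventory["buckets"]:
        if bucket["public_read"]:
            findings.append(f"bucket {bucket['name']}: public read access")
        if not bucket["encrypted"]:
            findings.append(f"bucket {bucket['name']}: encryption at rest disabled")
    return findings


def find_vulnerable_packages(inventory: dict, fixed_in: Dict[str, str]) -> List[str]:
    """Flag packages whose installed version is older than the fixed version."""
    findings = []
    for pkg in inventory["packages"]:
        fix = fixed_in.get(pkg["name"])
        if fix and parse_version(pkg["version"]) < parse_version(fix):
            findings.append(f"{pkg['name']} {pkg['version']} < fixed {fix}")
    return findings


if __name__ == "__main__":
    for line in find_misconfigurations(INVENTORY) + find_vulnerable_packages(INVENTORY, FIXED_IN):
        print("FINDING:", line)
```

The point for due diligence is not this script but whether the company runs the equivalent continuously: ask for the most recent output of their configuration and dependency scanning, and how quickly findings like these are closed.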

2. Social Engineering

Whether it’s a text, social media private message, or email, social engineering is still a primary threat vector. According to the 2019 Data Breach Investigations Report, although phishing simulation click-through rates fell from 24% to 3% over the past seven years, 18% of people who clicked through were using mobile devices. As more employees use mobile devices to check email or access collaborative tools, this threat vector becomes more dangerous.

When engaging in due diligence, you want to determine: 

  • Whether employees receive social engineering training
  • What a “passing score” for the training is
  • How often the company trains its employees
  • How the company enforces its policies

1. Cyber Risk Insurance

The cost of a data breach is compounded by hidden financial losses. Business loss arising from a data breach cost $1.42 million, 36% of total data breach costs, according to the 2019 Cost of a Data Breach Report. Equally important, organizations unable to retain customers after a data breach spent 45% more on average on the breach.

Your due diligence needs to include a review of the potential investment’s cybersecurity risk insurance policy to determine whether it covers:

  • Data compromise response expenses
  • Identity recovery services
  • Data re-creation
  • Loss of business
  • Network security liability

Zeguro: Cybersecurity Solutions to Protect Your Portfolio

At Zeguro, we understand startup culture. As an investor, you have stakeholders whose money you need to protect, and any additional risk to your financial security can be devastating. That’s why we built our product to help small and mid-size businesses secure their data and obtain the insurance necessary to protect against future risks.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.

Written by

Sidd Gavirneni

Co-Founder & CEO

18 years of security, strategy, product & innovation management experience; MBA from IE in Spain and from Dartmouth; MS in computer science with a focus on information security.
