When a company approaches a private equity firm in hopes of raising money, its founders typically come bearing a PowerPoint presentation providing a revenue forecast, tech development plan and go-to-market strategy. But today, investors are also becoming increasingly interested in their portfolio companies’ cybersecurity posture, a group of security experts, lawyers and investors tells FedScoop.
“There is building concern amongst investors who have had portfolio companies experience breaches,” said Yong-Gon Chon, CEO of Cyber Risk Management, a cyber risk consulting firm that offers penetration testing services through a subsidiary company. “Investors want to understand potential exposure to risk across all of their investments. [So, yes] there has been an uptick in inbound requests,” added Chon.
Ann Barron-DiCamillo, a former director of the U.S. Computer Emergency Readiness Team and a now venture capitalist with D.C.-based Strategic Cyber Ventures, told FedScoop that this practice — measuring cybersecurity as part of an investors’ due diligence process — is “becoming more and more common.”
“I’d say we have really seen a growth in that particular market over the last five years,” said FusionX CEO Matthew Devost, referring to an uptick in revenue for his business from services purchased by investors. Devost’s company, which was acquired by Accenture in August 2015, leverages offensive cyber capabilities to test clients’ digital defenses.
FusionX is traditionally employed by investors to conduct tests during a pre-funding stage or in preparation of a merger, acquisition or initial public offering, said Devost. In the past, FusionX has worked closely with clean-tech, biotech and several large software companies to improve cybersecurity on behalf of their investors. Currently, the Reston, Va.-based cybersecurity company is working with a cohort of prominent, well-funded private equity firms that use its services to understand the strengths and weakness of their portfolio companies. Devost, once a senior adviser to the Department of Defense, declined to discuss clients by name.
“The concept of red teaming and adversarial breach simulation is gaining industry traction,” agreed Chris Patten, director of attack and penetration services at Denver-based Optiv.
“Accurately performed breach simulation requires a tolerance for unconventional adversarial techniques that continue to remain difficult for many organizations to accept … leaving the exercise for those that are truly focused on understanding their actual resiliency to threats,” Patten told FedScoop.
Some of the largest investment firms based in or around the Silicon Valley area have slowly become aware in recent years of the threats posed by hackers who look to steal valuable intellectual property from high tech American companies, insiders said.
When asked about the cybersecurity techniques and services they relied on when auditing companies’ digital defenses, a New Enterprise Associates spokesperson said the firm did not engage in such practices. Over the past nine months alone, NEA has invested north of $400 million in commercial tech companies based in the U.S.
The Carlyle Group and large venture capital firms Revolution LLC, Andreessen Horowitz and KPCB either declined or did not respond to FedScoop’s requests for comment.
The MedSec Fallout
In early September, the broader investment world — spanning both public and private markets — became aware of the damaging impacts felt when an important software vulnerabilities is disclosed to the masses.
Shortly after news broke that St. Jude Medical Inc.’s pacemakers and other implantable medical devices were found to carry dangerous software vulnerabilities, the company’s stock plummeted more than 8 percent.
As additional details of the case emerged, the public became aware of the role played by MedSec Holdings, a cybersecurity firm who privately performed security penetration tests on St. Jude Medical’s devices, but then proceeded to partner with a short-seller rather than directly notify the medical device maker.
MedSec Holdings’ short-seller, Muddy Waters Capital LLC, bet against St. Jude Medical and subsequently cashed in on tanking stocks — an action that has since prompted lawsuits.
“This disrupted the market and potentially put people at harm by announcing potential vulnerabilities to the world, including potential wrongdoers, instead of the company who could address the issues and strengthen the security,” said Braden Perry, a regulatory and government investigations attorney with Kennyhertz Perry.
Since 2013, the Food and Drug Administration has been hammering proactive cybersecurity programs. In January, for example, the FDA issued draft guidelines for medical device manufactures to address technology security risks in both premarket and post-market production, explained Perry.
Just days after St. Jude Medical’s stock was crushed on the New York Stock Exchange, one of St. Jude Medical’s investors reached out to Jason Syversen, a former DARPA program manager and the now CEO of Manchester, NH.-based Siege Technologies, FedScoop learned. Siege Technologies describes itself as providing “offense-driven defensive cybersecurity solutions.”
“They are worried about the report and future bombshells,” Syversen said.
Over the last several weeks, this investor — who Syversen declined to name — is also speaking with other offense-oriented cyber firms in an effort to validate MedSec Holdings’ claims.
“The idea is to prevent surprises like this again,” said Syversen.
As it stands, today, private equity investors are traditionally expected to do their own research to make investment decisions, Jacob Olcott, a vice president at security ratings firm BitSight, said.
“The challenge in cybersecurity is that there is often a lack of information or data for the investor to make a decision,” said Olcott, a former legal adviser to the Senate Commerce Committee and Chairman John D. Rockefeller’s lead negotiator on cybersecurity legislation.
NCC Group, one of the largest information assurance firms in the world, said they have yet to see any influence on sales following the Med Sec Holdings’ disclosure — though it may be too early to tell.
“The MedSec/Muddy Waters situation is topical at the moment, but in our experience the demand for security testing services is constant,” said NCC Group Senior Vice President Kevin Dunn, “[the] drivers towards spending money on security will of course vary between companies …. security-relevant events that receive media coverage can serve to highlight a particular risk, but in general the majority of companies [we deal with] have embarked upon a security program in some way.”