Skip to main content

Venture Capital Firms Have a Cyber Problem. Here’s How To Fix It

As an investor, I understand that every investment carries an element of risk. The world’s top investors are the ones who understand how to reduce risk the most. Maximising returns, minimising losses.

The venture capital industry – which moved over half a trillion pounds globally in 2021 – takes this game of risk to the next level. Risk reduction at every step of the way is vital. 

To be clear, I’m not talking about the calculated risk that any venture capital (VC) firm must factor into their investment decisions. Knowing how much uncertainty you can tolerate in the pursuit of success is a defining part of what you do.

No, instead it's the risks you can control – on both your and the target company’s side – that must be eliminated. Cybersecurity is one such issue.

VC firms, for the most part, are ramping up their own defences as they are conscious of the threat cybercriminals pose. But too often investors fail to check that their target companies are doing the same.

The news is full of high-profile organisations that have been tripped up by devastating cyberattacks – in some cases terminally. One infamous example is the ‘Florentine Banker’ incident of 2019, where three companies across the UK and Israel had almost £1 million stolen after attackers gained control of the victim’s email accounts and diverted a planned transfer of funds. 

Even the FBI recently warned that ransomware criminals have been using significant financial events and stock information to extort their victims. An ‘it won’t happen to me’ mindset, no longer cuts it.

Incidents like this are a stark reminder that when it comes to investing money in target companies, investment firms have to go far beyond the bare minimum, ensuring their prospects are properly prepared for the ever-increasing pace of cyberattacks.

During the investment process, the critical investment checklist reduces risks wherever possible. They look at sales, assets and staffing as a matter of course, but how many put proper cybersecurity procedures on their checklist?

A business is only as strong as its weakest cybersecurity link, whether it be a breach in your own business, or at a company in which you have just invested millions. This has real-world consequences for an investment decision: companies that suffer a breach showed a fall in enterprise value of 20-33% in the aftermath of the announcement.

So before making an investment, VCs must check that a company is robust when it comes to protecting themselves online. The sort of questions they should be asking might include:

  1. Have you identified immediate vulnerabilities, and fixed them through upgrades to software?
  2. Do you regularly conduct companywide tests on phishing and physical intrusion?
  3. Have you recently undergone a ‘pen test’ of your internal and external network infrastructure?
  4. Do you provide staff with training to detect and avoid threats?

The answers – or lack of them – will be revealing. You should absolutely confront the discussion of cyber security as soon as possible with your target company. This must be on every investor's critical checklist.

And whatever the response, a responsible VC with an eye on ensuring long-term returns should hire an independent company to put a target company through its paces. If proper cyber security measures are not in place – don’t even Pass Go.


Nicola Hartland is Chief Revenue Officer at Falanx Cyber


The views expressed in this article are those of the author and do not necessarily reflect the views of AlphaWeek or its publisher, The Sortino Group

Content role

© The Sortino Group Ltd

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency or other Reprographic Rights Organisation, without the written permission of the publisher. For more information about reprints from AlphaWeek, click here.