While financial service firms are spending a lot of time addressing emerging information threats and working to meet emerging expectations (for example, the SEC’s recent changes to Regulation SP or the Digital Operational Resilience Act in the EU), firms in the private equity (PE) and venture capital (VC) space have been informed of one more threat that they will need to look at.
In July, the United States National Counterintelligence and Security Center (NCSC) issued a report warning that foreign threat actors could use private funds to infiltrate technology firms that are in the process of attracting new investors, using this opportunity to gain access to and steal sensitive information, property and company secrets.
The Bulletin notes that these attacks have already occurred, and they pose a serious threat to the economic health of technology firms, their investment firms, and national security.
NCSC Warning
The NCSC Bulletin explains how foreign PE and VC investment, particularly investment from Chinese companies, poses a unique risk to firms working to develop emerging technologies, such as AI, that align with the broader agenda of foreign governments. These investments could allow an aggressive foreign PE or VC firm to gain access to US firms’ intellectual property and data as they move through the early stages of the investment process, while performing due diligence on a technology firm. This intellectual property can then be passed back to a foreign government to advance its own innovation.
In particular, the bulletin provides examples of US, UK and EU firms that had received funding from Chinese VC firms, funding which was withdrawn once the VC firm gained access to their technology.
In addition, foreign threat actors can use a few different methods to obtain sensitive information about firms seeking to access private funds, including:
- Working to avoid scrutiny from the Committee on Foreign Investment in the United States (CFIUS) through strict investment standards.
- Routing money through the US or the rest of the world to conceal the source of the money.
- Making minority or limited partner investments to gain access to detailed information.
- Gaining access to important data under the pretext of technical expertise.
This concern has increased following the US Department of Defense’s identification of IDG Capital, a Chinese VC company, as a “Chinese Military Company.” IDG Capital holds investments in more than 1,600 companies, including several in the US. Furthermore, the US Department of the Treasury has warned that private fund advisors may unknowingly transfer money when making money with foreign investments, especially if the source of the money is not given thorough examination.
Role of PE and VC Firms in Mitigating This Risk
While the risk of this foreign investment will be more detrimental to firms looking for new capital, PE and VC firms have a responsibility to oversee the companies in their portfolio and should play an active role in helping those firms manage this danger.
These include:
Raising Awareness of Information Security Risks. The NCSC Bulletin provides an opportunity for PE and VC firms to engage with the management teams at their portfolio companies to discuss and evaluate how the firms are protecting trade secrets, valuable technology and sensitive information. PE and VC firms can highlight the risk that foreign investment poses to the company’s potential profitability, trade secrets and ability to secure government contracts, and give management teams red flags to watch for when foreign investment firms start to invest. But more importantly, the PE or VC firm can provide guidance on best practices for the portfolio company’s information security programs to help these programs protect their sensitive information from various potential cyberattacks.
PE and VC firms have a responsibility to provide oversight for their portfolio companies and must play a role in helping their portfolio companies manage this risk.
Managing the Risk of Partnerships/Minority Partnerships. The NCSC bulletin should serve as a reminder to PE and VC firms about the potential risks of limited partner/minority investments. As the bulletin notes, new investments and limited funds are a common method that threat actors use to obtain sensitive or proprietary information from portfolio companies, and PE and VC firms must ensure that there are adequate protections in place for their portfolio companies to safeguard their investments. This may include: guiding the portfolio company on the limitations that must be placed on the data and information provided prior to investment; supporting strong decisions about firms that offer little or no cooperation; and providing the portfolio company with the resources and support needed to oversee the protection of their sensitive data and intellectual property.
Conducting Due Diligence on Entry and Exit Investments. PE and VC firms should consider the risks outlined by the NCSC before entering or exiting their investment in a portfolio company. While not the only factor that determines a technology company’s value, PE and VC firms will be interested in understanding whether the portfolio company’s information is adequately protected and remains unique to the firm. PE and VC firms should be sure to confirm that the company’s technical assets are properly protected before investment.
Developing an Action Plan for Information Security Monitoring. One of the most important steps that PE and VC firms can take in response to NCSC’s bulletin is to ensure that they are taking an active role in cyber monitoring and information security initiatives across their portfolio. This includes establishing a systematic program to review, monitor, and improve cyber and information security programs within their portfolio, as well as ensuring that portfolio companies have the appropriate resources and capabilities to maintain proper controls and best practices in cyber and information security. This strategic approach will help reduce the risk of companies within the portfolio losing control of their sensitive information, either to malicious foreign investors or to a general cyberattack.
In light of the NCSC’s recent warning on the risks of foreign investment, PE and VC firms should remain vigilant and diligent in protecting the sensitive information of their portfolio companies. With external threats increasingly targeting private investment in an attempt to gain access to critical technology and intellectual property, the risks posed to firms and national security in general can be significant. By raising awareness of this risk, addressing issues related to minority investments and limited partnerships, conducting appropriate due diligence, and adopting a strategic approach to information security programs, PE and VC firms can better protect their investment and maintain the profitability of portfolio companies.
Aaron Pinnick is the Executive Director of Thought Leadership, ACA Aponix
Middle Market Growth is produced by the Association for Corporate Growth. To learn more about the organization and how to become a member, visit www.acg.org.