Founder Series: Top Tips to Follow to Navigate the Evolving Cyber Threat Landscape

6 minute read | December.20.2022

Orrick's Founder Series offers monthly top tips for UK startups on key considerations at each stage of their lifecycle, from incorporating a company through to possible exit strategies. The Series is written by members of our market-leading London Technology Companies Group (TCG), with contributions from other practice members. Our Band 1 ranked London TCG team closed over 320 growth financings and tech M&A deals totalling US$9.76bn in 2022 and has dominated the European venture capital tech market for 7 years in a row (PitchBook, FY 2022). In our previous instalments, we have guided founders through the process of incorporating a private limited company, building their team, how to use share options to attract and incentivise their employees, protect their ideas, identify key compliance considerations and get ready to raise.

For many, cybersecurity is an area that is intimidating and hard to navigate – especially for smaller companies who often lack the resources (and sometimes knowledge) to protect effectively against cyber risks.

Individuals or groups which target companies with cyber threats (often called "threat actors") continue to aim primarily at companies which are highly likely to pay a ransom, or those lacking cybersecurity defences, including: companies which are IP or data-rich, important to supply chains, those in industries such as financial services, healthcare and energy, or which are perceived to work with governmental bodies, and small or earlier stage companies with limited cybersecurity defences.

Failing to implement appropriate cybersecurity defences has a real cost: data breaches can cost millions, even for small companies. This includes the expense of investigating and notifying regulators, legal costs, as well as downtime, customer, and reputation loss.

It is never too early to get clued up on cybersecurity – our Cybersecurity Jargon Buster is available here (produced in collaboration with S-RM and Thomson Reuters Practical Law).

Read on for our summary of the top 10 cybersecurity considerations for startups.

Who and what should you be protecting? Using your business plan as a starting point, you should assess the value of your current and future data assets to ensure time and resources are effectively directed to high-risk areas. For many early-stage companies, IP and confidential information can be the most valuable assets. Prioritising the protection of customer personal data is also essential. A comprehensive map of the data you hold can assist with how time, resource and budget is allocated.

What and how you protect should also be adapted to reflect the risks of the industry you are in, including any industry-specific laws (e.g. the Network & Information Systems Regulations/Directive in the UK/EU and the Electronic Communications (Security) Measures Regulations in the UK).
Ensuring your systems are protected. Most early-stage companies are reliant on third party technological solutions (e.g. cloud-based systems and a remote work force), which pose cybersecurity challenges.

To protect your company's systems, you should be continually working with your security teams to identify areas of weakness and deploy proportionate solutions, such as implementing secondary authentication mechanisms (e.g. multi-factor authentication), regularly rotating user passwords and auditing privileged accounts on a regular basis. Third-party vendors can also be used to monitor threats internally and externally.
Clear and detailed incident response plan. Your company should map all areas of its business to create an incident response plan, which sets out the processes for managing a cybersecurity incident, outlines the external vendors that can support in an incident and the structure of teams that will collaborate during an incident. Preparation is essential in order to focus key stakeholders during a cybersecurity threat.

This plan should be reviewed and updated on an ongoing basis to ensure it grows with both the company and the evolving threat landscape.
Documentation. As your company grows, personnel will change. Therefore, it is vital that time is spent documenting your cybersecurity processes to ensure continuity and to demonstrate regulatory compliance. There should be a clear audit trail of security changes, whether for internal or external purposes.
Vendor security. When negotiating with vendors, your contracts should include cybersecurity provisions detailing your expectations of the vendor to mitigate cybersecurity risks. These may include notification and escalation obligations, warranties that the vendor will comply with their cybersecurity obligations and indemnities to make the vendor liable for any costs arising from a failure to do so.

In response to increased regulatory attention to supply chain cybersecurity attacks (particularly following high-profile incidents such as the 2020 SolarWinds attack), the UK National Cybersecurity Centre released new guidance in October 2022 (available here), aimed at helping companies assess cybersecurity in their supply chains.
Security culture. You should ensure your security culture is incident ready. During an incident, a disconnect between security teams and the wider company can hinder cooperation and reduce a company's ability to work efficiently towards a containment phase.
Budgets. According to the UK's Department for Digital, Culture, Media and Sport's 'Cybersecurity Breaches Survey 2022', UK SMEs have taken few proactive steps on cybersecurity, in part because of competing budget priorities. To help overcome this, security teams need to drive cyber awareness at board level at an early stage to enhance buy-in.

Investing in large scale capital projects, including those that ensure safety against potential cyber threats, is essential for long-term economic growth and ensuring a company's ongoing resilience.
Cyber insurance. Many early-stage companies do not invest in cyber insurance, despite the increasing frequency of cyber-attacks. The cost of cyber insurance can be a deterrent, however, the potential losses arising from a cyber incident can be significant. Insurers are interested in clients who exhibit cybersecurity maturity, which is more important to them than the size of the organisation. A diligent approach to cybersecurity has the ability to reduce an insurance premium dramatically. For more information see: Cybersecurity Insurance and Managing Risk: 10 Things to Know.
Regulatory compliance. Regulatory fines or sanctions can be the greatest financial and reputational exposure arising from a cybersecurity incident.

Along with the steps above, which can help demonstrate compliance to regulators, you should examine the activities of your business and consider whether they expose you to regulatory risks. Regulators are particularly concerned about incidents involving large quantities of personal data or sensitive personal data (such as health data). In some cases, an incident can expose you to risks from several regulatory regimes across multiple jurisdictions. For example, if your health tech company controls or processes health information, you should consider whether you have obligations under the UK and EU GDPR, as well as the Health Insurance Portability and Accountability Act in the USA.
Company and cyber maturity. Cyber maturity is important as your company grows and faces more complex issues. At any stage, you should be ensuring that regular discussions are had throughout the company about cybersecurity issues. An early-stage company might hold these conversations at bi-annual or quarterly Board meetings, whereas a larger company may establish smaller committees focused specifically on cybersecurity.

A key indicator of cyber maturity and company maturity growing alongside each other is the ease and speed at which cybersecurity discussions shift in relation to developing demands, such as in the event of a merger or acquisition, or if your company is looking to introduce a new product or service.

Our Cyber, Privacy & Data Innovation team can assist you at all stages of your cybersecurity process from preparation, incident response and post-incident review, kicking off any advice with an introductory meeting where they can learn about your business and objectives, and provide strategic advice on:

Tackling cybersecurity expectations and requirements from investors, customers, and regulators.
Key cybersecurity risk areas and controls.
Cybersecurity insurance.
Industry frameworks (e.g., NIST, ISO, CIS and SIG) and Certifications (e.g., SOC 1, SOC2, and HITRUST).

If you would like more details on any of the issues above, please contact Kelly Hagedorn.

Authors

Jamie Moore Partner, Technology Companies Group, Fintech

London

See my bio

D:+44 20 7862 4610
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Companies Group
Fintech

vCard

See full bio

Jamie Moore Partner

London

Jamie acts for both early and late stage companies in intellectual property rich sectors and those who invest in them, including some of the most active venture capital funds, corporate or individual investors.

Jamie has a passion for disruptive technologies, innovation and entrepreneurial business. He has acted on countless transactions across a broad range of sectors both in the UK and internationally, but is most known for his experience in acting on investments into fintech and Artificial Intelligence companies.

Jamie has deep knowledge of the practice area in which he operates and market trends, which he leverages to provide clear and concise advice on a range of corporate issues taking high growth technology companies from start-up through to exit.

He presents on corporate law and venture capital to clients and at seminars in the City, including practitioners’ conferences on practical legal issues in venture capital transactions and SEIS/EIS investments.

An active participant in the venture capital community, Jamie Moore has contributed to industry standard form documentation, acted as a mentor for various Seedcamp portfolio companies and hosted office-hours for the Barclays' TechStars cohort.

Kristy Hart Associate, Technology & Innovation, Technology Companies Group

London

See my bio

D:+442078624600
E: [email protected]

Practice:

Technology & Innovation
Technology Companies Group

vCard

See full bio

Kristy Hart Associate

London

Kristy has experience working with companies as well as investors and venture capital funds throughout a company's life cycle, including early-stage financings, institutional funding rounds and exits.

In addition to equity financings, Kristy advises clients on other corporate transactions including bridge financings, secondary transactions and cross-border flip transactions.

Kelly Hagedorn Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

London

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn Partner

London

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Hanna Hewitt Associate, Global Compliance & Regulatory, Cyber, Privacy & Data Innovation

London

See my bio

D:+442078624681
E: [email protected]

Practice:

Global Compliance & Regulatory
Cyber, Privacy & Data Innovation

vCard

See full bio

Hanna Hewitt Associate

London

Hanna works with a range of clients from FTSE100 companies to early-stage companies across a breadth of sectors helping them to handle cyber incidents. She supports clients with immediate response to cyber incidents, including working with forensic providers to eradicate and contain cyber threats as well as advising clients on their obligations in relation to regulatory bodies and third parties. Hanna also supports clients with ongoing cyber risk management and privacy compliance uplift programs to help clients mitigate regulatory and third-party risk.

She also provides privacy advisory support to clients, working on multi-jurisdictional matters. She assists clients with privacy compliance uplift programs and advises on privacy documentation relating to data retention, processing and transfer.

Hanna trained at Orrick and during her training contract also gained experience in litigation, corporate (Technology Companies Group) and competition.