Orrick's Founder Series offers monthly top tips for UK startups on key considerations at each stage of their lifecycle, from incorporating a company through to possible exit strategies. The Series is written by members of our market-leading London Technology Companies Group (TCG), with contributions from other practice members. Our Band 1 ranked London TCG team closed over 320 growth financings and tech M&A deals totalling US$9.76bn in 2022 and has dominated the European venture capital tech market for 7 years in a row (PitchBook, FY 2022). In our previous instalments, we have guided founders through incorporating a private limited company, building their team, using share options to attract and incentivise their employees, protecting their ideas, identifying key compliance considerations and getting ready to raise.
For many, cybersecurity is an area that is intimidating and hard to navigate – especially for smaller companies, which often lack the resources (and sometimes the knowledge) to protect effectively against cyber risks.
Individuals or groups that target companies with cyber threats (often called "threat actors") continue to aim primarily at companies that are highly likely to pay a ransom, or that lack cybersecurity defences. These include companies that are IP- or data-rich or important to supply chains, those in industries such as financial services, healthcare and energy, those perceived to work with governmental bodies, and small or earlier-stage companies with limited cybersecurity defences.
Failing to implement appropriate cybersecurity defences has a real cost: data breaches can cost millions, even for small companies. This includes the expense of investigating and notifying regulators, legal costs, as well as downtime, customer, and reputation loss.
It is never too early to get clued up on cybersecurity – our Cybersecurity Jargon Buster is available here (produced in collaboration with S-RM and Thomson Reuters Practical Law).
Read on for our summary of the top 10 cybersecurity considerations for startups.
- Who and what should you be protecting? Using your business plan as a starting point, you should assess the value of your current and future data assets to ensure time and resources are directed to high-risk areas. For many early-stage companies, IP and confidential information can be the most valuable assets. Prioritising the protection of customer personal data is also essential. A comprehensive map of the data you hold can guide how time, resource and budget are allocated.
What and how you protect should also be adapted to reflect the risks of the industry you are in, including any industry-specific laws (e.g. the Network & Information Systems Regulations/Directive in the UK/EU and the Electronic Communications (Security) Measures Regulations in the UK).
- Ensuring your systems are protected. Most early-stage companies rely on third-party technology (e.g. cloud-based systems) and a remote workforce, both of which pose cybersecurity challenges.
To protect your company's systems, you should be continually working with your security teams to identify areas of weakness and deploy proportionate solutions, such as implementing secondary authentication mechanisms (e.g. multi-factor authentication), regularly rotating user passwords and auditing privileged accounts on a regular basis. Third-party vendors can also be engaged to monitor threats both inside and outside the organisation.
- Clear and detailed incident response plan. Your company should map all areas of its business to create an incident response plan, which sets out the processes for managing a cybersecurity incident, outlines the external vendors that can support in an incident and the structure of teams that will collaborate during an incident. Preparation is essential in order to focus key stakeholders during a cybersecurity threat.
This plan should be reviewed and updated on an ongoing basis to ensure it grows with both the company and the evolving threat landscape.
- Documentation. As your company grows, personnel will change. Therefore, it is vital that time is spent documenting your cybersecurity processes to ensure continuity and to demonstrate regulatory compliance. There should be a clear audit trail of security changes, whether for internal or external purposes.
- Vendor security. When negotiating with vendors, your contracts should include cybersecurity provisions detailing your expectations of the vendor to mitigate cybersecurity risks. These may include notification and escalation obligations, warranties that the vendor will comply with their cybersecurity obligations and indemnities to make the vendor liable for any costs arising from a failure to do so.
In response to increased regulatory attention to supply chain cybersecurity attacks (particularly following high-profile incidents such as the 2020 SolarWinds attack), the UK National Cyber Security Centre released new guidance in October 2022 (available here), aimed at helping companies assess cybersecurity in their supply chains.
- Security culture. You should ensure your security culture is incident ready. During an incident, a disconnect between security teams and the wider company can hinder cooperation and reduce a company's ability to work efficiently towards a containment phase.
- Budgets. According to the UK Department for Digital, Culture, Media and Sport's 'Cyber Security Breaches Survey 2022', UK SMEs have taken few proactive steps on cybersecurity, in part because of competing budget priorities. To help overcome this, security teams need to drive cyber awareness at board level at an early stage to build buy-in.
Investing in large-scale capital projects, including those that protect against potential cyber threats, is essential for long-term economic growth and for a company's ongoing resilience.
- Cyber insurance. Many early-stage companies do not invest in cyber insurance, despite the increasing frequency of cyber-attacks. The cost of cyber insurance can be a deterrent; however, the potential losses arising from a cyber incident can be significant. Insurers are interested in clients who exhibit cybersecurity maturity, which matters more to them than the size of the organisation. A diligent approach to cybersecurity can reduce an insurance premium dramatically. For more information see: Cybersecurity Insurance and Managing Risk: 10 Things to Know.
- Regulatory compliance. Regulatory fines or sanctions can be the greatest financial and reputational exposure arising from a cybersecurity incident.
Along with the steps above, which can help demonstrate compliance to regulators, you should examine the activities of your business and consider whether they expose you to regulatory risks. Regulators are particularly concerned about incidents involving large quantities of personal data or sensitive personal data (such as health data). In some cases, an incident can expose you to risks from several regulatory regimes across multiple jurisdictions. For example, if your health tech company controls or processes health information, you should consider whether you have obligations under the UK and EU GDPR, as well as the Health Insurance Portability and Accountability Act in the USA.
- Company and cyber maturity. Cyber maturity becomes more important as your company grows and faces more complex issues. At any stage, you should ensure that cybersecurity issues are discussed regularly throughout the company. An early-stage company might hold these conversations at bi-annual or quarterly Board meetings, whereas a larger company may establish smaller committees focused specifically on cybersecurity.
A key indicator of cyber maturity and company maturity growing alongside each other is the ease and speed at which cybersecurity discussions shift in relation to developing demands, such as in the event of a merger or acquisition, or if your company is looking to introduce a new product or service.
Our Cyber, Privacy & Data Innovation team can assist you at all stages of your cybersecurity process, from preparation through incident response to post-incident review, kicking off any engagement with an introductory meeting where they can learn about your business and objectives, and provide strategic advice on:
- Tackling cybersecurity expectations and requirements from investors, customers, and regulators.
- Key cybersecurity risk areas and controls.
- Cybersecurity insurance.
- Industry frameworks (e.g., NIST, ISO, CIS and SIG) and certifications (e.g., SOC 1, SOC 2 and HITRUST).
If you would like more details on any of the issues above, please contact Kelly Hagedorn or Cameron Carr.