Secure Innovation for investors
Competition to succeed in emerging technology can be intense. This guidance offers advice on how you can empower the companies you invest in to protect their innovation, business, and profitability. Good security practices are also good investment practices.
Good security practices protect a business’ competitive advantage, making them more attractive to future investors and customers. Laying strong foundations from the start will help their security to be more effective and less costly as the business grows.
Know the Threats
Investors are not the only people interested in emerging technology companies.
The UK has a strong record in research and development and a vibrant startup ecosystem. This can make innovative UK companies attractive targets for a range of actors, such as:
- Competitors seeking commercial advantage
- Criminals looking to profit from companies with weak security
- State actors looking to steal your technology
In December 2020, the Netherlands expelled two alleged Russian intelligence officers for espionage against the Dutch high-tech sector. The officers had reportedly built a network of individuals with experience in the Dutch science and technology sector. The technologies in which these officers were reportedly most interested had military as well as civilian applications. The Dutch Interior Minister said that the actions taken by the alleged Russian intelligence officers had “likely caused damage to the organisations where the sources are or were active and thus possibly also to the Dutch economy and national security”. 1
Emerging technology companies of all sizes are being targeted by certain states. Companies with weak security are most at risk. Those states may steal technology to:
- Fast-track their technological capability, undermining your competitive edge
- Target, harm, and repress their own people to prevent dissent or political opposition, damaging your reputation
- Increase their military advantage over other countries, risking our national security
These activities pose a terminal risk to those businesses, jeopardising your investment returns.
There are many ways a state-backed or hostile actor could try to get hold of your portfolio companies’ assets:
- Insider – People are a business’ greatest asset but, in some cases, they can pose an insider risk
- Cyber – Insecure IT can provide an easy way for your portfolio companies to be exploited
- Physical – Your portfolio companies’ assets could be stolen via physical access
- International Travel – State-backed actors can operate more easily overseas than in the UK
- Investment – Investment can be used to gain access to, and influence over, your portfolio companies
- Overseas jurisdictions – International expansion exposes businesses to jurisdiction risk from local laws and business practices
- Supply chain – Vulnerable or malicious suppliers could compromise your returns
Pre-investment
Questions to ask:
- Does the company have any high-risk investors?
- Could the involvement of other investors inhibit future fundraising or sale of the company because of legal, ethical, or compliance issues, particularly in relation to sanctions, the National Security and Investment Act, or export controls?
Consider security risks during your pre-investment due diligence into the company and other investors involved. The questions above will help you consider issues that could affect the chances of your investment being a financial and reputational success.
Post-investment
Startups struggling to establish themselves may find it difficult to prioritise security. As an investor, you have a unique opportunity to influence your portfolio companies' attitudes to security to help them to succeed and protect your investment. You should consider building certain security requirements into your funding agreement.
Secure Innovation for companies provides guidance to young emerging technology companies on cost-effective measures they can take to lay the foundations for strong security from day one. It is based on an approach to security that focuses on:
- Identifying the company’s most valuable assets
- Assessing the risks those assets face
- Putting in place proportionate protections
The following questions follow this approach. They are intended to aid your early conversations with prospective ventures, both as part of your due diligence and to support their growth into secure and prosperous companies developing cutting-edge technology.
Secure Environment
Questions to ask:
- Is security owned and discussed at the Board level?
- Has the company identified its most valuable assets?
- Is security included in the company's risk register?
- Are security measures centred around the company's critical assets?
Enduring roles and responsibilities for security need to be established early. One of the first things that will show you that a company is taking security seriously is clear accountability at the top. This means that the company has identified a senior leader with the authority and responsibility to ensure that security risks are considered alongside other risks to the business. As the investor, you also gain a named point of contact within the company for security matters.
Your early involvement means that you can help shape the company’s culture to be one in which security, and any security incidents, are openly discussed so that the company can learn from experience. A good security culture at a startup level is an essential component of a robust security regime, which can be built upon for future success. By making security part of your due diligence process and having an open security dialogue, you will reinforce the message that security is an important component of doing business.
Useful resources
- NPSA’s Passport to Good Security for Senior Executives
- NCSC’s Board Toolkit
The return on your investment is reliant on the startup understanding which assets form the basis of their competitive advantage and ensuring that these are effectively protected. This could include the people, premises, products, services, information, technology, and knowledge that the company’s value is centred around.
Security risks should be assessed and managed alongside any other risks to the business. By incorporating security risks into its risk register, the company demonstrates awareness of, and commitment to managing, the risks it faces.
The following questions will help you to discuss this further with companies you are investing in:
- What are your company’s goals and priorities?
- What are your most critical assets?
- What are the threats to those critical assets?
- What is the likelihood and consequence of a threat affecting you?
In 2011, several laptops were stolen from a Scottish renewable manufacturer. Two months previously, the company had been visited by a 60-strong delegation led by a senior Chinese official. A few years later, pictures began emerging which showed a Chinese firm making a product virtually identical to the UK company’s wave-power device.
The UK company is now defunct, whilst the Chinese product remains under development.2
It is not possible to protect everything against every threat, especially for small companies with limited resources. However, security protections can cost less than expected, and will pay long term dividends. Security decisions should be prioritised, proportionate to the threat, and based on a thorough understanding of what is most important to the survival and success of the startup – and your investment.
Security will be more robust where it is based on a combination of information, physical, people and cyber security measures.
The following questions can help you determine whether the company has built essential security measures into its IT setup:
- Are a firewall and antivirus software both enabled on every device?
- Is strong password protection and, where available, encryption enabled for devices and accounts?
- Is all IT equipment regularly updated, ideally using automated updates?
- Are regular backups taken of critical data and stored away from the main system?
- Is consideration given to the trustworthiness of internet connections used?
- Are tools enabled to track, lock or wipe lost or stolen mobile devices?
Secure Products
Questions to ask:
- Have they built security into their products from the beginning?
- Do they have a strategy to identify and manage their IP?
The security of any technology products that the startup produces will likely be central to the success of the product and, consequently, of the startup. Technology is most secure when security has been built in from the start. Have products been designed to be secure by default? Products designed in this way fare better in the long term, and tend to be more usable, than products with security added as an afterthought.
How an organisation plans, manages, and protects their ideas should be a crucial feature in their business planning. A company should have the appropriate Intellectual Asset (IA) and Intellectual Property (IP) protections in place (whether through registered rights or contractual terms and conditions) for the jurisdictions in which they want to operate. You don’t want to invest time and money in a business to later find their IP belongs to someone else or is ineligible for IP protection.
However, having the right legal protections for IP in place does not mean it is no longer at risk. Access to a company’s most sensitive information should be actively tracked, reviewed, and managed to ensure it remains protected.
Secure Partnerships
Questions to ask:
- Does the company conduct due diligence on all prospective partners - investors, suppliers and collaborators?
- Has the company limited the data, information, and knowledge it shares to only what is necessary and within its risk tolerance?
As an investor, you will welcome collaborations as a way of growing your investment by attracting more customers and partners. However, it is also worth making the company aware of how its choice of third parties may affect your, and potential customers’, ability or willingness to do business with it.
Investments
Smiths (Harlow) Limited, a UK precision engineering company, agreed an £8m deal with China’s Future Aerospace in October 2017. On receipt of the first £3m, the company shared sensitive details and committed to train Future Aerospace’s engineers.
According to press reports in January 2020, Future Aerospace subsequently cited difficulties in approval processes within China and withdrew from the deal without paying the rest of the agreed amount.
Smiths (Harlow) Limited’s competitive advantage and intellectual property may have already been compromised. Their links to China also reportedly cost them their licence to make military equipment for western powers. The company was left facing administration in February 2020, citing Future Aerospace’s alleged theft of their IP and reneging on the deal as the cause.3
The identity of other investors also involved with your portfolio companies may impact you too, especially when considering the following:
- The investor’s reputation and track record
- The source of their funds (because some hostile investors may seek to obfuscate their involvement)
- Any implications of the legal regime they are subject to (especially for an overseas investor)
- Whether they have any unexpected commercial, political or military ties
- Whether they appear on the entity lists of other countries, particularly those the startup is, or may consider, doing business with
The National Security and Investment Act 2021 (NSI Act)
The NSI Act gives businesses and investors the certainty and transparency they need to do business in the UK while protecting the UK's national security. It provides the Government with powers to screen investments to assess and address any national security risks.
Investors and businesses must notify and receive clearance from the UK Government before making qualifying acquisitions relating to 17 defined areas of the economy. The UK Government can request to review any qualifying acquisition that may pose a national security risk.
Further information on the NSI Act is available at GOV.UK.
Collaborations
Increased collaboration can help companies grow. However, it also introduces additional risks which need to be managed.
Regardless of the collaboration partner, companies should always ensure that any risks they are exposed to are managed in line with their risk appetite (and your own as the investor).
The following questions will help you discuss this further with the companies you are investing in:
- Has the company limited the data, information, and knowledge it shares to only what is necessary and within its risk tolerance?
- Are the values and objectives of the parties that the company wishes to collaborate with aligned to your own?
- Are the company’s networks segregated from those of its collaboration partners?
- Are there appropriate technical and policy protections to ensure that data shared with partners (customers or other potential investors) is limited to what is necessary?
- Do partners’ approaches to managing data or security breaches or incidents align with your own?
Supply Chain
In 2021 the NCSC and US allies revealed that Russia's Foreign Intelligence Service was responsible for a series of cyber intrusions, including the compromise of global software supplier SolarWinds.
A US cyber security firm, FireEye, found that an attacker had been able to add a malicious modification to SolarWinds Orion products which allowed them to send administrator-level commands to any affected installation.4
Many startups benefit enormously from outsourcing certain functions to external providers with specialist expertise, but every supplier also brings its own security risks into the business. Companies can take control of these risks by seeking suppliers whose security offer and level of assurance meet their requirements. However, as an investor, you should always assess how a company’s suppliers affect its risk profile.
Supply chains present complex security risks for startups so considering them should be a part of your due diligence process. A series of high-profile attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security, often having detrimental consequences for the success of the company.
The following questions will help you to discuss this further with companies you are investing in:
- Has the company considered security at each stage of the procurement process?
- Has the company conducted due diligence on its suppliers?
- Has the company sought suppliers whose security arrangements meet company requirements?
- Does the company have a risk assessment process for using external suppliers?
- When using third party services, has the startup considered the impact of relevant regulation, such as the GDPR?
Security Growth
The risks you take on as an investor are not static: a company’s resilience against security threats will change over time. As the startup evolves, so can both the threat and the company’s resources to deal with it. You should continue to discuss and champion security for the duration of your involvement with the company.
Expanding into new markets
Questions to ask:
- Has the company put in place proportionate and effective security procedures for any international travel?
- Is the company compliant with UK export legislation and any other international export legislation which may apply (for example the US International Traffic in Arms Regulations)?
- Are you and the company aware of local laws in countries into which they are expanding, and how they could affect their business?
In March 2017, a GE Aviation employee was solicited to give a report and travel to China to present their report at a university. Whilst in China, they were introduced to a Ministry of State Security (MSS) officer, who paid the employee’s travel expenses and a stipend. The following year, the officer arranged a meeting with the employee during a business trip to Europe and asked them to send a copy of the file directory from their company-issued computer. The MSS officer was arrested in Belgium at the arranged meet, and extradited to the US where they were charged with conspiring and attempting to commit economic espionage and theft of trade secrets.5
Exports may be subject to UK and international sanctions or export control regulations, including the US International Traffic in Arms Regulations (ITAR), particularly when items may have military as well as civilian applications.
Useful resources
- The Export Control Joint Unit (ECJU) provides support and advice
In 2004, China launched several tenders to make 200 high-speed trains. Each tender stipulated that foreign companies had to collaborate with a domestic partner and transfer key technologies to China; and the final products had to be marketed under a Chinese state-owned enterprise’s brand. Bombardier, Kawasaki, Siemens, and Alstom each formed joint ventures (JVs) with one of two Chinese state-owned enterprises.
Within three years, Chinese firms allegedly started producing high-speed trains based on the foreign technology. The Chinese firms allegedly violated licensing agreements in which they committed to only use the technology domestically. Chinese firms are now selling their technologies back into foreign markets in competition with the companies from which they allegedly stole the technology.6
Different countries have different export control laws, as well as laws regarding the handling and storage of IP and data (possibly including requirements to install certain hardware or allow configuration to permit remote access to data by governments). National security laws in foreign countries can allow that country’s government to access data or information stored in, or transmitted via, that country.
Understanding local laws will help you recognise the additional security risks involved in expanding into new markets.
Useful resources
- The GOV.UK collection on Overseas Business Risk provides information for UK businesses on political, economic, and security risks when trading overseas
Security for a growing team
Questions to ask:
- Has the company put in place pre-employment screening processes for all recruits?
- Does the company provide security training for all staff, including at the point of induction?
In 2018, a Chinese wind turbine maker was convicted of stealing trade secrets in 2011 from a US semiconductor company, causing the company to lose more than $1 billion in shareholder equity and almost 700 jobs. The Chinese company recruited an employee of the US company to secretly copy information, including the source code for its wind turbine control system. In court, the employee's lawyer said his client's actions stemmed from "frustration" about a failed marriage, which had been strained by his trips abroad for work, followed by a demotion to the customer service department, resulting in the employee feeling undervalued.7
As the company grows, it is likely to hire new employees, contractors, and suppliers, and may no longer be able to rely primarily on personal relationships to establish trust. Companies operating in sensitive sectors should effectively screen new recruits and staff moving into sensitive roles. An established security training package and willingness to openly discuss security will help to ensure that everyone shares responsibility for security.
Staff access controls should be role-specific, with access to sensitive assets restricted to only those individuals who need it and are trusted to use it securely.
Preparing for security incidents
Questions to ask:
- Has the company established and tested an incident management plan?
- Does the company detect and investigate unexpected behaviour in IT and staff?
You cannot protect against all eventualities, but the damage caused to your investment by a breach can be reduced through a well-planned and executed response. This means the company needs to establish and test an incident management plan, together with processes to detect and investigate unexpected behaviour.
When handled sensitively, an understanding of any uncharacteristic behaviour in staff can help to prevent, as well as detect, an increased insider risk by improving the relationship between staff and the company.
Secure Innovation Principles
1. Know the Threats
Innovative UK companies, particularly those with weak security, are targets for state actors, competitors, and criminals looking to steal technology for their benefit. Use your unique position to influence your portfolio companies’ attitudes to security to help them to succeed and protect your investment. Consider security risks during your pre-investment due diligence into the company and other investors involved.
2. Secure Environment
Encourage your portfolio companies to take the steps to create the right environment for effective security: establishing security leadership, initiating a positive security culture, identifying their critical assets, incorporating security risks into their risk register, and centring security measures around their critical assets.
3. Secure Products
Technology is most secure when security has been built in from the start.
4. Secure Partnerships
A company’s investors, suppliers, and collaborators can limit their future business opportunities and increase their security risk exposure. Building in security from the start of a partnership will help mitigate these risks.
5. Secure Growth
Successful international expansion requires compliance with UK regulations and an understanding of how local laws and regulations could affect the business. As a business grows, a positive security culture and a trusted workforce become increasingly important. The damage caused by a security breach can be reduced through a well-planned and executed response.
Footnotes
1 Netherlands expels two Russians after uncovering 'espionage network' - BBC News
2 Mysterious factory break-in raises suspicions about Chinese visit | China | The Guardian
3 https://www.thetimes.co.uk/article/chinas-future-aerospace-stole-trade-secrets-says-smiths-harlow-03pg2m90j
4 https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021/the-threat/solarwind
5 https://www.justice.gov/opa/pr/jury-convicts-chinese-intelligence-officer-espionage-crimes-attempting-steal-trade-secrets
6 Heading Off Track: The Impact of China’s Mercantilist Policies on Global High-Speed Rail Innovation | ITIF
7 https://www.reuters.com/article/us-sinovel-wind-gro-usa-court-idUSKBN1FD2XL