Secure INNOVATION

Emerging technology companies of all sizes are being targeted by certain states. Companies with weak security are most at risk. Those states may steal technology to:

• Fast-track their technological capability, undermining your competitive edge
• Target, harm, and repress their own people to prevent dissent or political opposition, damaging your reputation
• Increase their military advantage over other countries, risking our national security

These activities pose a terminal risk to those businesses, jeopardising your investment returns.

There are many ways a state-backed or hostile actor could try to get hold of your portfolio companies’ assets:

• Insider – People are a business’ greatest asset but, in some cases, they can pose an insider risk
• Cyber – Insecure IT can provide an easy way for your portfolio companies to be exploited
• Physical – Your portfolio companies’ assets could be stolen via physical access
• International Travel – State-backed actors can operate more easily overseas than in the UK
• Investment – Investment can be used to gain access to, and influence over, your portfolio companies
• Overseas jurisdictions – International expansion exposes businesses to jurisdiction risk from local laws and business practices
• Supply chain – Vulnerable or malicious suppliers could compromise your returns

Consider security risks during your pre-investment due diligence into the company and other investors involved. The questions above will help you consider issues that could affect the chances of your investment being a financial and reputational success.

Enduring roles and responsibilities for security need to be established early. One of the first things that will show you that a company is taking security seriously is clear accountability at the top. This means that the company has identified a senior leader with the authority and responsibility to ensure that security risks are considered alongside other risks to the business. As the investor, this will also provide you with a point of contact within the company for security matters.

Your early involvement means that you can help shape the company’s culture to be one in which security, and any security incidents, are openly discussed so that the company can learn from experience. A good security culture at a startup level is an essential component of a robust security regime, which can be built upon for future success. By making security part of your due diligence process and having an open security dialogue, you will reinforce the message that security is an important component of doing business.

The return on your investment is reliant on the startup understanding which assets form the basis of their competitive advantage and ensuring that these are effectively protected. This could include the people, premises, products, services, information, technology, and knowledge that the company’s value is centred around.

Security risks should be assessed and managed alongside any other risks to the business. By incorporating security risks into the company’s risk register, they are demonstrating an awareness and commitment to managing the risks they face.

It is not possible to protect everything against every threat, especially for small companies with limited resources. However, security protections can cost less than expected, and will pay long term dividends. Security decisions should be prioritised, proportionate to the threat, and based on a thorough understanding of what is most important to the survival and success of the startup – and your investment.

Security will be more robust where it is based on a combination of information, physical, people and cyber security measures.

The security of any technology products that the startup produces will likely be central to the success of the product and, consequently, of the startup. Technology is most secure when security has been built in from the start. Have products been designed to be secure by default? Products designed in this way will fare better in the long term, and so be more usable, than products with security added as an afterthought.

How an organisation plans, manages, and protects their ideas should be a crucial feature in their business planning. A company should have the appropriate Intellectual Asset (IA) and Intellectual Property (IP) protections in place (whether through registered rights or contractual terms and conditions) for the jurisdictions in which they want to operate. You don’t want to invest time and money in a business to later find their IP belongs to someone else or is ineligible for IP protection.

However, having the right legal protections for IP in place does not mean it is no longer at risk. Access to a company’s most sensitive information should be actively tracked, reviewed, and managed to ensure it remains protected.

As an investor, collaborations will be a welcomed way of growing your investment by attracting more customers and partners. However, it is also worth making the company aware of how their choice of third parties may impact upon your, and potential customers', ability or willingness to do business with them.

The identity of other investors also involved with your portfolio companies may impact you too, especially when considering the following:

• The investor’s reputation and track record
• The source of their funds (because some hostile investors may seek to obfuscate their involvement)
• Any implications of the legal regime they are subject to (especially for an overseas investor)
• Whether they have any unexpected commercial, political or military ties
• Whether they are on the entity listing of other countries, particularly those the startup is, or may consider, doing business with

Many startups benefit enormously from outsourcing certain functions to external providers with specialist expertise. Companies can take control of these risks by seeking suppliers whose security offer and level of assurance meets their requirements. However, as an investor, you should always assess how a company’s suppliers affect their risk profile.

Supply chains present complex security risks for startups so considering them should be a part of your due diligence process. A series of high-profile attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security, often having detrimental consequences for the success of the company.

Exports may be subject to UK and international sanctions or export control regulations, including the US International Traffic in Arms Regulations (ITAR), particularly when items may have military as well as civilian applications.

Different countries have different export control laws, as well as laws regarding the handling and storage of IP and data (possibly including requirements to install certain hardware or allow configuration to permit remote access to data by governments). National security laws in foreign countries can allow that country’s government to access data or information stored in, or transmitted via, that country.

Understanding local laws will ensure that you understand the additional security risks involved in expansion into new markets.

As the company grows, it is likely to hire new employees, contractors, and suppliers, and may no longer be able to rely primarily on personal relationships to establish trust. Companies operating in sensitive sectors should effectively screen new recruits and staff moving into sensitive roles. An established security training package and willingness to openly discuss security will help to ensure that everyone shares responsibility for security.

Staff access controls should be role-specific, with access to sensitive assets restricted to only those individuals who need it and are trusted to use it securely.

You cannot protect against all eventualities, but the damage caused to your investment by a breach can be reduced through a well-planned and executed response. This means the company needs to establish and test an incident management plan and processes to detect and explore unexpected behaviour.

When handled sensitively, an understanding of any uncharacteristic behaviour in staff can help to prevent, as well as detect, an increased insider risk by improving the relationship between staff and the company.

Footnotes

¹Netherlands expels two Russians after uncovering 'espionage network' - BBC News

²Mysterious factory break-in raises suspicions about Chinese visit | China | The Guardian

³ https://www.thetimes.co.uk/article/chinas-future-aerospace-stole-trade-secrets-says-smiths-harlow-03pg2m90j

⁴ https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021/the-threat/solarwind

⁵ https://www.justice.gov/opa/pr/jury-convicts-chinese-intelligence-officer-espionage-crimes-attempting-steal-trade-secrets

⁶Heading Off Track: The Impact of China’s Mercantilist Policies on Global High-Speed Rail Innovation | ITIF

⁷ https://www.reuters.com/article/us-sinovel-wind-gro-usa-court-idUSKBN1F…