Secure Innovation for investors
With the UK’s strong record in research and development, and with its vibrant startup ecosystem, there are plenty of opportunities for those investing in innovative startups. However, companies working in emerging technology may face a number of security risks. Secure Innovation aims to help reduce these risks by providing practical steps to lay the foundations for strong security. This guidance is for early-stage investors in emerging technology companies. It offers advice on how you can engage with the security of the startups you consider investing in. Doing so can help to shape the ways the startups will protect their innovation, thereby safeguarding your investment in the long term. Your ability to guide companies towards greater security and compliance may make you more attractive as an investor. As a responsible custodian of capital, including security considerations in your due diligence process will increase your likelihood of seeing a return on your investment.
What is the risk?
The UK’s strengths in research, development and innovation can make UK emerging technology startups attractive targets for a wide range of actors. This can put their success - and your investment - at risk.
- Competitors seeking commercial advantage.
- Criminals. Cybercrime is a major threat to businesses of any size and often aims to profit from access to any vulnerable network.
- Hostile actors backed by a foreign state. Although international collaboration can be enormously beneficial when developing cutting-edge technology, startups may be at risk if collaborating with organisations that may be backed by a foreign state. Some states may seek access to emerging technology for reasons that risk undermining the company’s reputation or competitive advantage, or are at odds with UK interests and values. The latter could include:
  - To develop a research and innovation base to increase military and technological advantage over other countries
  - To deploy their technological and military advantages against their own population to prevent internal dissent or political opposition
In some cases, the threats faced by a company can be varied and overlapping, and it can be hard to distinguish between hostile competitors and hostile actors backed by a foreign state.
Whilst employed by General Electric Power & Water (GE) in New York, Xiaoqing Zheng allegedly stole multiple electronic files associated with GE gas and steam turbines. According to a US indictment, he is alleged to have shared many of these with his business partner in China, Zhaoxi Zhang. The indictment alleges that Zheng and Zhang used the stolen GE trade secrets to advance their own business interests in two Chinese companies. The information is also thought to have been shared with China’s Shenyang Aerospace University and Shenyang Aeroengine Research Institute, and Huaihai Institute of Technology.
Zheng and Zhang received financial and other support from the Chinese government and allegedly coordinated with Chinese government officials to enter research agreements with Chinese state-owned institutions to develop turbine technology.[1]
1. Security from the start
Questions to ask:
- Does the company have any overseas investors associated with a country which may be viewed as hostile to the UK or one which has different democratic and ethical values from our own?
- Could the involvement of other investors inhibit future fundraising or sale of the company because of legal, ethical or compliance issues, particularly in relation to sanctions, the National Security and Investment Act or export control?
Before making an investment you will conduct due diligence into the company and possibly other investors involved. As part of this process, you should consider whether there is any publicly available information regarding the company and/or its other investors that might give you cause for concern. The questions above will help you consider issues that could affect the chances of your investment being a financial and reputational success.
The following resources could help inform your decision about the suitability of partnering with companies and other investors:
Startups struggling to establish themselves may find it difficult to prioritise security. As an investor, you have a unique opportunity to influence your portfolio companies' attitudes to security to help them to succeed and protect your investment.
Your early involvement means that you can help to shape their culture to be one in which security, and any security incidents, are openly discussed so that the company can learn from experience. The way you engage with the company can help to set the tone for this. You could consider building certain security requirements into your funding agreement.
Accenture advise companies who wish to innovate that: “The Security decisions your company makes today will determine which side of the innovation divide you land on. Security investment protects overall innovation investment and the resultant return on investment.”[2]
Secure Innovation for companies provides guidance to young emerging technology companies on cost-effective measures they can take to lay the foundations for strong security from day one. It is based on an approach to security that focuses on:
- Identifying the companies’ most valuable assets
- Assessing the risks those assets face
- Putting in place proportionate protections
The following questions follow this approach. They are intended to aid your early conversations with prospective ventures, both as part of your due diligence and to support their growth into secure and prosperous companies developing cutting-edge technology.
Leading by example
Questions to ask:
- Is security owned and discussed at the Board level?
Enduring roles and responsibilities for security need to be established early. One of the first things that will show you that a company is taking security seriously is clear accountability at the top. This means that the company has identified a senior leader with the authority and responsibility to ensure that security risks are considered alongside other risks to the business. For you as the investor, this also provides a point of contact within the company for security matters.
Establishing security leadership will also help the company to build an effective security culture, where people feel enabled to protect the things which are most valuable. A good security culture at startup level is an essential component of a robust security regime, which can be built upon for future success. By making security a part of your due diligence process and having an open security dialogue, you will reinforce the message that security is an important component of doing business.
NCSC’s Board Toolkit and NPSA’s Passport to Good Security for Senior Executives can help you engage with the Board in areas of security they should be aware of.
Protecting the startup's competitive advantage
Questions to ask:
- Has the company identified its most valuable assets and conducted a risk assessment to determine what mitigations should be in place?
- Are IP protections in place?
- Is access to information and assets controlled and limited to just those trusted individuals who need it?
- Have essential security measures been built into the IT setup?
The return on your investment is reliant on the startup understanding which assets form the basis of its competitive advantage, and ensuring that these are effectively protected. This could include the people, premises, products, services, information, technology, and knowledge that the company’s value is centred around.
It is not possible to protect everything against every threat, especially for small companies with limited resources. However, security protections can cost less than expected, and will pay long term dividends. Security decisions should be prioritised, proportionate to the threat, and based on a thorough understanding of what is most important to the survival and success of the startup - and your investment. Security will be more robust where it is based on a combination of information, physical, people and cyber security measures.
In 2020, criminals tried to bribe a Tesla employee to install malware in one of the company’s factories. The malware was designed to exfiltrate data and extort ransom money. The FBI arrested a Russian national for attempting to “recruit an employee of a company to introduce malicious software into the company’s computer network”. The plan was thwarted when the employee reported the incident. The threat of criminals recruiting an insider to exploit their physical access is not new, but is now being used to facilitate cyber attacks.
This incident demonstrates how a company needs to integrate people, physical, and cyber security to protect itself, as well as your investment.[3]
The following questions will help you to discuss this further with companies you are investing in:
- What are your company’s goals and priorities?
- What are your most critical assets?
- What are the threats to those critical assets?
- What is the likelihood and consequence of a threat affecting you?
The following questions can help you determine whether the company has built essential security measures into its IT setup:
- Are both firewall and antivirus software enabled?
- Is strong password protection and, where available, encryption enabled for devices and accounts?
- Is all IT equipment regularly updated, ideally using automated updates?
- Are regular backups taken of critical data and stored away from the main system?
- Is consideration given to the trustworthiness of internet connections used?
- Are tools enabled to track, lock or wipe lost or stolen mobile devices?
Likewise, the security of any technology products that the startup produces will likely be central to the success of the product and, consequently, of the startup. Technology is most secure when security has been built in from the start. Have products been designed to be secure by default? Products designed in this way will fare better in the long term, and be more usable, than products with security added as an afterthought.
Securing the supply chain
Questions to ask:
- Has the company sought suppliers whose security arrangements meet company requirements?
- Does the company have a risk assessment process for using external suppliers?
- When using third party services, has the startup considered the impact of relevant regulation, such as the GDPR?
Many startups benefit enormously from outsourcing certain functions to an external provider, who may have specialist expertise that a small organisation would struggle to resource. However, you should always assess how the relationship with any provider affects the company’s risk profile. Companies can take control of these risks by seeking suppliers whose security offer and level of assurance meet their requirements.
Supply chains present complex security risks for startups, so considering them should be a part of your due diligence process. A series of high-profile attacks on companies has demonstrated that attackers have both the intent and the ability to exploit vulnerabilities in supply chain security, often with detrimental consequences for the success of the company.
The NCSC assess it highly likely that Russia’s Foreign Intelligence Services were responsible for the compromise of SolarWinds’ Orion software and the subsequent targeting.
Malicious code was inserted into an update of the Orion software which was installed by over 18,000 of SolarWinds’ customers in 2020, including companies and government departments. The code created a back door into the machines of Orion’s users, allowing the hackers to conduct further targeting under the guise of legitimate SolarWinds activity.
There are many reasons that hackers might want to access an organisation's system. These may include accessing future product plans, holding employee and customer information for ransom, or gaining technology to further their own ambitions.[4]
2. Security as the startup grows
The risks you take on as an investor are not static: a company’s resilience against security threats will change over time. As the startup evolves, so can both the threat and the company’s resources to deal with it. You should continue to discuss and champion security for the duration of your involvement with the company.
Managing risks from additional collaboration
Questions to ask:
- When collaborating, has the company limited the data, information, and knowledge it shares to only what is necessary and within its risk tolerance?
- Does the collaboration partner share your and the company’s values and objectives?
Increased collaboration can help companies grow. However, it also introduces additional risks which need to be managed.
As an investor, you will welcome collaborations as a way of growing your investment by attracting more customers and partners. However, it is also worth making the company aware of how their choice of third parties may impact upon your, and potential customers', ability or willingness to do business with them. For instance, are the values and objectives of the parties that the company wishes to collaborate with aligned to your own?
Regardless of the collaboration partner, companies should always ensure that any risks they are exposed to are managed in line with their risk appetite (and your own as the investor). For instance, are their networks segregated and are there appropriate technical and policy protections to ensure that data shared with partners (customers or other potential investors) is limited to what is necessary?
Early negotiations with potential investors, customers, or collaborators can reveal sensitive details. This will be especially harmful to a company if it has not made a risk-managed decision on what information is shareable and what is not.
Smiths (Harlow) Limited, a UK precision engineering company, agreed an £8m deal with China’s Future Aerospace in October 2017. On receipt of the first £3m, the company shared sensitive details and committed to train Future Aerospace’s engineers.
According to press reports in January 2020, Future Aerospace subsequently cited difficulties in approval processes within China and withdrew from the deal without paying the rest of the agreed amount.
Smiths (Harlow) Limited’s competitive advantage and intellectual property may have already been compromised. Their links to China also reportedly cost them their licence to make military equipment for western powers. The company was left facing administration in February 2020, citing Future Aerospace’s alleged theft of their IP and reneging on the deal as the cause.[5]
As startups grow, you or their customers may ask them to demonstrate their commitment to security. For instance, acquiring Cyber Essentials certification shows that a company has the technology and policies in place to guard against common cyber threats; it is a minimum requirement for certain government contracts. However, maintaining security certifications may well require ongoing effort as security requirements evolve. Requests that companies do so should be considered and proportionate.
Expanding into new markets and attracting further investment
Questions to ask:
- Has the company assessed the security implications of any proposed investments and considered mitigations for any risks identified?
- Is the company compliant with UK export legislation and any other international export legislation which may apply (for example the US International Traffic in Arms Regulations)?
- Are you and the company aware of local laws in countries into which you are expanding, and how they could affect your business?
- Has the company put in place proportionate and effective security procedures for any international travel?
Exports may be subject to UK and international sanctions or export control regulations, including the US International Traffic in Arms Regulations (ITAR), particularly when items may have military as well as civilian applications. The Export Control Joint Unit (ECJU) provides support and advice.
As above, the identity of other investors involved with your portfolio companies may also impact you, especially when considering the following:
- The investor’s reputation and track record
- The source of their funds (because some hostile investors may seek to obfuscate their involvement)
- Any implications of the legal regime they are subject to (especially for an overseas investor)
- Whether they have any unexpected commercial, political or military ties
- Whether they are on the entity listing of other countries, particularly those the startup is, or may consider, doing business with
The National Security and Investment Act
The National Security and Investment (NSI) Act has been passed to give businesses and investors the certainty and transparency they need to do business in the UK while protecting the UK’s national security. The Act will provide the Government with powers to screen investments to assess and address any national security risks.
Investors, including UK investors, must notify and receive clearance from the UK Government before making qualifying acquisitions relating to 17 defined areas of the economy. You can also voluntarily notify the UK Government of acquisitions that fall outside mandatory requirements. The UK Government can request to review any qualifying acquisition that may pose a national security risk.
Guidance on the NSI Act will be published in due course and it will aid businesses' understanding around the acquisitions in scope and the steps businesses need to take to notify. Interactions with the UK Government will be simple and quick. A new digital portal will be established to submit notifications of acquisitions, and most acquisitions will receive clearance within 30 working days.
Security for a growing team
Questions to ask:
- Has the company put in place pre-employment screening processes for all recruits?
- Does the company provide security training for all staff, including at the point of induction?
As the company grows, it is likely to hire new employees, contractors, and suppliers, and may no longer be able to rely primarily on personal relationships to establish trust. Companies operating in sensitive sectors should effectively screen new recruits and staff moving into sensitive roles. An established security training package and willingness to openly discuss security will help to ensure that everyone shares responsibility for security.
Staff access controls should be role-specific, with access to sensitive assets restricted to only those individuals who need it and are trusted to use it securely.
Effective screening and security training can help a company not only to protect its ideas and your investment, but also its people. Working on emerging and sensitive technologies can make individuals a target for both hostile state actors and competitors.
Xu Yanjun is reportedly a Senior Officer in the Ministry of State Security in China. He was indicted by the US in 2018 for allegedly targeting US and European aviation and aerospace companies. His methodology involved approaching employees in science and technology sectors under the cover of a Science & Technology promotional body. Xu would offer speaking engagements and trips to China, then attempt to elicit further information once a relationship was established.
In one case, Xu allegedly paid an engineer US$3,500 plus expenses to travel to China and speak at a university. Afterwards, he sought answers to questions on composite materials used by the engineer’s company and requested a directory map of the company.
This example also suggests that following up on uncharacteristic IT or personnel behaviours (including travel) can allow companies to act in the rare instances where these behaviours may indicate an insider threat.[6]
Preparing for security incidents
Questions to ask:
- Has the company established and tested an incident management plan?
- Does the company detect and investigate unexpected behaviour in IT and staff?
You cannot protect against all eventualities, but the damage caused to your investment by a breach can be reduced through a well-planned and executed response. This means the company needs to establish and test an incident management plan and processes to detect and explore unexpected behaviour.
When handled sensitively, an understanding of any uncharacteristic behaviour in staff can help to prevent, as well as detect, an increased insider risk by improving the relationship between staff and company.
1. US Department of Justice, ‘Former GE Engineer and Chinese Businessman Charged with Economic Espionage and Theft of GE’s Trade Secrets’, 23/04/2019
2. Accenture, ‘Innovating at speed and scale with implicit security’
3. S-RM, ‘When the virtual and physical collide: the need for a joint approach to cyber and physical security’, 12/01/2021
4. Gov.uk, ‘Russia: UK exposes Russian involvement in SolarWinds cyber compromise’, 15/04/2021; BBC, ‘SolarWinds: Why the Sunburst hack is so serious’, 16/12/2020; FireEye, ‘Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor’, 13/12/2020
5. The Times, ‘China’s Future Aerospace ‘stole trade secrets’, says Smiths (Harlow)’, 26/01/2020
6. US District Court Southern District of Ohio Western Division, Indictment, 04/04/2018; US Department of Justice, ‘Chinese Intelligence Officer Charged with Economic Espionage Involving Theft of Trade Secrets from Leading U.S. Aviation Companies’, 10/10/2018