Does private equity have the appropriate cybersecurity safeguards in its own operations and at the portfolio level?
“In private equity, the loss or gain of value is what determines a firm’s success, and so understanding cyber risk has never been more important.”
Private equity in pole position
Ian Bagshaw and Steve Chabinsky (White & Case)
Cybersecurity is a rising threat to revenue and reputation. But as Ian Bagshaw and Steve Chabinsky of global law firm White & Case find, it also offers a new opportunity for the private equity industry for those able to master the risks.
Cybersecurity is no longer an afterthought. In the past it was considered a vertical market, but today it's needed across all business sectors, not just the technology industry. It has become a fundamental component of a company's infrastructure and therefore a mandatory investment for corporate enterprises, small and midsize businesses, as well as consumers.
There are really two drivers behind this growth: hackers with financial motivations and state-sponsored attackers. Couple that with the fact that every release of technology introduces vulnerabilities, whether it's a new application, or different modalities such as cloud security or bitcoin. There's no silver bullet; these security issues are not going to be solved easily and, consequently, we are having no issues finding good investments.
That said, there is a high volume of security companies out there. There's substantial duplication and a lot of private equity and institutional money funding these companies. In the last three years, we have seen an increase in private equity firms investing in later stages because they needed that shiny object in their portfolio to show limited partners before raising their next fund. This has created an environment in which companies are raising larger rounds at higher valuations. If you look at the statistics, about 70 percent of all security exits are less than US$150 million. One of the biggest mistakes made by investors in cybersecurity is failing to understand the endgame of a company. It really is a specialist investment segment.
An area that we find interesting is the DevOps/SecurityOps space. ForgePoint Capital invested in a RASP (runtime application self-protection) company called Prevoty; its software product enables developers to reduce time to market. The problem for many corporations is that they have hundreds of outward-facing applications that are ripe for hacking. When DevOps teams release or update an application, there are often unidentified bugs and security holes that are found after the application is pushed out live. Prevoty injects code into the DevOps cycle that looks for any potential vulnerabilities, allowing businesses to release their product faster because the security operations folks are comfortable that the threat will automatically be neutralized in case of an attack in production.
Artificial intelligence (AI) is also seeing growing interest in the cybersecurity space. This is a fundamental technology that we see underlying many security products, such as malware inspections. One of our companies, Reversing Labs, uses AI to understand not just if a piece of code is good or bad but to proactively determine how hackers are developing the malware. When they see the remnants of a previous hack, they understand the methodology hackers are using, which helps identify incoming attacks, as opposed to anti-virus companies, which just look at specific malware signatures. The automation of security—the proactive analysis—is going to make AI critically important.
The consumerization of security is another area of opportunity for investors. If you look at the legacy-dominant security companies, the amount of their revenue coming from the consumer sector is phenomenal, with little innovation. Consumers are purchasing more sophisticated security software. Standard anti-virus packages are now commodity products. There is an opportunity to fund companies that build products that have traditionally been targeted at enterprises, now slimming them down for the consumer market. Physical security (home security systems), digital content protection, mobile security and Internet of Things (IoT) systems are in the market. The average home in the United States now has more than 25 devices with connectivity features, and it's very difficult to manage security on a case-by-case basis because these devices often don't talk to one another. The challenge is tying together all of these IoT technologies, as opposed to each device having its own security solution.
ForgePoint Capital has invested in Appthority, which scans applications on smartphones—all of which have been cleared by Google and the Apple stores—and tells you whether they are leaking data back to hackers, or if they are activating cameras and microphones. Appthority is an example of an application that is popular for family protection. This category, coupled with parental controls (digital health) and identity protection/breach remediation, will continue to be a high-adoption area with the continued growth of personal devices.
We continue to see huge potential in cybersecurity. However, it's now an extremely hot sector, so it's critical to understand the trajectory of technology and the security required to protect it, as well as how startups are implementing for these issues and what their endgame is. This will be the key to making successful returns.
* Sean Cunningham is a managing director at ForgePoint Capital, a specialist cybersecurity venture capital fund. He spent 15 years at Intel Capital and has been cited as one of the top cybersecurity investors by market analyst firm CB Insights.