Tuesday, April 2, 2024

PinnacleOne ExecBrief | Geopolitical and Cyber Risk in the Portfolio

Last week, PinnacleOne examined the geopolitical dynamics and risks facing firms that do business or have key dependencies in China and highlighted principles to frame a China-for-China strategy given firm-specific threat models.

This week, we focus on the intersection of geopolitical and cyber risks facing western firms investing in strategic technologies and the dangers of oversharing.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Geopolitical and Cyber Risk in the Portfolio

In today’s rapidly evolving global landscape, the intersection of geopolitical and cyber risks poses significant challenges for private equity, multinational conglomerates, and venture capital firms. As these firms invest in companies operating in strategic technology domains, it is crucial to understand how the changing risk landscape affects their business interests. This week’s ExecBrief sheds light on the increasing threats faced by portcos, particularly those working on critical and emerging technologies and provides guidance on managing these risks effectively.

The Evolving Threat Landscape

Geopolitical dynamics driving strategic technology competition and the proliferation of offensive tools has created an increasingly hostile environment for high-growth firms. These companies are targeted for their valuable intellectual property (IP) in strategic technologies, their role in the digital supply chain, and their market position. In particular:

  1. The loss of critical IP or talent at an early stage can be devastating for a company, leaving it unable to compete or see its Total Addressable Market cut substantially by a fast-following (foreign) competitor (that may also receive covert state support).
  2. The impact of a cyber event can immediately threaten net asset values booked on the balance sheet. As seen in the case of the SolarWinds attack, a cyber incident can result in a significant drop in company value and create costly litigation expenses.
  3. The increasing scrutiny on board members’ roles and responsibilities in cybersecurity oversight, exemplified by the SEC’s additional rules for public companies, further emphasizes the importance of proactive cyber risk management and governance.

Geopolitical-Cyber Risk Factors

Companies working on critical and emerging technologies will find themselves in the geopolitical bullseye for targeting. No firm is too small to warrant the attention of nation-state actors if their IP, products, military/critical infrastructure customers, or talent are deemed strategically important. This heightened risk requires investment firms to be vigilant in assessing and managing the geopolitical-cyber risks faced by their portcos and strategic business units.

Furthermore, the evolving regulatory landscape–driven by national security, AI risk, and data privacy concerns–introduces additional challenges for multinationals and investment firms. Increasingly stringent policy regulations, export controls, and investment screening policies can impact:

  1. Portco operations
  2. Investment firm growth strategies
  3. IT infrastructures, and
  4. Portco security postures

The Danger of Oversharing

At the frontier of strategic technology investment, there is often an incentive for portcos and their funders to “hype” their capabilities and broadcast technical details and staffing information through media channels. While this may serve to attract investors and customers, success can also inadvertently draw the attention of malicious actors.

This is especially true for those firms conspicuously advertising themselves as aligned with and supporting national defense or intelligence interests. Traditionally, such firms in the Defense Industrial Base follow very strict operational security and eschew publicity for key innovations, except where used for strategic communications or political signaling.

Publicly sharing sensitive information about a company’s technical capabilities, key personnel, and ongoing projects can provide valuable intelligence to potential attackers. This information can be used to:

  1. Target specific individuals,
  2. Identify potential vulnerabilities in a company’s systems and facilities, and
  3. Justify to the attacker’s bureaucracy the prioritization of resources to target the firm.

Investment firms must be aware of these risks and work with their portcos to develop prudent operational security practices. This may involve:

  1. Establishing guidelines for public communications,
  2. Training employees on the risks of oversharing, and
  3. Implementing strict controls on the dissemination of sensitive information.

Managing Geopolitical-Cyber Risks

To effectively manage geopolitical-cyber risks, investment firms must adopt a comprehensive approach that integrates geopolitical-cyber risk intelligence, business strategy, and technology security considerations. This approach should be tailored to the specific composition of the firm’s portfolio and business units.

  1. Developing strategic threat models is a crucial first step in prioritizing risks to portco value chains. By considering the threat landscape, third-party/supply chain exposure, and shared customer exposure, firms can identify the most pressing risks and allocate resources accordingly.
  2. Capability assessments ensure that business objectives align with the security program and existing technical controls, given the identified threat model. This alignment is essential for maintaining the integrity and resilience of portcos in the face of evolving threats.
  3. Mitigating risks and strengthening resilience requires a combination of tactical control improvements and strategic security posture changes. Investment firms should provide business justification for these changes to ensure buy-in from portco leadership.

Finally, establishing cyber risk management programs is essential for long-term success. By integrating continuous geopolitical-cyber risk management into risk governance frameworks, diligence activities, training & exercises, security vendor selection, and strategic investment decision-making, firms can proactively address risks and maintain the value of their investments.

Navigating Towards Safety

The intersection of geopolitical and cyber risks presents significant challenges for private equity, multinational conglomerates, and venture capital firms operating at the technology frontier. As the threat landscape continues to evolve, it is imperative that firms adopt a proactive and comprehensive approach to managing these risks.

By understanding the unique risks faced by portcos operating in strategic technology domains, including the dangers of oversharing sensitive information, firms can take steps to mitigate threats, strengthen resilience, and protect the value of their investments.

Through the integration of geopolitical-cyber risk intelligence, business strategy, and technology security considerations, firms can navigate the complex risk landscape and position themselves for long-term success.



from SentinelOne https://ift.tt/wsZ8OnC
via IFTTT

No comments:

Post a Comment