It’s IPO season again and things seem to be looking up in the markets. Thanks to structural changes, we are seeing the burgeoning of a new set of companies being listed on the bourses, some of which would not have made the cut earlier. As more new-age enterprises get listed, their business models have come under higher scrutiny, especially since most of them are technology companies at heart, dealing with copious amounts of personal data. With all the noise around data privacy, it is not a matter of faith anymore, but of being secure.
The pre-IPO buzz around an enterprise is exciting not just for investors, but also for investigators. When one of the real estate companies announced it was going public, instances of poorly secured networks in the shared co-working spaces hit the spotlight. Did it impact the IPO? Probably not, because it wasn’t the firm’s actual data being compromised. Ultimately though, there was no IPO.
Another instance where data security and data ownership came into play was that of a vehicle-for-hire company. The company traded as one of the highest companies in the New York Stock Exchange listing, but when country regulators found instances of a massive data breach that wasn’t entirely out in the open until the pre-IPO due diligence began, it was banned across all app stores.
What you see here is not just an impact on the business, but also on the brand value of the firm. We live in a world where the value of physical and liquid assets is now nearly equal to the brand value of an enterprise. As is evident from the way this vehicle-for-hire company’s valuation plummeted once news of the breach leaked, a cybersecurity incident can result in quick erosion of brand value.
While the value of personal data is being realised by individuals across the world, enterprises have been slow on the uptake and have not fully grasped the magnitude of cyber threats.
Structured approach
A structured approach is required to ensure that cybersecurity doesn’t appear as an after-thought during the pre-IPO phase, but is given the importance it deserves.
* Invest in cybersecurity right from the beginning. Your consumers’ data is important for you. A security breach doesn’t only mean a loss in reputation but can also result in a class-action suit.
* Appoint an internal Chief Information Security Officer and let them establish an information security office.
* Have an updated and appropriate cybersecurity framework in place.
* Establish cybersecurity processes, especially when dealing with consumer and corporate data. A common misconception is that only large organisations need cybersecurity, but with the mushrooming of unicorns and start-ups, it is imperative even for an enterprise with a smaller footprint to establish key cybersecurity practices and processes.
* Ensure cyber risk is a part of the Enterprise Risk Management programme, as well as part of Board level discussions, with a separate focus on data security, disaster recovery and business continuity.
* Create a firm-level cybersecurity policy that is separate from the IT policy and includes incident escalation channels and matrices, clear delegation of authority, critical asset management and regular training sessions for employees.
* Ensure that key assets core to your business are always secure. Imagine if a product company loses the codebase of its key revenue earner to a cyberattack – it would lead to a complete decimation of value!
* Establish processes to respond to attacks to mitigate their impact.
* Test your preparedness in terms of external reviews, audits, penetration testing, wargaming and other stress tests to find whitespaces and plug the gaps proactively.
* Embed cybersecurity and ‘privacy by design’ in the overall IPO readiness roadmap.
Due diligence
It is imperative for your organisation to perform due diligence in areas such as investor relations, corporate governance, tax, human capital, and system processes and controls, including cybersecurity posture and financial reporting, and to identify possible gaps.
This will help with time-bound rectification of the gaps and allow for a smooth transition. From an investor’s perspective, this exercise helps assess your organisation’s cyber preparedness, which is critical in the evaluation of a potential investment option.
Effective planning is critical to seize an IPO opportunity and develop the structure necessary for a public company. Once an organisation goes public, cybersecurity becomes an even greater challenge: it must protect intellectual property and customer information, supply confidence to your Board, and comply with industry regulations.
I would say that an IPO is a great time for enterprises to bring in a fresh perspective to their cybersecurity setup. If leakage of business secrets is a challenge that enterprises were already trying to address, cybersecurity attacks make it even easier to obtain business secrets as hackers don’t even require an ‘insider’ to get the job done for them.
The writer is Partner, Deloitte India