Asian tech investment: four areas of risk

The temptations of the Asian tech sector are many, but so are the pitfalls

The combination of Asia’s young, internet-enabled population and lots of global capital chasing investment make for a thriving regional technology deal market. Among the countries that make up the Association of South East Asian Nations (ASEAN), the tech sector is awash with capital and government support, while the demographics and economic fundamentals of markets such as Indonesia and Vietnam are very appealing. According to the Financial Times, takeovers of tech companies in South East Asia reached USD 4.9bn in the first half of 2019, up from USD 2.2bn in the same period in 2018 and USD 1.7bn in 2017ⁱ. South East Asia is home to ten technology unicorns, four of which are in Indonesia, four in Singapore and one each in the Philippines and Vietnam.

As with investments in other sectors, the success of technology investment in Asia depends in part on integrity, governance, political connections and ownership. In addition, we have seen from dozens of tech M&A due-diligence investigations that tech investment in Asia carries heightened risks in other areas: regulatory uncertainty, socio-cultural sensitivities, hyper-aggressive competitors, intellectual-property loss and cyber security.

A perilous regulatory patchwork

In Asia, data, the movement of data, and the platforms that generate it are coming under significant regulatory scrutiny. It is common to regard the global digital domain as broadly split three ways along US-European-Chinese axes, which give primacy to commerce, privacy and state control, respectively. However, over the past year, Asian regulators have developed rules that draw on all three concepts, creating a headache for tech firms with regional ambitions, as regulation increasingly diverges across borders. Selling on consumer data can be highly profitable in some parts of Asia but carries stiff penalties on grounds of misuse in others. This puts considerable pressure on compliance teams and regional market-expansion strategies, and companies need to be ready and resourced for this.

As governments across Asia catch up with tech regulation, some savvy and less scrupulous local tech players are using their political connections to make the regulatory landscape friendly to them and hostile to outsiders. Data nationalism wins votes in many parts of the region, and while security is the mantra used to justify forced onshoring, in many parts of South East Asia it looks a lot like a non-tariff barrier.

Politics, society and culture supercharged

With any investment, it is important to understand the political, cultural and social significance of your company, what you sell, and the data you use. Tech companies have increased exposure to these factors because of the wide-ranging and profound impact of their services.

Socially sensitive sectors, such as payment systems, media providers, telecommunications and tax face similar challenges, particularly with respect to data retention and content. Such vulnerabilities, which can lead to populist-driven regulatory scrutiny or direct loss of customers, do not easily escape the attention of competitors.

In a recent project, Control Risks carried out an investigation of a popular social-media influencer in Vietnam, who had spread negative information about our client’s product. The influencer’s message resonated with his 400,000-strong subscriber base and was shared among millions, as various content pieces went viral and received significant media coverage. While the influencer had been incentivised by a competitor to run his smear campaign, his content raised legitimate social concerns about the product. Our client prepared a carefully constructed media campaign to positively counter these sentiments, and eventually resolved the issue.

In a hyper-competitive business space involving hundreds of thousands of users and huge financial value, social vulnerabilities must be anticipated and stringently prepared for. Exploitation of these vulnerabilities either by thought leaders, influencers or – more likely – competitors is almost inevitable. The more intense the competition for downloads, user numbers and daily transactions, the more creative those with vested interests will be in finding new ways to unsettle their opponents’ user base. Depending on the sector, actions can include tactics, such as triggering fake taxi ride orders, IP espionage, implanting employee moles, and negative social media influence-peddling.

Holding on to IP

External issues may be a lesser concern compared with that of avoiding long-term, value-degrading IP loss – in the form of physical electronic data and/or human talent. A wide range of factors affect your company’s exposure to the risk of IP loss. Culture, financial incentivisation, personalities, employee dedication and the extent of distribution of IP knowledge in a team are some of the critical factors that need to be understood to avoid or prevent client or IP loss.

No sector has a higher employee turnover than tech, and IP-critical internal stakeholders can be found across a company from founders through chief technology officers and chief financial officers to data analysts. Mapping the risks of human or data IP loss requires a deep assessment of professional track records, financial incentives, external corporate holdings and behaviour, as well as IT controls and cyber resilience.

Assessing data security and sensitivity (for example, assessing the risk of a regulator seizing it) is no less critical to ensuring the protection of IP and the future viability of the business model. Control Risks found this to be the case in our investigation of a foreign-owned tech company that had partnered with the Thai government to provide a platform that would contain the personal financial information of millions of Thais. To help our client assess the risks, we considered whether the government might consider taking over the service altogether or seize user data which might destroy the public’s trust in the service. We found that the government was highly supportive of the tech company, had signed a long-term agreement, and that government personnel had indicated that the platform could even be a potential acquisition target – what was potentially a problem turned into a solution.

The cyber criminal threat

Fast-growing, tech-based companies are also an attractive target of criminal hackers. Young companies are often disproportionately poorly protected, and even large tech companies that have grown rapidly can find themselves having to retrofit risk management into their core, at great cost and requiring structural change. This leaves them vulnerable to financial and IP loss. For companies that operate in closely regulated sectors, such as fintech and healthcare, falling prey to a cyber-attack also exposes them to a potentially disastrous regulatory sanction, even the loss of an operating licence.

Mitigating risks

Companies that want to make successful tech investments in South East Asia need to factor the true costs of managing regulatory risk, the extended timelines needed to achieve compliance, and the contingency planning needed to cope with often ad hoc changes to the rules of the game.

To anticipate and minimise disruption to their users, companies need to have a thorough understanding of the various operational and security environments across South East Asia, and maintain good relations with relevant government departments, such as ministries of information, finance, communications and internal security.

Critically, when entering a competitive environment involving a small number of well-funded or well-connected rivals, it is important to understand the rivals’ modus operandi and threat capabilities and to develop counter campaigns or engage key stakeholders (particularly in the case of government lobbying or illegal action) to deter and respond to attacks. Furthermore, a detailed analysis of scenarios, partly informed by case studies, can assist mitigation planning before the launch of a major product, as some solutions may already exist but might have involved out-of-the-box thinking.

Finally, tech investors should ensure through cyber due diligence that their target company has sufficient cyber security and controls in place. For example, if IP is at risk of being leaked by internal agents, are there adequate tools in place to protect this IP, as well as track data and user permission logs, so that the culprits can be identified? But this isn’t simply a matter of ensuring that the right technical controls are in place; most cyber security issues that Control Risks sees stem from poor governance and a lack of oversight and planning.