In an ever-changing digital landscape, understanding and managing the specific risks of investing in a technology company makes the difference.
Investing in the technology sector, particularly in emerging technology, can present a unique set of regulatory, reputational and cyber security risks. As such, investment teams must have a clear grasp of the key concerns and mitigation strategies to move forward with confidence. Control Risks’ Business Intelligence and Cyber Threat Intelligence (CTI) teams have significant experience conducting pre-investment due diligence on tech start-ups, scale-ups and unicorns, and have identified two key areas of consideration when examining a technology company.
Be on top of evolving regulatory regimes and the target’s regulatory track record
In recent years, we have witnessed significant developments in areas such as generative artificial intelligence (AI), distributed ledger technology and big data technologies. This in turn has deepened concerns among corporations, investors, legal teams and consumers regarding issues such as intellectual property (IP) protection, data privacy and security, dis- and misinformation, cybercrime and fraud.
Implementing comprehensive, concrete and relevant regulatory regimes without stymying innovation is the perennial challenge for regulators, who have often struggled to keep pace with technological advances. Nevertheless, there has been a push for stronger regulation in the technology space in recent years. For instance, in a speech to open London Tech Week in June 2023, UK Prime Minister Rishi Sunak spoke about the “risk of misuse” of AI and his desire for a global AI regulator based in the UK. Similarly, the EU’s AI Act, which passed a European Parliament vote on 14 June 2023, is poised to become the world’s first comprehensive legislation governing biometric surveillance, facial recognition and other uses of AI.
Recent trends suggest technology companies that violate regulations can and should expect hefty penalties. For start-ups and scale-ups, such penalties can singlehandedly cripple operations, whereas for tech giants they no longer represent mere slaps on the wrist. For instance, in May 2023, Ireland’s Data Protection Commission (DPC) issued a EUR 1.2bn (USD 1.3bn) fine against Meta in relation to its transfers of EU users’ personal data to the US. At the time it was issued, the fine was a record for a breach of the EU’s General Data Protection Regulation (GDPR).
In view of the above, it is imperative that investment teams stay abreast of evolving regulations – and the associated obligations and penalties – surrounding their technologies of interest and across different jurisdictions. Additionally, when conducting due diligence on an investment target, it is crucial to have a clear picture of its regulatory track record and positioning: how responsive it has historically been to regulatory change, and whether there are legacy issues, vulnerabilities or operational deficiencies that may cast a long shadow well after the investment has been finalised. If there are, investment teams must endeavour to resolve them or lay out mitigation strategies as soon as possible.
In addition to stronger regulations, increased targeting of sensitive technology companies – from high-impact ransomware campaigns against semiconductor companies to data breaches at market-leading pharmaceutical research organisations – has also driven an uptick in interest in integrating cyber due diligence into the investment decision-making process. From a cyber security standpoint, it is critical to examine whether the investment target has suffered data breaches in the past or is an attractive target for such operations, and to understand the controls in place to mitigate data breaches and cyber-attacks. Not only could such breaches and attacks bring regulatory penalties and litigation, they could also damage an organisation’s reputation and the value of its IP.
For investors, understanding the target’s exposure to past, current and future cyber incidents – as well as its cyber security maturity and its preparedness to respond to and recover from an attack – is critical to evaluating the viability, value and risks of a potential investment. Pre-investment cyber due diligence can inform investors of the threats facing a target acquisition, and give an understanding of the time and cost of implementing effective security controls and mitigation measures.
Do not neglect the human element
While it is certainly important to evaluate an attractive technology or IP on its own merits, investment teams must also look behind the curtain and examine the key principals of a technology company, looking not only at professional competence, but also at behaviour and ethics.
This is particularly pertinent when considering an investment in a start-up with inadequate corporate governance, management and control structures, or in any target whose brand, achievements and activities are intrinsically linked with a limited group of people or, in some cases, a single charismatic “tech genius”. The demises of cryptocurrency exchange FTX and health technology company Theranos – each accompanied by its leader’s equally spectacular fall from grace – are prime examples of how poor human behaviour can create significant problems not only for a company itself but also for its investors and the wider sector.
In one case in which Control Risks was involved, the target – a technology start-up providing a human resources management platform – and its co-founders were presented in a positive light in press releases and various news articles. However, through examining online employee reviews and making enquiries with former employees and commercial partners of the start-up, we identified claims that the co-founders were poor leaders and managers, and that there was no room for other senior or mid-level executives to act independently. This in turn fed into poor corporate governance and culture at the company.
When considering the cyber security of a target organisation, it is also imperative to consider the human element. Our cyber due diligence investigations have previously identified IT staff sharing sensitive information related to source code and demonstrating poor operational security when it comes to sensitive technical information about the organisation. Not only does this potentially provide threat actors with relevant information to target the organisation in a cyber-attack or breach, it could also degrade the value of the organisation’s IP and – with it – the value of an investment.
Taking this into account, due diligence on management and key personnel (e.g., senior developers and engineers) cannot play second fiddle to technology due diligence. In practice, this means speaking to well-placed sources with intimate insight into the inner workings, dynamics and internal culture of a target, especially when the target is a relatively young company with no discernible online profile or public track record. It can also involve thorough searches across open sources, social media and deep and dark web sources to identify chatter that would indicate something untoward. Without these insights, investment teams risk leaving the door open to significant reputational, financial and operational risks down the line.