Orrick’s Founder Series offers monthly top tips for UK startups on key considerations at each stage of their lifecycle, from incorporating a company through to possible exit strategies. The Series is written by members of our market-leading London Technology Companies Group (TCG), with contributions from other practice members. Our Band 1 ranked London TCG team closed over 310 growth financings and tech M&A deals totalling US$26bn in 2021 and has dominated the European venture capital tech market for 27 consecutive quarters (PitchBook, Q3 2022). In our previous instalments, we have guided founders through incorporating a private limited company, building their team, using share options to attract and incentivise employees, protecting their ideas, identifying key compliance considerations and getting ready to raise.
For many, cybersecurity is an area that is intimidating and hard to navigate, especially for smaller companies, which often lack the resources (and sometimes the knowledge) to protect themselves effectively against cyber risks.
Individuals or groups who target companies with cyber threats (often called "threat actors") continue to aim primarily at companies that are likely to pay a ransom or that lack cybersecurity defences. These include companies that are IP- or data-rich, that are important to supply chains, that operate in industries such as financial services, healthcare and energy, that are perceived to work with governmental bodies, and small or earlier-stage companies with limited cybersecurity defences.
Failing to implement appropriate cybersecurity defences has a real cost: data breaches can cost millions, even for small companies. This includes the expense of investigating the incident and notifying regulators, legal costs, downtime, and the loss of customers and reputation.
It is never too early to get clued up on cybersecurity – our Cybersecurity Jargon Buster is available here (produced in collaboration with S-RM and Thomson Reuters Practical Law).
Read on for our summary of the top 10 cybersecurity considerations for startups.
What you protect, and how, should also be adapted to reflect the risks of the industry you are in, including any industry-specific laws (e.g. the Network and Information Systems Regulations in the UK and the NIS Directive in the EU, and the Electronic Communications (Security Measures) Regulations 2022 in the UK).
To protect your company’s systems, you should be continually working with your security teams to identify areas of weakness and deploy proportionate solutions, such as requiring multi-factor authentication on all accounts, auditing privileged accounts on a regular basis, and reviewing your password policy. On the last point, note that the UK National Cyber Security Centre no longer recommends forcing users to change passwords on a fixed schedule, because it tends to produce weaker, predictable passwords; require a change when compromise is suspected instead. Third-party vendors can also be engaged to monitor threats inside and outside the company.
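The privileged-account audit mentioned above is easy to automate once you have an export from your identity provider. The script below is an added example, not code from the Orrick article or from any particular vendor: it assumes a CSV export with the columns username, roles, mfa_enabled and last_login (constructed sample data is embedded), treats the role names in PRIVILEGED_ROLES as privileged, and uses a 90-day staleness threshold and a username heuristic for shared accounts, all of which are assumptions you would adapt to your own identity provider.

```python
"""Quarterly privileged-account audit over an identity-provider export.

Added example (not from the original article). Column layout, role names,
the 90-day threshold and the shared-account heuristic are all assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed role names; map these to what your identity provider exports.
PRIVILEGED_ROLES = frozenset({"admin", "owner", "billing_admin"})
STALE_AFTER = timedelta(days=90)                      # assumed review threshold
SHARED_MARKERS = ("shared", "svc", "service")         # heuristic for non-personal accounts
AUDIT_DATE = date(2024, 6, 1)                         # fixed "today" for the sample run

# Constructed sample export in the assumed column layout; not real data.
SAMPLE_EXPORT = """username,roles,mfa_enabled,last_login
alice,admin;developer,true,2024-05-20
bob,developer,false,2024-05-28
ops-shared,admin,false,2024-01-03
carol,owner,true,2023-11-15
dave,billing_admin,false,2024-05-01
"""


@dataclass(frozen=True)
class Account:
    username: str
    roles: frozenset[str]
    mfa_enabled: bool
    last_login: date

    @property
    def privileged(self) -> bool:
        return bool(self.roles & PRIVILEGED_ROLES)


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str


def parse_export(text: str) -> list[Account]:
    """Parse the CSV export; roles are ';'-separated, mfa_enabled is true/false."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            username=row["username"].strip(),
            roles=frozenset(r.strip() for r in row["roles"].split(";") if r.strip()),
            mfa_enabled=row["mfa_enabled"].strip().lower() == "true",
            last_login=date.fromisoformat(row["last_login"].strip()),
        ))
    return accounts


def audit(accounts: list[Account], today: date) -> list[Finding]:
    """Flag privileged accounts without MFA, stale privileged accounts,
    privileged accounts that look shared, and any other account lacking MFA."""
    findings = []
    for acct in accounts:
        if acct.privileged:
            if not acct.mfa_enabled:
                findings.append(Finding(acct.username, "privileged_no_mfa"))
            if today - acct.last_login > STALE_AFTER:
                findings.append(Finding(acct.username, "stale_privileged"))
            if any(m in acct.username.lower() for m in SHARED_MARKERS):
                findings.append(Finding(acct.username, "shared_privileged_account"))
        elif not acct.mfa_enabled:
            findings.append(Finding(acct.username, "no_mfa"))
    return findings


def audit_export(text: str, today: date) -> list[Finding]:
    """Convenience wrapper: parse the export and audit it as of `today`."""
    return audit(parse_export(text), today)


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT, AUDIT_DATE):
        print(f"{f.username:12} {f.issue}")
```

Run against a real export, the "stale_privileged" and "shared_privileged_account" findings are the ones to action first: a dormant administrator or a shared admin login with no MFA is exactly the foothold a threat actor targeting an under-defended startup looks for. Keep the output of each run as evidence for regulators and investors that the review actually happens.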
This plan should be reviewed and updated on an ongoing basis to ensure it grows with both the company and the evolving threat landscape.
In response to increased regulatory attention to supply chain cybersecurity attacks (particularly following high-profile incidents such as the 2020 SolarWinds attack), the UK National Cyber Security Centre (NCSC) released new guidance in October 2022 (available here) aimed at helping companies assess cybersecurity in their supply chains.
Investing in security, including larger capital projects that harden the company against potential cyber threats, is essential for long-term growth and for the company’s ongoing resilience.
Along with the steps above, which can help demonstrate compliance to regulators, you should examine the activities of your business and consider whether they expose you to regulatory risks. Regulators are particularly concerned about incidents involving large quantities of personal data or sensitive personal data (such as health data). In some cases, an incident can expose you to risks from several regulatory regimes across multiple jurisdictions. For example, if your health tech company controls or processes health information, you should consider whether you have obligations under the UK and EU GDPR, as well as the Health Insurance Portability and Accountability Act in the USA.
A key indicator that cyber maturity is growing alongside company maturity is how easily and quickly cybersecurity discussions adapt to new demands, such as a merger or acquisition, or the introduction of a new product or service.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising
Copyright © JD Supra, LLC