Data breaches have become pervasive over the past couple of years. In February 2021, more than 2 billion records were breached. One of the targets was venture capital firm Sequoia Capital, which confirmed that one of its employees fell victim to a successful phishing attack that jeopardized confidential information of its portfolio companies, including the likes of Airbnb, DoorDash, and Robinhood.
The Sequoia breach was a reminder to many investors that data security is critical to protecting their deal flow. Your firm deals with highly sensitive financial information every day, making the risk of a data breach a very real concern.
Stay informed about cybersecurity
Although criminals evolve their tactics daily, the first defense is to stay current about data risks related to CRM software as well as your other data platforms. Just a couple of months prior to Sequoia Capital’s breach, the FBI issued a Private Industry Notification warning to US businesses.
They announced that cybercriminals had started to use auto-forwarding rules in web-based email clients to increase the chances of success of their business email compromise attacks, a form of email fraud—the same method used against Sequoia. Give your firm’s data security the respect it deserves by staying up to date with current security protocols, and ask your CRM vendor how they manage updates and new notices as well.
Address security risks related to third-party vendors
Any lapse in security by one of your software vendors can put your firm at risk. Even in this digital day and age, venture firms need to review their vendors’ security policies and get written confirmation that their vendors are committed to secure environments.
At Affinity, we regularly work with independent experts to verify our security, privacy, and compliance controls. We display our security certification against stringent global standards for all of our customers to access and assess as needed.
Build a company culture committed to cybersecurity
The Sequoia Capital breach involved an employee who fell victim to an unauthorized third party who gained remote access to their Sequoia email mailbox. One vulnerability led to months of investigation, and financial and reputational costs.
All employees need to be continually made aware of and trained on proper cybersecurity protocols. Before investing in a CRM, make sure you have developed a culture of cybersecurity that pervades your firm. If you’re already using a venture capital CRM, ensure your team recognizes how and where to store valuable data. Increasing adoption rates among your team members will help keep your data in a single, secure system, rather than in disconnected spreadsheet files.
Discuss security with your portfolio companies
Even if your CRM is helping protect your own data, and your team members are trained, this vigilance needs to extend to your portfolio companies as well. It’s never too early to start—discuss data security within and beyond CRM platforms when evaluating new prospective portfolio companies to invest in and when conducting due diligence.
Greg Dracon, a Partner at technology-focused venture capital firm, .406 Ventures, explains that security must be a part of your due diligence process with a potential investment. “A startup’s customers assume and demand that their confidential data is safe. It’s table stakes.” While your CRM can’t protect your portfolio companies’ internal data, offering recommendations based on your own security best practices can create a secure investment portfolio.
Manage your VC tech stack’s security risks
Your SaaS tech stack should integrate directly with your venture capital CRM. Before you connect a new tool to your existing data management solution, conduct a thorough security check. Mayer Hoffman McCann, an independent CPA firm, has shared some security guidelines that every VC and private equity firm should follow when adopting a new SaaS:
- Ensure that each SaaS provider that your firm relies on has completed a risk assessment and has security frameworks in place that meet or exceed industry guidelines.
- Assess third-party vendor agreements to ensure that your existing tools—like your VC CRM platform—are protected from third-party risks.
- Ensure that critical cybersecurity protocols such as encryption and firewalls are current.
- Consider purchasing insurance policies to cover data breach losses. According to Mark Sherman, managing director at Telstra Ventures, an increase in cyber-attacks means it could be time to invest in insurance.
A data breach can cause irreparable damage to your firm; both the value of your data and your reputation as a great VC are at risk if your data is compromised. Although all institutions today must behave proactively, you need to be especially vigilant as a venture capitalist due to your involvement with sensitive pro data. Follow the tips listed here to proactively manage your risk, create a secure relationship management process, and avoid falling victim to cybercrime.