Security risks affecting pre-IPO companies

Companies that suffer data breaches are drawing more scrutiny from federal and state regulators, creating additional expenses for young VC-backed companies that are considering going public, even as the IPO market is expected to pick up this year.

One incident that’s helped raise concern is the attack on Google, which disclosed last month that dozens of Gmail accounts belonging to people advocating human rights in China had been breached.

“The Google situation has raised [the question] of what happens when you get a breach in security even when you have the best security teams available to you,” says Gilman Louie, partner of early stage venture firm Alsop Louie Partners.

Louie says that security breaches affect not only corporate image and reputation, but a young company’s business strategy.

“If you’re doing business overseas and can’t trust the networks you rely on or the employees who work over there, that has a pretty profound effect on your bottom line,” he says. “It requires a re-questioning of how you operate your business.”

Louie—who previously was the CEO of In-Q-Tel, the venture arm of the CIA—says that he’s not yet seen pre-IPO or acquisition candidates spend more money on security.

Meanwhile, many companies seem reluctant to talk about the issues. Several public and pre-IPO companies contacted by PE Week didn’t return calls or declined to comment.

Anthera Pharmaceuticals, for instance, which raised more than $76 million from Mitsubishi and other investors, according to Thomson Reuters (publisher of PE Week), cited a quiet period related to its IPO. However, in its S-1 regulatory filing, Anthera referred to the difficulty of protecting its trade secrets and the increased cost of complying with regulations on public companies as material risks.

Regulations covering such areas as health care, finance and privacy are going to be more broadly enforced, according to Peter McLaughlin, vice chairman of the American Bar Association’s information security committee and a senior counsel with Foley & Lardner.

Other areas of concern for regulators include theft of intellectual property, which Google claimed last month when it publicly reported the attack on its systems that it said originated in China, and problems with operations that could affect a company’s financials going forward.

McLaughlin advises his clients—which include public companies and private companies that are contemplating an IPO—to look across the laws and see how one action, such as encryption of data, could help them comply with several regulations, including Sarbanes-Oxley and the Health Insurance Portability and Accountability Act at the federal level, as well as Massachusetts’ new data security law, among others.

“One of the most important things for a company is risk assessment, and sometimes you have to make difficult choices,” McLaughlin says. “Even in the best of times, and economically we’re not there…there is only so much money available, and so many hours in a day.”

McLaughlin adds that private companies should be aware that they will be held to a higher standard if they go public, and not just because they’ll be subject to new laws.

“There is the perhaps naive expectation that they will behave a bit more maturely,” he says. “When you look at the alleged cyber attacks against Google, well-known investment banks losing control over core IP, and any number of reported instances of corporate espionage, whether electronic or otherwise, companies in the pre-IPO stage are going to be given a more rigorous review [before VCs and regulators will put their names behind them].”

McLaughlin says he doesn’t see the emphasis on security deterring IPOs, just causing more expenses.

However, companies don’t always know about the data breaches they do have; sometimes they’re discovered by regulators doing routine examinations or by security consultants brought in for assessments.

Nick Lantuh, president of NetWitness—a venture-backed company that monitors and detects security threats and compliance problems for companies and government agencies—says NetWitness customers that acquire other companies are finding that their acquisitions have security problems “100 percent of the time.”

Lantuh notes that the regulatory pressure is building.

Customers of NetWitness—which has raised $10.75 million from Alsop Louie Partners and Summit Partners, according to Thomson Reuters—are performing more due diligence on their data before regulators or law enforcement agents uncover the breaches, Lantuh says.

In one recent case, a customer found that someone had accidentally published the details of its employees’ 401(k) plans, which included their Social Security numbers, on the Internet because a supposedly secure switch was misconfigured.

“It’s not what you know but what you don’t know that should be scary,” he says. “Regulatory pressure is building.”