SPACs, IPOs Uncover Security Vulnerability In Digital-First Economy

Taking a company public used to be an occasional, well-celebrated event on Wall Street, complete with the signature moment of the newly-minted CEO ringing the opening or closing bell at the New York Stock Exchange. That, however, is a nostalgic look at the process. So far this year, more than $87 billion has been raised by special purpose acquisition companies (SPACs), more than all of 2020, and reports say more than 400 companies are seeking SPAC deals. In 2020, 494 companies went public either via SPACs or direct listings.

In the second decade of the new millennium, success may well be defined by bringing a company from mere concept through the bootstrap phase, raising money through the early years, and then going public, following in the footsteps of Bezos, Dorsey, Musk and other rock-star CEOs. There are ascendant media profiles, social media followers by the millions and huge sums of money pocketed by the C-suite executives along the way.

There’s a downside here, too. Nothing draws a target on a company like success. The cloak and protection of anonymity fall away. And then it comes time to institute a risk management system — to combat digital and physical threats — that was not needed before. The plethora of public filings has made security for the company and its employees a different situation. For example, security companies for public companies are no longer focused solely on the social media stalker looking to make a name. As Roderick Jones, executive chairman of security and data protection company Concentric, told PYMNTS recently, protecting the assets of the newly public or gunning-to-go company (and of its employees) gets harder when a company files its S-1 with the U.S. Securities and Exchange Commission.

The mind’s eye may draw a picture of how such CEOs are protected: A phalanx of burly be-suited men with earpieces and discreet weaponry. But now, with so much data flying around, with hackers and online criminal networks forming or already operational, the threat is less physical than digital (though the former is certainly always there), with bad actors targeting reputations and bank accounts.

The vulnerability issue is especially timely, given the hundreds of initial public offerings (traditional and tied to special purpose acquisition companies, or SPACs) that have lured technology, payments and digital-first firms to new heights of prominence. And as they do, there has emerged what Jones described as more organized, Internet-based opposition to companies, looking to steal data and money. With a nod to one conduit of criminal activity, Jones said that “the amount of ransomware being raised is just insane.”

Jones pointed to the IPO as a key point of vulnerability. It lifts the curtain on what had, up till then, been largely opaque: The inner workings of a firm, how it views its competitive landscape and which firms are part of its supply chains, with individuals’ ownership stake and options grants laid out in black and white. With just a few search terms and mouse clicks, observers can see who the main executives are, who the main investors are, who sits on the board — and estimate how much they are all making from the public market debut.

Dig a bit deeper online, and the interconnectivity of the web maps out how to contact individuals, vendors and by extension, their families, philanthropic firms — the thread stretches a long way. The attacks, and damage, can be successfully waged in hours or minutes. Even long past the IPO, Jones said, Concentric has had to tell billionaires that have longed to give away huge sums in charitable endeavors: They’ll make quite a few enemies along the way.

Relying On $200 Routers 

Concentric’s core business is the physical and digital security of high-growth companies. In the pandemic era, that has meant protecting data that has gone from a central location to far-flung home offices. The company says its enterprise customers using Concentric have already found millions of unprotected or inappropriately shared documents accessible by thousands of employees. Even before the pandemic, in January 2020, the company announced it would leverage deep learning capabilities to quantify risk by developing detailed semantic tools.

Managing data, then, becomes critical — and Jones acknowledged that there’s a great divide between how public and private firms operate — indeed in the very nature of what private companies might disclose and what they, as public entities, must disclose.

Even the geographic footprint of these smaller firms changes as they start to scale, he said — the startup’s single office in Silicon Valley may morph into several locations around the U.S. or around the world. More offices and more employees (working from home right now, of course) translate into a greater surface area, you might say, for malevolent forces to explore and attack.

“Once you remove your executives or your team from the corporate firewall,” said Jones, “and you put them in remote locations, not every organization had the ability for security to ‘travel’ with them to that home office. You’ve ended up relying on a $200 router to provide you with all kinds of security at home.”

Those same employees, he said, have been dealing with sensitive corporate data — and hackers know that. So, he said, the criminals make sure they hit lower rungs of management and the accounting team rather than senior executives.

“You can literally time it,” he told Webster. “The S-1 comes out and then 24 hours later, it’s ‘we’ve got a stalker.’”

Breaking The Information Chain  

To plug those vulnerabilities, he said, companies need to redirect their resources fluidly, before, during and after the IPO. Just as they need to hire bankers and other advisers during the process, so too will they need to hire security advisers and directors. Concentric, he said, works with its clients to “break the information chain” and “clean up” data profiles that might make firms more vulnerable to cybersecurity threats.

“You need a plan and you need to understand how to manage your risk and this environment where risk is developing online very rapidly,” he said.

Firms also need to explore their core business assets — extending up and down supply chains — and how everyday business flow might be interrupted or even damaged.

“The grievance may still be the same,” as it would have been if someone were to just show up at the physical office and try to disrupt things, he said, “but the ability for people to attack you is in a myriad of ways, because of the information about you that’s out there is completely different.”