CYBER GUIDELINES FOR SAAS INVESTING

2024 Series: Topic 1

14 January 2024

Eric Bruzek

4 min read

Although the appetite for SaaS companies remains as insatiable as ever, institutional and corporate investors are no longer willing to accept high risk exposure as the price of high capital growth.

[Image: illustration for this insights piece, Cyber Guidelines for Software as a Service (SaaS) investing]

There continue to be endless ways for software-as-a-service (SaaS) companies to add value to businesses through digitisation and automation. As a result, institutional investors will continue to hold a healthy amount of SaaS in their portfolios. Similarly, corporate investors will continue to acquire SaaS companies to transform their businesses inorganically, for the speed-to-market and risk-profile advantages of buying over building.

There has been a rapid increase in cybercrime and its associated damages. Small-to-medium businesses (SMBs), including SMB SaaS companies, are easier targets because of their lower levels of cyber protection. From reputational damage to financial hardship, the stakes are too high for investors to treat cyber due diligence as anything less than mandatory.

Cyber due diligence is a maturing space, but done correctly, it will answer the following key strategic investment questions.

1. What is the current investment risk profile of the target, as it pertains to its cyber posture?

2. How much must be spent to bring the target to an acceptable level of risk?

3. How long will it take to attain that acceptable level of risk?

SaaS Market Growth

Size: US$237.5b in 2022

CAGR: 18.7% to 2030 [1]

Increasing Cybercrime

Nearly 94k cybercrime reports in Australia in 2022, up 23% from 2021 [2]

Increasing Damages

Global: US$10.5t p.a. by 2025, up 200% from 2015

Aus: average cost per cybercrime report up 14% [3, 2]

Soft Targets

43% of attacks in Australia target SMBs [4]


At Amerinda, answering these strategic questions involves comprehensively understanding an investment target’s cyber capabilities across the following functions [5].

Identify: Capabilities to understand how to manage cyber risk and to prioritise mitigation measures

Protect: Capabilities to limit or contain the impact of a potential cyber event

Detect: Capabilities to identify the occurrence of a cyber event

Respond: Capabilities to take action regarding a detected cyber incident

Recover: Capabilities to maintain plans for resilience and restore services post a cyber incident

To be of value to an investor, a target’s cyber capabilities must then be compared against a baseline set of capabilities appropriate for a SaaS target’s stage of growth. This enables investors to arrive at a set of necessary, minimum cyber capabilities and spend to enable an acceptable level of investment risk. For this we have devised the Capability Maturity Framework for cyber due diligence.

[Figure: high-level view of Amerinda Advisory's Cyber Capability Maturity framework]

Product Validation (Pre-Seed) Stage Guidelines

SaaS companies at the Product Validation stage are focused on demonstrating customer affinity, acquiring initial customers and validating their value propositions. Their cyber postures are just starting to take shape. Inconsistent, undocumented cyber practices are common.

What Good Looks Like

Awareness: The founders understand the company's current cyber risk level, why it matters, and what remediation is needed

Essential Protection: Protection of what matters most to a SaaS company is in place (source code, customer data, production environment, etc.)

Basic Governance: Simple operational governance that covers the essentials is evident (agreed practices are actually carried out, etc.)

Business Validation (Seed) Stage Guidelines

SaaS companies at the Business Validation stage are focused on validating their target market and establishing an initial set of anchor customers. Consistent, formalised cyber practices are common.

What Good Looks Like

Standards: Alignment to industry-standard cyber protection and software development practices

Regular Monitoring: Key points of risk / entry are consistently monitored (e.g. access rights)

Top-Down Governance: Governance formally reaches the executive and the board
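The "Regular Monitoring" guideline above names access rights as a key point of entry that should be checked consistently. The script below is an added example, not code from the Amerinda piece, of the kind of scheduled access-rights review a Seed-stage SaaS company should be able to show a diligence reviewer. The CSV export format and its column names are assumptions for the example, not any identity provider's real schema, and the account rows are constructed sample data.

```python
"""Access-rights review over a constructed account export (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Columns are a hypothetical schema for this example:
# username, role, mfa_enabled, last_login (ISO 8601, UTC), shared
SAMPLE_EXPORT = """username,role,mfa_enabled,last_login,shared
alice,admin,true,2024-01-10T09:12:00Z,false
bob,developer,true,2023-09-30T17:45:00Z,false
deploy-svc,admin,false,2024-01-12T02:00:00Z,true
carol,support,false,2024-01-08T11:30:00Z,false
dave,admin,true,2023-06-01T08:00:00Z,false
"""

# Review thresholds (assumed policy values, not from the article)
INACTIVITY_LIMIT = timedelta(days=90)
PRIVILEGED_ROLES = {"admin"}


def parse_export(text):
    """Parse the CSV export into a list of account dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "role": row["role"].strip().lower(),
            "mfa_enabled": row["mfa_enabled"].strip().lower() == "true",
            # Accept a trailing 'Z' on older Pythons by rewriting it as +00:00
            "last_login": datetime.fromisoformat(
                row["last_login"].strip().replace("Z", "+00:00")),
            "shared": row["shared"].strip().lower() == "true",
        })
    return accounts


def review_access(accounts, now):
    """Return (username, finding) tuples for accounts that breach the review rules.

    Rules checked, in order, for every account:
      1. privileged role without MFA
      2. no login within INACTIVITY_LIMIT (stale access)
      3. shared credential (no individual accountability)
    """
    findings = []
    for acct in accounts:
        if acct["role"] in PRIVILEGED_ROLES and not acct["mfa_enabled"]:
            findings.append((acct["username"], "privileged account without MFA"))
        if now - acct["last_login"] > INACTIVITY_LIMIT:
            findings.append((acct["username"], "inactive beyond 90 days; disable or remove"))
        if acct["shared"]:
            findings.append((acct["username"], "shared credential; no individual accountability"))
    return findings


def run_sample():
    """Run the review over the constructed export as at 14 January 2024 (UTC)."""
    now = datetime(2024, 1, 14, tzinfo=timezone.utc)
    return review_access(parse_export(SAMPLE_EXPORT), now)


if __name__ == "__main__":
    for username, finding in run_sample():
        print(f"{username}: {finding}")
```

Run monthly, the output of such a review (and the tickets raised to close each finding) is the evidence a reviewer would ask for under this guideline; a company that can only describe the check, but not show its history, is not yet at the Seed baseline.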

SaaS Company Building (Series A) Stage Guidelines

SaaS companies at the Company Building stage are focused on commencing hiring (i.e. beyond founding levels) and building scalable operations and systems. Documented, unmeasured cyber practices are common.

What Good Looks Like

Playbooks: Cyber playbooks and system documentation in place (technology stack, development, etc.)

Automation: Broad-based integration and automation of security and development systems in place

Compliance: Enforcement of cyber practices and assurance of standards compliance in place

Company Scaling (Series B / C) Stage Guidelines

SaaS companies at the Company Scaling stage have demonstrated high, double-digit growth for 2+ years and are focused on scaling back market experimentation and enabling greater employee specialisation. Measured, quality-focused cyber practices are common.

What Good Looks Like

Responsiveness: Defensive responses approach machine speed

Advanced Capabilities: Introduction of advanced cyber capabilities (cyber mesh, zero trust, etc.)

KPIs: Demonstrated ability to measure and improve key cyber KPIs

Sources

[1] Fortune Business Insights

[2] Australian Signals Directorate

[3] McKinsey

[4] Savvy

[5] National Institute of Standards and Technology (NIST), Cybersecurity Framework