Is Safety Tech a new frontier for impact investing?
Through the growth of environment focussed investing we are now all aware of the need to protect the physical world. A global pandemic made our lives more virtual and digital than ever before. New groups were exposed to online activities including those of our children and older more vulnerable adults. We need to pay as much attention to protecting ourselves and each other online as we do protecting the physical world. It could be said that this is a new frontier for impact investment.
The business of safer online experiences, and protecting users from harmful content, contact or conduct is booming and they are finding willing investors.
Over the past decade a growing number of organisations particularly in the UK have developed technology to help manage and reduce these risks, with the shared aim of keeping users safer online. This area of cyber security is now being called “Safety Tech”. Some examples of the work they do¹ :
- Work closely with law enforcement, to help trace, locate and facilitate the removal of illegal content online
- Work with social media, gaming, and content providers to identify harmful behaviour within their platforms
- Monitor, detect and share online harm threats with industry and law enforcement in real-time
- Develop trusted online platforms that are age-appropriate and provide parental reassurance for when children are online
- Verify and assure the age of users
- Actively identify and respond to instances of online harm, bullying,harassment and abuse
- Filter, block and flag harmful content at a network or device level
- Detect and disrupt false, misleading or harmful narratives
- Advise and support a community of moderators to identify and remove harmful content
Ananda’s perspective on why invest now
- Industry size in the UK has got to a good level — over 70 companies in safety tech, with a handful beyond series A, most at seed — a nascent industry but growing in strength and capabilities and network. The UK has 25% of the global market for Safety Tech within Cyber Security² and ranks number 1 in the world on the Global Cybersecurity Index (GCI) 2018³.
- Industry growth — The Safety Tech sector has grown rapidly with an estimated 35% annual growth rate since 2016.
- The past four years have seen external investment in the UK sector increase more than 800%, to a record year in 2019 with £51m raised across 19 deals, as the scale and maturity of companies within the sector has developed⁴.
- Regulation and UK Government support — online harms white paper moving towards regulation and the UK govt publishing sectoral analysis and proposals to stimulate the investment sector.
Calling upon the Industry Experts
Trust Elevate enables companies that handle children and young people’s data to do so in compliance with regulations. Rachel is one of the preeminent authorities on electronic identification and age verification. In 2000, Rachel set up the Cyberspace Research Unit, at the University of Central Lancashire and secured funding from the European Commission to establish and operate the first UK Internet Safety Centre (2000- 2006), which was based at the Cyberspace Research Unit. Rachel’s PhD examined the implications of online paedophile activity for investigative strategies.
Cyan Forensics eradicates content related to Child Sexual Exploitation and Terrorism. They help the police find digital evidence in minutes and are now using the same technology to help block this content at source — on social media sites, cloud platforms and networks.
What are some of the biggest challenges and opportunities in this field
Ian: Cybersecurity activity is often focussed on mitigating economic harms relating to regulatory compliance and protecting assets or reputation. This can be a challenge for companies providing cybersecurity solutions that focus on people, and this is where impact investors can make a really positive contribution to the sector as a whole.
As a society we are increasingly focussed on wellbeing, on understanding the economic impact of exclusion and poor mental health, and on solving big problems whether it is child safety, racism or extremism. Impact investors already understand the value of solving these problems, and can bring that thinking to the cybersecurity sector.
Rachel: According to Cybersecurity Ventures, a research and publishing firm focused on cybersecurity, by 2021, the damage inflicted by cybercrime will cost the global economy $6trn (€4.85trn) every year. Cybersecurity is one of the priority areas for CFO’s to invest in, particularly given that the impact of a data breach can be so far-reaching for the company breached, for other companies in the supply chain and end-users. However, despite cybersecurity being a priority, companies do not allocate sufficient budget to cybersecurity, as evidenced by the number of serious data breaches taking place. The following are a few examples of recent data breaches:
- In 2020, Singapore-based ST Engineering Aerospace’s United States subsidiary has suffered a massive ransomware attack. Hackers exfiltrated about 1.5TB of data resulting in the exposure of confidential data such as details of contracts with various governments, government-related organizations and airlines.
- Facebook’s Cambridge Analytica scandal put the brightest possible spotlight on privacy and users’ data. Eighty-seven million Facebook users’ information was compromised, and Facebook lost $119 billion in a single day, the most significant single-day drop in history.
- Marriott Hotels lost 500 million people’s personal information.
- MyFitnessPal data breach effected 150 million users, whose personal information was sold by hackers on the dark web.
As security breaches become more common, companies and customers alike are re-evaluating their relationships with data. Customers want more ownership of their data and the ability to give it out granularly, while an increasing number of businesses are shifting away from central banks of data and leaning towards a “zero data” approach.
By minimising the amount of information companies store or collect, and thereby mitigating the risks, this creates challenges for cybersecurity companies in terms of getting larger companies to allocate sufficient budget and resource to purchase and deploy cybersecurity solutions. This is the cyber security investment paradox.
If you were an investor, how would you identify a good team in this field?
Rachel: A good team must have relevant experience, and one or more members must have worked at C-Suite level, as e.g., CSIO, Chief Architect, within one or more large enterprise companies. That experience should mean that the start-up understands the nature of the cybersecurity risks their potential clients are dealing with and be able to articulate how that their start-up /scale-up is seeking to address those threat vectors. It is critical to be able to provide the client with an understanding of how their solution will augment /complement the existing suite of cybersecurity solutions the company is using.
Many CSIOs within companies feel bombarded by start-ups offering cybersecurity point solutions that often overlap with the existing solutions the company deploys. It is critical to have someone on the start-ups SMT, or an advisor, who understands the landscape and can position their offering as adding significant value relative to the other solutions the company may be deploying.
The start-up also needs to demonstrate an understanding of the transformation that may be occurring inside client companies and how their solution will operate in an evolving set of circumstances. These may relate to how much data is collected, processed and stored, what devices must be protected, where the vulnerabilities might exist and be able to articulate a clear strategy and set of business benefits. The growth of a zero-trust approach and self-sovereign identity are upcoming issues that may impact on the value proposition.
What kind of IP/USP is a good indicator for future growth potential and therefore impact?
Ian: One of the best questions I get asked is “you’re a small team, and people like Google and Facebook have huge resources, smart people, and a need to solve this problem — what makes you think there’s room for you in this market.” Variants of this question can apply to almost any tech investment.
We answer this as follows
- We’ve already invested a lot in this (e.g. academic research, unique personal experience)
- We’ve got protectable IP in the form of patents
- We’ve built relationships/partnerships that let us punch above our weight
- We’re establishing a brand (becoming the “hoover”)
- We’ve got some strong lead customers/pilots etc.
- Our job isn’t a direct competition with a well funded team at XCorp (Google or whatever company) — it’s to establish our business and tech to the point that when the big guys understand the importance of our area, one of them will buy us to get a lead on their competitors.
Rachel: Zero trust — Zero Trust⁵ was created by John Kindervag, during his tenure as a vice president and principal analyst for Forrester Research. Traditional security models operate on the assumption that everything inside an organization’s network should be trusted. The Zero Trust model recognizes that trust is a vulnerability. Zero Trust is rooted in the principle of “never trust, always verify,” and is designed to protect digital environments by , for example, leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.
Effective Identity access management is key to cybersecurity, and several experts see the move toward federated SSO, tokenized identity management as the precursor to Self-Sovereign Identity (SSI). SSI is a set of technologies that move control of digital identity from third party “identity providers” directly to individuals.
In terms of regulation, where do we currently stand?
Rachel: Geopolitical risk is any change in a company’s business and security environment that involves a cross border issue. The need to protect critical infrastructure from cyberattacks will continue to grow in importance alongside the effective use of ‘cyber intelligence’ to manage cyber-threats effectively, i.e. to ‘Assess, Protect, Detect & Respond’.
The EU Network and Information Security (NIS) directive⁶, represents the cornerstone of the EU’s efforts to step up its overall cybersecurity. The Directive aims for the attainment of a common high level of network and information security and thus upscaling capacities, cooperation and risk management practices across the EU Member States.
The EU Cybersecurity Act⁷ introduces an EU-wide cybersecurity certification framework for ICT products, services and processes. Companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once and see their certificates recognized across the European Union.
From an investors’ perspective, it is worth researching and carefully considering the potential impact on trade and investment of the EU certification framework, and how this might affect the UK when it assumes third country status.
Ian: In addition to what Rachel has mentioned I would add that regulation in this area of cyber security is an unstoppable trend we have GDPR in the EU, French social media laws, a new California consumer privacy law,the EARN-IT act in the US and proposed legislation in Australia, New Zealand and the UK.
In the case of cyber security and this emerging area of Safety Tech the impact that we seek to scale as investors is digital rather than tangible, but we believe it is every bit as important as protecting our oceans, forests, improving health outcomes and combating poverty.
At Ananda Impact Ventures we believe that startups can contribute to tackling safer online experiences and protecting users from harmful content, contact or conduct with innovative technological solutions. We are constantly looking for opportunities to suport mission-driven founders in this field. If you’re a founder or investor and interested to discuss, reach out to the Ananda team.
Written by Zoe Peden
Investment Manager @Ananda Impact Ventures