Better brand recognition, a lot more working capital, and a chance to liquidate life-changing equity grants: staff at any business about to go public might be looking forward to these kinds of benefits. However, what most also invariably get on the side is a great deal of attention—not always the good kind.
No pre-IPO company can isolate itself from short-selling naysayers and criminals completely. But removing executive and employee personally identifiable information (PII) from the open web can help organizations mitigate some of the worst personal and organizational threats during this busy and stressful time.
1. The Personal Privacy Impact of an IPO
From shareholders to executive staff, when a business announces an IPO, anyone with a stake in the company can suddenly find themselves a target for harassment.
Whether it’s disgruntled former employees, individuals who lost out on the deal, or scammers, wealth and prominence (or the promise of these things) can render those involved in an IPO an attractive target for anyone looking to cause harm or make a quick buck. Case in point: more than 8 in 10 of the top 25 Fortune 500 CEOs have been victims of threats or harassment.
Besides causing immense stress and, in the event that personal harassment campaigns become public, even reputational damage to the individuals themselves, these types of incidents can also affect how customers and investors perceive the organization and its public persona.
2. The Cybersecurity Impact of an IPO
Regardless of how big or small a company is, the organizational, technical, and legal maneuvering that comes with the sudden shift from private to public ownership is a period of great change for any organization—one that cybercriminals are only too keen to exploit.
According to the FBI, ransomware groups often use time-sensitive financial business events like IPOs and mergers and acquisitions as leverage.
Specifically, when targeting companies involved in these types of events, threat actors will often do the following before an attack:
- Search their target’s documents and emails for keywords like “NASDAQ.”
- Research a company’s likely stock valuation.
- Look for other material nonpublic information, including sensitive assets like intellectual property.
They will then threaten to expose their findings, which could result in investor backlash and stock price declines, to pressure victims into paying a ransom quickly.
It’s a great strategy. Research shows that ransomware attacks can affect the price of a victim’s shares by up to 30%. Looking at hacking forums, cybercriminals sometimes even encourage others to use the NASDAQ stock exchange to adjust their extortion process.
Personal Information Exposure during an IPO
One thing harassment campaigns, doxxing incidents, and breaches tend to have in common is that they more often than not exploit executive and/or employee personally identifiable information.
That makes sense. After all, if an aggrieved individual can’t find an executive’s phone number, how will they harass/stalk/threaten them? And if a cybercriminal can’t get their hands on an employee’s email address, how will they send them a spear-phishing email?
Unfortunately, finding this information is remarkably easy. It doesn’t even require a trip to the dark web.
Because of data brokers—i.e., firms that trade in people’s personal data—anyone can get their hands on an employee’s contact details and other sensitive data via the open web (i.e., with a simple Google search). Today, over 230 data brokers hold information on 99% of all American adults. What’s more, the average data broker lists three personal email addresses per executive, and 40% of data brokers hold IP addresses that can be linked to executives’ home networks.
Stopping Pre-IPO Threats at Source
Removing executive and employee PII from publicly accessible sources may not dissuade determined individuals from causing harm to an organization that’s about to IPO. But it will certainly make a company a less attractive target. When they’re unable to locate useful PII, malicious individuals are more likely to move on to the next target.
Although it’s possible to delete PII from data brokers manually, it’s a time-consuming and, at times, complex process. Not only does each data broker have different opt-out procedures (e.g., one might let people opt out online, whereas others may require you to mail in a physical form or even make a phone call), but they also periodically relist people’s information. As such, for it to be effective, removal needs to be continuous.