RISK SURVEY | 7 min read

The Balance of Fear: A Risk Survey Before an Investor, the Authorities, or Just a Hacker Comes to Visit

Sometimes the greatest risk to a company is not the investor, the regulator, or the hacker — but the fact that the company failed to examine itself in time.

One of the main problems companies face when raising investment is a lack of readiness for investor review. This may be reflected, for example, in the absence of proper constitutional documents with minority protections, poor financial management, cyber risks, or non-compliance with legal requirements relevant to the company’s field of activity.

When an investor conducts due diligence before making an investment, they may refuse to proceed, demand control rights, reduce the valuation, or require specific corrective actions as a condition to the deal. At that stage, the company often has little real choice but to accept those terms.

The solution is to conduct an internal due diligence and risk review in advance — before the investor arrives, not after the gaps have already been exposed.

But sometimes the company is not preparing for an investment, merger, or public offering at all. In many cases, it discovers its risks only when administrative or criminal proceedings are initiated against the company or its officers. An early risk survey can prevent that outcome, or at least significantly reduce the exposure.

Many companies, early-stage ones in particular but by no means only them, operate without full legal support, or with lawyers who do not possess the full range of expertise required. In many cases, the company’s accountant is someone who “meets” the company only once a year, sometimes with a delay of a year or more, and only to prepare the financial statements.

That means there is often no true examination of the company’s day-to-day conduct and tax exposure. Certainly, there is no deep review of the broader business side, only a narrow accounting perspective. And as for information technology and cyber risks — in many cases, they are not meaningfully reviewed at all.

This kind of conduct does not only harm the company’s valuation or profitability. In some situations, it may also lead to personal liability for directors and officers.

For example, failure to make proper employee provisions creates accounting and legal exposure. Failure to comply with cyber regulation may not only create legal exposure, but may actually prevent customers from engaging with the company. A deal with an important European client may be commercially agreed, only to be stopped by that client’s legal department because of failure to comply with NIS-related requirements. This is not a theoretical scenario: the NIS2 Directive obliges in-scope European entities to manage security across their supply chain, so those entities pass security requirements down to their vendors, and a vendor that cannot demonstrate compliance can be rejected before the contract is signed.

Beyond that, there is a long list of laws that impose passive personal liability on officers even where they were not directly involved in the conduct in question, including in the areas of labor law, environmental law, planning and construction, and antitrust law.

All this comes even before addressing privacy issues in light of Amendment 13 to the Protection of Privacy Law, which further increases the personal responsibility of directors and officers who failed to appoint a Data Protection Officer (DPO) properly, or otherwise failed to act correctly in this area.

So what is the solution? An integrated risk survey conducted by a combined legal-accounting-cyber team, examining the company holistically — first at a general level and, where necessary, at a more detailed one — and identifying deficiencies that should be addressed.

Such a review enables the company to make informed decisions: what it wants to fix, what it must fix, and which risks it is willing to tolerate. It is important not only that the review be carried out by experienced external professionals, but also that, where additional experts such as accountants or cyber-security assessors are involved, they all be engaged under the lawyer’s direction, so that their findings are covered by attorney-client privilege rather than becoming discoverable material.

Ultimately, it is always better to act before the crisis, to avoid unpleasant surprises with investors or regulators, or at the very least to understand the risks in advance and ring-fence them as much as possible.