Preparing for the (Inevitable) Data Breach
An estimated 70% of Canadian businesses have been victims of a cyber-attack. It is not as much of a question of if but rather when your business may face its own cyber-attack. Startups, in particular, are especially vulnerable, given the limited number of resources available. With margins being consistently thin, a data breach may be the difference between success and failure. It is, therefore, crucial that you’re aware of the risks and how to best mitigate them.
Cyber incidents typically occur for the following three reasons:
The fallout from a cyber attack is best mitigated by being prepared and being aware of the protocols and responses that ought to be triggered. The NIST Framework outlines five core competencies (shown in the diagram below) underpinning any comprehensive cybersecurity policy. I suggest that as a startup, you may want to be most focused on the identification stage of the NIST framework so that you’re able to assess what needs priority protection given the likely limited funds available.
The following steps help outline the approach that organizations need to adopt to create an effective cybersecurity policy.
1. Governance Team: the executive needs to determine which departments, and which individuals from within those departments need to be assembled on the cyber governance team. A team leader should be appointed. Efforts of the team should be reported to a specialized committee or the board itself to ensure that they are addressing organization-wide concerns relating to potential cybersecurity threats. Understand your requirements under PIPIDA. I have written a more extensive article on how PIPEDA affects you and your business. In short, it applies to most private sector organizations operating in Canada. For more information, see this blog post.
2. Current Inventory: Once a governance team is established, it needs to make an accurate inventory of its data and information system. This inventory should include where the physical systems are located, which information is on it, and who has permission to access it. It should also specify any obvious existing vulnerabilities. The key here is to recognize what your systems are so that you can adequately do a full risk assessment in the next step
3. Risk Assessment: Assess the most common threats that the organization is susceptible to. This could range from malware to phishing attacks. Depending on the complexity of your business and the data it handles, you may wish to seek guidance from a cybersecurity expert to help triage your systems.
4. Target Profile: Upon completion of the risk assessment, your organization should create a target profile and assess where the threat is most likely to stem from. This could include internal threats such as employees being unaware of various phishing or malware threats that may inadvertently expose your system.
5. Determine and Prioritize Gaps: By analyzing the gap between your target and current profile, you’re able to detect any significant discrepancies that need to be addressed by the governance team.
6. Implement Action Plan: Assess deficiencies in the existing cybersecurity regime:
Daniel Frederiks is a member of the BLG Business Venture Clinic and is a second-year law student at the Faculty of Law, University of Calgary.
 Imran Ahmad, Cybersecurity in Canada: A Guide to Best Practices, Planning, and Management
Stock Grants vs. Stock Options – the Basics
Both stock grants and stock options are tools which employers use to motivate their employees to keep up the hard work. These tools would align the interests of the employees with that of the shareholders. They benefit the employees when working for a startup that lacks the pay/job security. These two forms of compensation will also discourage employees from quitting their jobs until the options or stocks vest. Options and grants, however, are very different from each other.
Stock grants occur when the company pays part of the compensation of the employees in the form of corporate stock. In most instances, there are some restrictions on these granted stocks so that they can be designed to keep the employees working for the company for a set period of time. For example, if the company awards an employee 1000 shares of stock which will vest over two years, the employee will retain the stock only after two years of employment. He will lose the stock if he leaves the company prior to vesting.
When awarded stocks, the employees would have to pay tax on theses stock the same year they were issued. It should be noted that share can only be issued for past, not future, services.
Stock options give the employee the right but not the obligation to buy a set amount of the company’s stocks at a set price within a specified time frame. Stock options are always subject to vesting schedules. In most instances, option agreements expire once an employee leaves the company. As a result, vesting schedules is a great way to induce an employee to stay.
It should be noted that because of the fluctuation of the stock price, stock options can be valued less than the employee cost, making them worthless. By contrast, the net worth of stock grants are much more stable and will not become zero unless the company goes out of business.
Regarding the accounting issues, since 2001, companies have to record the “fair value” of the stock options on the day they are granted, which is recorded as a company expense.
The Advantages of Stock Grants and Stock Options
Both of stock grants and stock options can discourage the employees from quitting through vesting schedules. They are both important for the startup because the company does not need to pay cash directly. As a result, they put less pressure on the cash flow.
The Differences between Stock Grants and Stock Options
One obvious difference has been mentioned above: stock grants are always worth something, however, stock options can be worth nothing at all if the company's share price falls more than expected. Then, what can be done to encourage the employees to stay at the company in this situation? There are two solutions: 1. To keep existing options as is and to issue new options at a new attractive strike price. 2. To cancel old options and to issue new ones (TSXV rules require shareholder approval for this if the company cancels and reissues options within 12 months).
The other side of the argument is equally strong: the returns of stock options can be much higher although they are risky. Therefore, to balance the risk and reward profile of the compensation package, the employer may award some options along with some stock.
From the employee’s perspective, stock options are also more flexible, because, unlike grants, they frequently have an early exercise option, so an employee intending to leave the company can exercise his options before the end of the vesting period and garner some of the benefit without having to stay at the company. 
Rong Gao is a member of the BLG Business Venture Clinic and is a second-year law student at the Faculty of Law, University of Calgary.
 Hunkar Ozyasar, Stock Grants Vs. Stock Options, https://budgeting.thenest.com/stock-grants-vs-stock-options-20564.html
 Alice Stuart, Stock Grants Vs. Stock Options, https://finance.zacks.com/stock-grants-vs-stock-options-5440.html
WeWork: The Rise and Fall of the Real Estate Disruptor
Overview: Founders, Business Plan, Value Proposition, Strategy
To best understand the story of WeWork, it is easiest to start it its origin and founder. Adam Neumann (“Neumann”) appears to be the ‘classic’ entrepreneur. He was ambitious, charismatic, and overconfident. He was also a talented pitch artist, as it is no small feat to bring in over $12.8 billion in financing over his time at WeWork.
It wasn’t until his third venture, GreenDesk, that ultimately began Neumann’s path to start-up stardom. The idea was sustainable co-working space. The business proved to be profitable in its first year of operation, however, GreenDesk was sold as the two founders differed in opinion with their main investor on the company’s direction. The two founders then started WeWork, with the only change being a shift from a ‘sustainable’ to a ‘community’ concept.
The Founders identified an opportunity in the market following the economic crisis in 2008. Neumann stated, “During the economic crises, there were these empty buildings and these people freelancing or starting companies. I knew there was a way to match the two.” This was part of the Founder’s value proposition – individuals and start-ups renting office space without the need and cost of renting out a space larger than they needed. The business model entailed WeWork taking out a cut-rate lease on a floor or two of an office building, chopping it up into smaller parcels and then charges monthly memberships to start-ups and small companies that want to work close with each other. This ‘working close with each other’ was the second part of WeWork’s value proposition. It identified ‘community’ as the main product to sell to its members. The WeWork ‘community’ entailed: open floor plans, lounge amenities, social activities, and floor plan arrangements that were designed to promote entrepreneurs to utilize fellow members' skills and networks.
Setting ‘community’ aside, and looking at the fundamental business plan, it is apparent it could be easily replicated. When a business does not derive its value from any type of intellectual property or technology, it must put rapid growth and brand recognition at the forefront of its strategy. WeWork did this on an incredibly impressive scale. WeWork used a large amount of financing to expand at a rapid pace into over 110 cities across 29 countries.
Financings: (Information from: https://craft.co/wework/funding-rounds)
Over the span of 9 years, WeWork grew to an incredible $47 billion placing it as the highest valued private company in the United States in early 2019, ahead of the likes of Space X, Airbnb, JUUL, etc.
However, the company came crashing down to earth when WeWork filed for its IPO in August of this year. The prospectus faced harsh criticism from public markets as investors and analysts balked at the overinflated valuation and expressed major concerns about the company. This ultimately resulted in WeWork having to pull its’ IPO. Some of the major issues identified by the public market were the business model, profitability prospects, corporate governance and leadership.
a. Profitability and Business Model
The profitability of the company was put into question both short term and long term. WeWork had a net loss of $1.6 billion in 2018, and nearly $700 million in the first 6 months of 2019. It is not uncommon for start-ups to faces losses in their early years but you want to see net loss is shrinking as a percentage of revenue. Whereas, with WeWork the prospectus stated, "These expenditures will make it more difficult for us to achieve profitability, and we cannot predict whether we will achieve profitability for the foreseeable future.”
A major concern was if WeWork’s economics could survive the inevitable real estate slump. WeWork was charging high per-square-foot prices but was also locking itself into long-term leases at record rents. There was clearly the prospect of a tenant exodus amid a recession or to cheaper competition. As of 2019, WeWork had committed to $47.2 Billion in future payment obligations but had only received $4 Billion in committed revenue from memberships.
b. Leadership & Corporate Governance
The issues surrounding WeWork’s corporate governance were also a major issue. First and foremost, Neumann had an incredible amount of power in WeWork. His class ‘B’ and ‘C’ shares carried 20 votes to the 1 of the class ‘A’ shares. This allowed for him to still maintain control of the company, even after SoftBank had invested over $10 Billion. Neumann was also said to have engaged with some questionable conflicts of interest with WeWork. When the company undertook to trademark the ‘We’ name, it was then revealed Neumann and the other co-founder had already owned the ‘We’ trademark in a separate corporation and made the company purchase it for over $5.9 million. WeWork also leased properties that Neumann had an ownership stake in. Neumann also received extremely low interest rate loans from the Corporation in excess of $30 million. Neumann’s wife also received a senior management position with the company and was said to possess the power to appoint a new CEO if Neumann were to become incapacitated or die.
Because of the failed attempt at an IPO, which now appears actually necessary for funding and not just an exit for investors, WeWork was in need of money quickly. SoftBank, which was already its largest investor, came to the rescue with a package of $5 billion. However, that package was not without scrutiny and further showcases the failures of the board. Specifically, criticism surrounding the package that Neumann received, which included: $198 million consulting position, $970 million for his stock, and a $500 million credit faculty. It is no surprise to hear of criticism considering reports stated that WeWork had delayed layoffs because it couldn't afford to pay severance.
There are plenty of learning lessons for the start-up community and investors resulting from WeWork’s fall. Start-ups can mitigate many of these by ensuring proper safeguards developed in their initial startup process. Legal counsel acting for the company needs to ‘founder proof’ the organization, and prepare for the inevitable transition from the initial founder and management team to a more experienced and suitable one, likely endorsed by the major investors of the company.
In WeWork’s case, it faced major financial difficulties removing power from Neumann. This could have been avoided had there been tighter board governance and attention placed on the voting power within the organization. It should have been apparent to the board from the ill-advised spending and poor media attention Neumann was getting for the company that they needed to move on to a better management team. However, the power structure of WeWork made this extremely difficult and extremely expensive. WeWork was not ‘founder-proofed’.
Another oversight was that WeWork had no employment agreement with Neumann. For someone to be as important to a company as they touted, it was irresponsible of the board to not have an employment agreement with him. He could have just walked away at any point and this was even identified as a risk in the IPO disclosing. Ultimately, Neumann’s exit was needed, but this could have been a disastrous oversight.
As noted above, rapid expansion made sense for WeWork, but it must be undertaken at a responsible rate and direction. WeWork began venturing into areas that were not core to its business which required a lot of capital that was not producing income. Those new ventures coupled with its massive debt laden growth in real estate, became too costly for the company to become profitable. This profitability was quickly identified once the IPO disclosures became absorbed in the public market.
Another issue was the extremely optimistic $47 Billion valuation, which clearly wasn’t reality. This can hurt the company two-fold. First, a more realistic valuation would have not received as much push back from the public markets. Secondly, your investors will not be happy when their investment becomes much less valuable when the more realistic valuation is placed on the company.
Lastly, the corporate governance practices remain of vital importance. History shows that start-ups fail more often than succeed, so to reduce those chances of failure, planning and execution of these must be done at the outset of any venture. Ensure your start-up has the proper agreements and bylaws in place.
Ty Buhler is a member of the BLG Business Venture Clinic and is a third-year law student at the Faculty of Law, University of Calgary.
 Jason Sheftell, “WeWork gives alternative to working at home with swanky buildings across NYC” (22 July 2011), online: New York Daily News <https://www.nydailynews.com/life-style/real-estate/wework-alternative-working-home-swanky-buildings-nyc-article-1.1044412>
 Allana Akhtar, “Adam Neumann built a global coworking empire. These are the cities with the most WeWork offices, and how much they cost.” (22 October 2019), online: Business Insider <https://www.businessinsider.com/global-cities-with-the-most-wework-offices>
 Jon Banister and Ethan Rothstein, “Here’s everything you need to know from WeWork’s landmark IPO Prospectus” (14 August 2019), online: Bisnow <https://www.bisnow.com/national/news/coworking/heres-what-you-need-to-know-from-weworks-ipo-prospectus-100361>
 Alex Konrod, “Inside the Phenomenal Rise of WeWork” (5 November 2014), online: Forbes <https://www.forbes.com/sites/alexkonrad/2014/11/05/the-rise-of-wework/#26eaf94a6f8b>
 Supra at note 3.
 Kevin Dowd, “10 big thing: WeWork’s IPO in peril” (8 September, 2019), online: PitchBook <https://pitchbook.com/news/articles/10-big-things-weworks-ipo-is-in-peril>
 Supra at note 3.
Blog posts are by students at the Business Venture Clinic. Student bios appear under each post.