CDK, Ransomware, and the Dangers of Duopolies
6–24–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, June 24, 2024, and we’re finally going to talk about something other than the Snowflake breach, but unfortunately it’s another large, systemic ransomware attack and the picture remains pretty bleak for those impacted.
CDK, Ransomware, and the Danger of Duopolies
I am, of course, talking about CDK Global - a Dealer Management System that is installed in more than 15,000 car dealers here in the United States and who is currently down, experiencing a ransomware event since last Wednesday, June 19.
By way of brief background, CDK was a publicly traded company until it was taken private by Canadian PE firm Brookfield in 2022 for just over $8B.
This particular attack has been getting pretty decent news coverage since it started. Perhaps that’s because it’s a “double ransom” event, perhaps because it’s because of the warning that CDK issued about follow-on phishing calls, the large ransom amount, or the fact that America remains obsessed with automobiles.
Axios had a note on Friday that summed this up nicely:
“Every sector has specialized needs that only a handful of vendors have products to address, creating a concentrated security risk if these specialized vendors face a cyberattack.”
Third-party cyber risk has been a challenge for a huge number of reasons, and this only serves to highlight the impact.
In fact, even though CDK Global is privately owned, we’ve now seen 8-K filings of material cybersecurity events from at least 6 publicly traded auto dealer groups, including AutoNation, Lithia Motors, Group 1 Automotive, Sonic Automotive, Asbury, and the Penske Auto Group - with the expectation that we’ll see even more in the days ahead.
It has been reported that the ransom demand here is in the “tens of millions,” and that CDK is planning on paying. That’s all well and good, but it doesn’t guarantee recovery - and it’s still a significant amount of work to stand back up an infrastructure of this size.
Many dealerships utilize this platform not only for sales, but also for service support, making a significant portion of their businesses either hard down or utilizing pen and paper to make it all work.
Not to mention, dealers are facing end of month, end of quarter, and end of half for sales incentives and bonus / rebate plans - all of which will have to be reconciled after the application comes up (timeline still TBD, as is the status of any data within that application).
It’s going to make life very hard for these dealerships - and their employees and customers - but I don’t know that it’s going to incite any amount of change. And, it’s a reminder that we need to have backup plans in place for when critical third parties are not available. An SLA in a contract isn’t much help when you’re number 14,578 in line to get paid after an outage.
This sort of thinking makes for great table top exercises and thought experiments, and it can be very enlightening to think through how it might work - manually, or with another tool, or perhaps with another vendor entirely.
Just make sure you do the thinking, planning, and procuring ahead of the cyber event!
Fundraising
From a fundraising perspective, we saw more than $13.5B in newly committed capital, including a $5.6B raise for Hamilton Lane’s sixth secondaries fund (the largest fund in the firm’s history) as well as $2.75B for Kinderhook Industries’ 8th fund. Again, the incumbents with strong track records are the ones setting the pace here.
Finally, we talked last week about the challenges that LPs were giving funds for their lack of exits - and we saw an article this week from The Information title “With IPOs Off Limits, Software Investors Pin Hopes on PE Buyouts.”
Perhaps a bit of rearranging the deck chairs on the Titanic, but I think the theme is the same - investors who are looking for liquidity simply aren’t finding it, and are turning to new means to generate it. What will this mean for the businesses themselves? Likely a range of things, and it depends on the business - but the VC model and the PE model aren’t the same, and I don’t know that we’re going to see many successful transactions across this transom. I could be wrong, but I think there’s very few late stage software companies in 2024 for whom an IPO doesn’t pencil but a PE buyout does.
As always, watch this space.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.cnn.com/2024/06/19/tech/car-dealership-cdk-cyber-incident-outage/index.html
https://www.sec.gov/Archives/edgar/data/350698/000035069824000078/an-20240619.htm
https://www.sec.gov/Archives/edgar/data/1023128/000102312824000079/lad-20240619.htm
https://www.sec.gov/Archives/edgar/data/1031203/000103120324000048/gpi-20240619.htm
https://www.sec.gov/Archives/edgar/data/1043509/000104350924000059/sah-20240619.htm
https://www.sec.gov/Archives/edgar/data/1144980/000114498024000120/abg-20240619.htm
https://www.sec.gov/Archives/edgar/data/1019849/000101984924000089/pag-20240619.htm