Pattern Recognition

12–16–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, December 16, 2024, and we’re already seeing things wind down for the holidays and end of year. The mid-week Christmas and New Year’s windows are going to effectively shut down the last two weeks of the year, which maybe isn’t a bad thing.

Pattern Recognition

I wish I had good news about the things we’ve been talking about - Blue Yonder, Salt Typhoon, and others - but nobody seems to have made much progress in the past week. Blue Yonder put out another note that the “investigation is ongoing” and they’ve “worked with external cybersecurity firms and strengthened our defensive protocols” - without providing any details. Meanwhile, the threat actors are now dumping Blue Yonder files, so…you know.

This lack of details, it turns out, is part of a larger pattern in this space. After a year of the new SEC cyber disclosure rules, Axios noted that “only 16.9% of public 8-K filings disclosing a cyber incident provided specific details.”

Additionally, only 4% of 8-K filings disclosing a cyber incident for the first time mentioned material impact.

Beyond this, the review noted “only 48% of 8-K filings provided any specifics about how the organization was responding to an ongoing incident” while the remaining “52% of filings shared only the same, vague boilerplate language about the incidents.”

So, the pattern here is that the majority of companies who filed this notice over the past year said literally the exact same thing.

What the study did not look at, but I’d be curious to see, is what the language looks like for the other disclosure requirements from these new regulations around overall cybersecurity strategies in annual reports.

Another interesting bit in this pattern recognition space is that only 10% of the company filings specify CISOs as individuals responsible for cybersecurity, while 18% state VPs and below as leaders.

Meanwhile, the pattern on the other side is on full display in a Bloomberg article that lays out the distribution of companies attacked by ransomware in Q3 of 2024, with the vast majority (75.3%) falling between either 11 - 100 or 101 - 1,000.

Larger (and presumably more likely to be public) companies make up only a minority share - diminishing in targeting frequency as size grows. The pattern, of course, demonstrates the challenges that smaller and mid-sized companies face in terms of lack of talent and aged, vulnerable technology infrastructure.

Unfortunately, the attacks that are being used against all of those companies filing 8-Ks are the ones being successfully leveraged against these smaller companies. By continuing this boilerplate language, we push these externalities downstream. I’m not saying that full disclosure is a silver bullet, but more information gives smaller teams a fighting chance.

Fundraising

From a fundraising perspective, we’re also seeing patterns, and a week almost identical to last week - raising $8.8B, led by a large single fund. In this case, the $7.1B from Carlyle’s third credit opportunities fund pitched in the majority of new commitments.

We will be getting new episodes out the next two weeks to close out the year and jumpstart 2025, so please stay tuned.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and with that - I hope you all have a Merry Christmas and Happy Hanukkah, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://blueyonder.com/customer-update

https://cyberplace.social/system/media_attachments/files/113/657/840/163/622/988/original/82b35cb45c1d73a8.png

https://www.axios.com/2024/12/10/sec-cyber-disclosure-investors

https://www.breachrx.com/cyber-rules-regulations-research-report/

https://www.axios.com/2023/07/28/hacks-breaches-public-companies-sec-reporting

https://www.bloomberg.com/news/features/2024-12-06/how-russia-linked-ransomware-hackers-bled-this-small-company-dry
