Quantifying Ransomware’s Impact / Supply

2–21–2023 (Tuesday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and portfolio company management teams.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Tuesday February 21st, coming out of the President’s Day holiday here in the US, and Family Day in most of Canada. Long weekends and short weeks, folks.

This week’s One Big Thing is some additional data points we’ve gotten that might help us quantify the impact of ransomware, and better manage our individual and collective risks.

Let’s dive in.

Quantifying Ransomware

We talked last week about how CISA and the Department of Justice are mounting a government response against ransomware, but we have some additional data points that are useful context in understanding the impact of this threat.

In an earnings call this week, Applied Materials, with a market cap of nearly $100B, noted that a ransomware attack on one of their suppliers would cost them $250M next quarter.

Graciously, they didn’t name the supplier, but it wasn’t long before reporters were able to connect the dots and name MKS Instruments as that supplier.

What we’re seeing here is just how impactful ransomware can be - driven by two things that are core to our modern corporate structures:

1. Speed and scale of technology (including ransomware)

2. The deep interdependence of our supply chains

From a speed and scale perspective, ransomware poses such a destructive threat because it can spread, replicate, and reach entire networks in minutes. Especially when prevention, detection, and response capabilities aren’t as strong as they need to be.

Secondly, we’re also becoming acutely aware of how brittle many of our supply chains are - including “digital supply chains” that involve SaaS tools and software.

Maybe this is just the natural outcome of JiT manufacturing and the adoption of business schools emphasizing a focus on the core value proposition while outsourcing every other function, but between the strains highlighted during the COVID-19 pandemic and these sorts of attacks, we’re just not in a position to endure the volume of attacks that we’re seeing.

So, what do we do about it - particularly when things outside of our control impact our businesses?

First of all, I think it’s worth starting with a self-examination. Ensure that your own portfolio companies are operating at a level of resilience that’s appropriate for their lifecycles, and are able to reasonably defend against and recover from these attacks.

Secondly, we really do need to start investing in our supply chains. Concentration risk is a very real thing, particularly in highly specialized industries (including information technology), and I would imagine that the impact of the attack at MKS is far greater than the $250M being written off by just one of their clients.

Understanding which vendors or suppliers are critical to your business, and then working through the gameplans around how much disruption you could tolerate, what you would do in the even of an outage, and what recovery would look like is the bare minimum.

Once these critical vendors are identified, you can work to ensure that they are meeting your security and resilience expectations. Contractual clauses should be a backstop or last resort - it’s far better to encourage a vendor to up their cyber game than simply throw a new line into a contract and have to enforce it after the fact.

The big takeaway, to me, is that now more than ever - we’re in this together. We’ve got to start acting like it, because I really do think it’s United We Stand, Divided We Fall.

Fundraising

One of the smallest weeks in 2023 so far this year - only $6.4B in newly committed capital. We’ll see if things pick back up this week, but I also noted a report in the Wall Street Journal yesterday on VC funding that as an industry, they only raised $20.6B all of Q4 - and are at their lowest inflow levels since 2013.

All of a sudden, $6.4B in a week doesn’t seem so bad, right? We’re at just over $114B for the quarter, with five more weeks to go. Plenty of encouraging news.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://therecord.media/applied-materials-supply-chain-mks-ransomware-attack/

https://www.wsj.com/articles/venture-fundraising-hits-nine-year-low-c2b4774