The MOVEit Saga Continues: What Lessons Are Left to be Learned?

6–26–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday, June 26th.

This week, we’re still on MOVEit - because it’s really the story that just keeps on capturing the attention of the cybersecurity media cycles here in the US.

Still talking MOVEit:

Let’s start with a quick review of the impact: The victim count is now at 85, and heading higher. New additions to the list include PwC, Ernst & Young, Medibank, Metro Vancouver Transit Police, and Norton LifeLock.

Parent company Progress Software is already facing their first (likely of many) federal lawsuit, this one stemming from the loss of Louisiana DMV data.

To date, we’ve been talking about the impact on the victims of the MOVEit incident. And, for the most part, we’ve talked about what you can do as a business to moderate the risk inherent in using third party providers:

  • Maintain an accurate inventory of the vendors and systems that you use.

  • Ensure that you’re aware of any issues relating to those vendors or systems (also known as threat intelligence).

  • Be able to respond quickly when incidents do occur.

  • Limit the data shared with these systems - potentially the types of data and the volume of data, but also the length of time that data is kept there. Data retention policies continue to be a critical tool here.

But we can’t keep re-treading the issues here. It’s all been said, and by now, your portfolio companies are either going to put these best practices into use within their enterprise or they’re not.

I think what’s more interesting to talk about now is not the impacted “victim” side of this equation, but what it’s like from Progress Software’s perspective.

Let’s remember here, again, that they too are victims of a foreign criminal syndicate who has exploited a weakness in one of their products. They’ve had to do their own response activity, including issues we’ve talked about here at length: communication and updates.

The long tail of this incident is only just starting to become clear with this first lawsuit, and surely more will follow. Progress Software, the parent company of MOVEit, has a bit of an interesting history as to how they got into this position.

MOVEit was originally released way back in 2002, and acquired by a company called Ipswitch in 2008. The cloud version launched in 2012, and in 2019, Progress acquired Ipswitch for only $225M.

Progress has a long history of acquisitions, and - in fact - was trading at an all-time high before this issue was discovered. Share prices have since dropped about 11% - which now represents a bigger drop in market cap than Progress paid for Ipswitch.

These aren’t the only metrics that matter, but they’re certainly worth looking at. Progress has upcoming earnings calls and other public filing requirements that will help us get a better sense of things, and this is yet another situation where one imagines the SEC’s forthcoming cyber disclosure rules will begin to have some teeth.

At this rate, MOVEit continues to be a valuable case study of just what might happen if you, or your vendor, find yourselves in the crosshairs of ransomware gangs, and how far that impact can really extend.

It’s likely not a coincidence that the US Department of Justice has announced a new National Security Cyber Section, within the National Security Division, charged with dealing with “nation-state threat actors” (like China) and “state-sponsored cybercriminals” (like Russian ransomware gangs).

Fundraising

We spend a good amount of time talking about fundraising in this portion of the updates, but it certainly feels like the other end of the funnel is starting to move.

Just this morning, IBM has announced that they’ll be acquiring Apptio for $4.6B. Recall that Apptio had IPO’d in September of 2016, but was taken private by Vista Equity Partners two years later for $1.94B. That’s a pretty solid Internal Rate of Return for Vista on that one - more than doubling their investment in just under 5 years - a pretty typical PE hold period.

We’re also seeing Private Equity portfolio companies come back onto the public markets, with EQT’s Kodiak Gas Services and Ares Management’s Savers Value Village both targeting an IPO this week (with Value Village at a surprising market cap of $2.8B).

We’ll see if these trends continue through the summer - typically a slower time in Financial Services, particularly August - but a space to watch, for sure.

Meanwhile, we saw just over $5B in newly committed capital spread across 11 raise announcements, with Wellington Management topping the list at $2.6B for their late-stage VC fund - seems well-timed, as late-stage companies are likely in a capital crunch that could yield some good discounted pricing for those Wellington investments.   

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://www.cybersecuritydive.com/news/progress-software-federal-class-action-moveit/653505/

https://www.prnewswire.com/news-releases/apptio-enters-into-definitive-agreement-to-be-acquired-by-vista-equity-partners-for-1-94-billion-300748088.html

https://www.barrons.com/articles/lithium-albemarle-ceo-kent-masters-484e4243
