Weekly Video: August 29, 2022
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.
This week, we have three stories that tie together with the idea that in cyber, what happens internally likely won’t stay internal for long. How do you make management and leadership decisions in a hyperconnected world?
And we’re going to do it in 5 minutes or less.
Mudge vs. Twitter
Lloyd’s vs. Nation States
Follow-Up: Okta
This week I’m going to lead with the bottom line:
your companies need to have fundamental cybersecurity controls in place;
leadership - including the board - should be regularly briefed on these efforts and associated challenges; and
companies must be ready to handle incident response in a public-facing way. The days of keeping things quiet and handling them internally are gone.
Mudge vs. Twitter
By far the biggest story of the week centered around the whistleblower report from ex-Twitter security lead, Peiter Zatko, aka Mudge, who was fired from Twitter in January.
The stated reason was poor performance, but the fact that he had been raising these security issues to executive leadership and the board likely had something to do with him being shown the exit.
Here’s what’s important for us to take away from Mudge’s story in the context of private equity investing:
Boards are going to play an increased role in managing cyber risk for their companies. When issues are raised, they need to be addressed. If not, they’re likely to result in incidents and breaches or public conflict like this.
CNN noted that a big point of conflict for Mudge centered on leadership, particularly the new CEO Parag Agrawal, who “discouraged Zatko from providing a full accounting of Twitter’s security problems to the company’s board of directors.”
CNN notes “The company’s executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company’s security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko’s back to have a third-party consulting firm’s report scrubbed to hide the true extent of the company’s problems.”
These are very serious allegations, and it’s worth noting that regulators are already looking to address this issue - NYDFS is currently proposing amendments to its Cybersecurity Regulation that would require CISOs to provide written reports to the Board for just this reason.
The extent of the security weaknesses at Twitter - if true - is stunning, ranging from poor security hygiene and missing best-practice controls to existential challenges such as capitulating to the hiring of foreign intelligence service assets and being unable to restore the core functions of the service.
Regardless of how this plays out, things clearly haven’t been well managed from a security perspective for quite some time, and it highlights just how critical prudent management of the people, processes, and technology that secure our investments is: Twitter’s stock price is down nearly 40% over the last 12 months.
Beyond that, it also demonstrates the power of Public Relations and Crisis Communications. Twitter’s tactic here has been to paint Mudge as a disgruntled poor performer, which isn’t playing particularly well in the security community.
Lloyd’s vs. Nation States
Insurance giant Lloyd’s has released a bulletin indicating that starting March 2023, all cyber insurance policies “must exclude liability for losses arising from any state-backed cyberattack.”
While this move is clearly targeted at cyber war - avoiding being stuck with the risk generated by any of the geopolitical conflicts across the globe that could have cyber implications - the language may be seen as overly broad, and some are suggesting it could result in dramatic shifts for the cyber insurance market.
It will also open the can of worms that is attribution - who was actually behind an attack. Threat actors can disguise their identities and true motivations in any number of ways, and it is unclear who will make the determination of “state-backed” activity, which is also further muddled by the fact that many threat actors are loosely affiliated with governments (tacit or explicit).
The insurance market, already adjusting to higher premiums, larger deductibles, and reduced coverage, will now have to adapt to this additional requirement, which will likely be in place by next year’s renewal cycle.
Businesses, on the other hand, are working hard to manage down cyber risk themselves, particularly as it gets harder and harder to effectively transfer that risk.
‘0ktapus’
Last week, we covered some supply chain attacks, and highlighted how they are now growing more complex - breaching one or more external organizations in order to gain access to the actual target.
This week, threat intelligence researchers at Group-IB shed more light on the threat actors we talked about, indicating that they have actually used their attack against Okta (hence the fancy moniker of ‘0ktapus’) to target over 130 organizations in industries ranging from legal to video games to education and even retail.
It’s likely that we’ll continue to see the fallout from these attacks - there are still over 100 companies that have yet to publicly disclose their breach - and it brings a renewed spotlight on disclosure requirements (like the SEC’s proposed cyber rules and the draft NYDFS amendments, among others).
The bottom line here is that your companies need to have fundamental cybersecurity controls in place, leadership - including the board - should be regularly briefed on these efforts and associated challenges, and companies must be ready to handle incident response in a public-facing way. The days of keeping things quiet and internal are gone.
Fundraising
The dog days of summer are coming to a close, and especially at the end of August, activity slows as we head back to school and into a long weekend. We’re seeing that slowdown this week in the fundraising numbers - capping out at $1.6B in newly committed capital.
We’ve had a run of big weeks, so let’s not over-index this dip (even if last week was 10x this volume, two weeks before that was 20x, and three weeks before that was nearly 40x). Remember, it all adds up as dry powder to help these companies grow.
Best of luck to all the funds with new capital to deploy.
You can find all the links to the stories we covered in the comments section, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
LINKS:
https://riskybiznews.substack.com/p/risky-biz-news-explosive-whistleblower
https://www.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html