Weekly Video: July 18, 2022
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io
This week we’re going to cover a few stories around increased oversight in cyber, and the potential outcomes of these efforts.
And we’re going to do it in 5 minutes or less.
NSO Sale a No Go
Cyber Safety Review Board on Log4j
$60B in new fundraising - last week alone
NSO Sale a No Go
News broke this week that US Defense Contractor L3Harris - the result of a 2019 merger between Harris Corp and L3 Technologies, both publicly traded at the time - would not be moving forward with their acquisition of Israeli spyware maker NSO Group.
By way of background, NSO Group produces Pegasus, a highly sophisticated iPhone and Android surveillance tool that can be deployed remotely and access nearly everything on the phone - including both data and sensors like GPS, camera, and microphone.
PE Firm Francisco Partners acquired the firm in 2014 for $130M, and sold a majority stake in 2019 at a valuation of approximately $1B.
Since then, NSO has hit a streak of bad publicity, with stories of employees abusing the technology to spy on love interests, and has also been blacklisted by the United States - making it impossible to sell into the US market.
The rumored acquisition price by L3Harris was only $150M, but there’s more to the story here that’s worth exploring beyond simply the sharp decline in valuation.
Somebody’s going to end up buying this. Without getting too deep into the geopolitics and intelligence community nuance, this toolset is still incredibly valuable to state-backed actors across the globe. It will end up somewhere, but it is still an open question as to where. There was certainly some discussion this week that it’s better to end up on the shelf at L3Harris than in China, Russia, or a developing country in Africa or South America who may use it for repression, espionage, or other malicious activities.
This highlights the very fine line between a defensive product and an offensive product in the cyber domain. There will continue to be things that are “allowed” in one use case but may draw scrutiny in others. Investors and potential acquirers would do well to think through these dynamics.
Cyber Safety Review Board on Log4j
We saw the first piece of output from the newly created Cyber Safety Review Board, established by President Biden to review significant cyber incidents and provide “advice, information, or recommendations for improving cybersecurity and incident response practices and policy.”
The review of the December 2021 Log4j event took about six months, with the first meeting taking place in February 2022 - relatively quickly for a body of this type.
The report delivered a thorough review, distilled into 19 recommendations - which is frankly more than I would’ve thought.
The recommendations come in four categories:
Address Continued Risks of Log4j
Drive Existing Best Practices for Security Hygiene
Build a Better Software Ecosystem
Investments in the Future
The model here is based on the NTSB review board that performs similar reviews of aviation incidents in the hopes that we learn and implement lessons from each crash to prevent future crashes.
The model works quite well in the aviation world - by far the safest way to travel - but requires a tremendous amount of disclosure, transparency, and collaboration between the public and private sectors.
We don’t quite have that much transparency, disclosure, or collaboration in cyber - but all indications are that this push will continue. For us, that means we need to continue to build security programs within our companies that intentionally do two things:
Define the security program with policies and procedures, so that we can build awareness and resilience in these measures to benefit both customers and investors; and
Make the most of these lessons learned and implement the recommendations as best we can.
$60+B in Funding THIS WEEK ALONE
Typically, we highlight the funding quickly at the end, but this week saw so much funding that I thought it was worth noting as a story of its own and drawing out a couple of quick implications.
According to the team at Axios, there was nearly $60B in new funds committed this week, which is good news amidst these economically uncertain times.
But from a cyber perspective, it means we’re going to continue to see new growth-stage companies getting the funding they need to grow - and that we need to remain diligent in using cyber to secure that investment.
Indeed, the real reason we invest in cybersecurity in these companies is to enable that growth - a cyber incident is going to distract our senior and technical leaders, flatten our growth curve for a quarter or two, and likely impact our valuation at the next transaction.
Best of luck to all the funds with new capital to deploy.
You can find all the links to the stories we covered below, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
LINKS:
https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
https://www.theguardian.com/us-news/2022/jul/10/us-defence-firm-ends-talks-to-buy-nso-groups-surveillance-technology