Weekly Video: November 14, 2022
11–14–2022 (Monday)
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.
Today is Monday, November 14th, and what a week it’s been. So much news that we won’t even have a single comment on this past week’s midterm elections here in the US.
Let’s get to the stories:
Medibank Update
Twitter (Again)
FTX (Of Course)
Medibank Update
Australia appears to release the hounds. After Medibank leaders refused to pay the ransom, noting that payment offered no guarantee the data would not be released anyway, the threat actors, of course, released the data.
But they did so with malice, crafting a “naughty list” of people whose medical records showed substance abuse, abortions, or other medical procedures.
As a result, Australia has come out swinging, including setting up "a permanent standing operation" made up of 100+ personnel from the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) that will "scour the world" and "hunt down the criminal syndicates and gangs who are targeting Australia in cyber attacks and disrupt their efforts."
Time will tell how this plays out, but between the Ransomware Summit at the White House last week, and this effort from a fellow Five Eyes country with significant investigative and cyber capabilities, we may be seeing the start of the turning tide.
Twitter (Again)
While it’s been tempting to focus on the slow-motion car crash of the firings and blue checks and other missteps from the past week, I think it’s most relevant for us to focus on the coordinated overnight departure of the security and compliance functions: the CISO, Chief Privacy Officer, and Chief Compliance Officer all resigned overnight, and did so while the company is under an active consent decree from the FTC relating to its “comprehensive information security program”.
This decree requires them to notify the FTC of changes that might impact customer security, and now Twitter wants individual engineers to self-certify that their code is compliant with the decree. Reports are that Elon’s personal attorneys are telling the engineers that’s okay. I dunno.
The FTC Director of Public Affairs noted ominously: “We are tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.” Reports from Elon’s lawyer are that “Elon puts rockets into space, he’s not afraid of the FTC.”
Remember, this is an agency that has recently targeted individual CEOs with requirements that stretch to any company they lead, meaning that there’s actually the potential for spillover to Tesla, SpaceX, Neuralink, and the other companies here, not just Twitter.
Reports indicate that the security team was given a single overnight period to review the new “verified” blue check implementation, and that none of their recommendations were implemented prior to Twitter Blue launching. Of course, brand and celebrity impersonation ran rampant, mostly in parody and comedy-focused exchanges, but clearly lots of people are not happy about this, and the rollout of the feature stumbled, at best.
FTX (Of Course)
I saved it for last not because it’s the best, but because if I started with it, there wouldn’t have been room for anything else.
From our perspective, here’s what I think we need to take away from FTX’s spectacular collapse:
Governance remains critically important, and boards are going to have even more of a spotlight pointed at them in terms of risk management.
Regulation is coming for crypto. $1-2B in missing client money will tend to do that. Remember that FTX was based in the famously under-regulated Bahamas, but that won’t stop regulators from making their stances known.
Threat actors love to use distractions, as evidenced by a reported $473M hack that took place while FTX was busy trying to move the remaining assets into a multisig cold storage wallet.
We’ll learn much more over the coming week(s), and should absolutely watch this space.
Fundraising
Another relatively small week for funding announcements, coming in at about $4.5B in newly committed capital. It’s hard to extrapolate anything too meaningful from this number; raise announcements are a lagging indicator, of course, since the process is often longer than anyone would like.
I do think it’s a bit of an open question as to whether we are going to fizzle or flourish as we get towards the end of the year here. Stay tuned!
You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
Links
https://www.theverge.com/2022/11/10/23451198/twitter-ftc-elon-musk-lawyer-changes-fine-warning