What Ran can teach us about risk: InfraRansom; Big Tech & Security is Securities Fraud; InfraEnergy; Insurance; Blast Radius; InfraGov
In a mad world, only the mad are sane
- Lord Hidetora Ichimonji
Risk Developments this letter:
Big Tech & Security is Securities Fraud
Succeed, Succession, Succumb
At the peak of his career Japanese filmmaker Akira Kurosawa embarked on an ambitious project to invert the parable of Mōri Motonari, a 16th century warlord with three loyal sons, by imagining what would happen if the sons were not loyal. Having hit upon the timeless theme of transition of power and succession, he realized Shakespeare’s “King Lear” had many parallels with, Ran, the story he wanted to tell. The result is an impressive retelling of a classic narrative, layered with Japanese subtlety with a modern perspective on a distant era. By making the story his own, Kurosawa pulled off the difficult feat of maintaining the weight and intelligence of Shakespeare while adding Eastern philosophy, modern cinematic drama and an instructive addition that speaks to today’s risks.
The most important lessons are to pay close attention to the troublemakers, don’t expect others to have higher moral standards than you would, and beware of pride. Like “King Lear” the story begins with the handing over of power from the great lord to his progeny, but in Kurosawa’s version it is sons, not daughters that are the heirs, and the lord has an explicitly violent backstory, as opposed to Shakespeare’s Lear, who is more innocent. When the youngest son speak up to criticize his father’s plan to split the kingdom, he is banished along with the lord’s loyal servant who also second guesses the succession plan. Predictably, the two remaining sons turn on their father and begin fighting for the whole of the kingdom. I’ll leave the rest of the plot and the minor characters for you to discover, but it is worth noting that Kurosawa expanded the role of the fool, an archetype we have discussed at some length before.
The lessons above are useful for more than just the personal politics of inheritance, but also geopolitics, technology and business. Success means achieving an elevated position, whether that is economic or military might, becoming the dominant platform or technology standard, or achieving a durable competitive advantage to gain market share and set prices. The corollary of success is that it makes you a target and the skills that help achieve success are not the same that maintain an equilibrium. There is then, the final problem of how to exit gracefully. Some companies manage to dominate a market, generating cash flow for years to fund entrance into new and growing markets. Some countries manage to use growth to transition to higher standards of living and alternative economic structures. Some technological standards persist across centuries despite great leaps in innovation. The norm, however, is that success is followed by failure of succession and leads to succumbing. To avoid the common path, we should take one more lesson from Kurosawa and invert his parable 360 degrees back to Motonari.
Let’s jump right in! Cybersecurity infrastructure firm Kaseya has been hit with ransomware. As a key vendor to many managed security service providers, this incident is notable not only for the brazen continued deployment of ransomware like with Colonial Pipeline and JBS, but also the scale like the SolarWinds hack. Already people are comparing it to SolarWinds, despite the impact and sensitivity of customers seems to be down a notch.
While SolarWinds is thought to be a nation state attack targeted at major U.S. Government buyers of the software, there is no evidence yet that the Kaseya incident poses similar risks, but as with any infrastructure compromise, the story will likely unfold over weeks, if not months. SolarWinds is itself, still playing out, although most of the facts that can be known seem to be known at this point, but the litigation could take years.
Here’s cybersecurity board member and industry veteran Amit Yoran on the topic:
Big Tech & Security is Securities Fraud
While we’re on the topic of security related lawsuits, here’s a story about Google shareholders suing the company for not disclosing known security vulnerabilities. Big tech seems to be getting attacked on multiple fronts, hackers, shareholders and regulators are all piling on in what could be the end for one of the most impressive business runs in history.
Here’s a deep dive on how a tech breakup by regulators might play out, and while the first salvo by new FTC Director, Lina Khan, was swatted down, it won’t be the last. The big tech breakup poses a bit of a problem for U.S. foriegn policy, as Europe and China are doubling down on their national champions. In a technology arms race for AI, quantum computing and cybersecurity, it is precarious for government to bet on yet to be founded startups, while economic rivals have no such qualms about domestic monopolies.
The other big tech news, is of course, the departure of Jeff Bezos at Amazon. Perhaps taking a lesson from Shakespeare or Kurosawa, Bezos has chosen to make his strongest lieutenant, Andy Jassy, the sole leader, which will keep power squabbles to a minimum and chart a path similar to Bezos. Still Jassy faces the enormous challenges of a big tech CEO and will have to compete vigorously against the other cloud giants, all while maintaining a culture of innovation and increasingly feeling the pressure of providing much of the internet’s infrastructure.
IT infrastructure and energy infrastructure have many similarities (high capital costs, good gross margins, oligopolistic dynamics) and a few differences (regulatory oversight, direct to customer relationships), but they are both rising in importance politically, technologically and in business.
When Koch industries upped its stake in the IT conglomerate Infor, they were making a bet on the increasing relevance between the two types of infrastructure. Now Infor is spinning off Infor’s enterprise asset management business to another industrials cum information
infrastructure company, Hexagon.
The energy space is facing a conundrum as money pours into renewables from governments and ESG focused investors, and one way to hedge against that is to bet on IT. Another way is to simply sell some oil assets, as Saudi Aramco is doing with their downstream pipelines, while still holding the critical upstream production assets.
This is all occurring against the backdrop of record renewables energy consumption in the U.S. and a proposed manufacturing tax credit for renewables manufacturing. It has long been a worry that renewables would only be cost effective given Chinese government subsidies making solar and other renewable components cheap and plentiful. American policy makers copying the Chinese playbook is a bit of a head scratcher, but given the large U.S. subsidies of fossil fuels, it may just be leveling the energy playing field. Still, if the U.S. wants to take the lead in renewable energy, it will require innovation, not just subsidies.
The Saudis are keenly aware of this, and in addition to monetizing some of their oil assets, they are investing heavily in alternative energy, with hydrogen power, being a big bet. This makes sense, especially given the synergies between fossil fuels and blue hydrogen. What makes oil so valuable is its fungibility. As a dense energy source with global utility, it can be stored and shipped and consumed with relative ease compared to coal, natural gas or nuclear. It is said that most difficult problem in energy is storage, often meaning batteries, but oil or potentially hydrogen may offer a better natural battery.
Private equity is also aware of these changes, so KKR is teaming up with Crossover Energy Partners to invest in “securing power purchase, tolling, and build-transfer agreements from customers such as utilities, municipalities, and industrial firms.” When a new technological standard is being developed, it’s best to bet on the winner, but if you don’t know ex ante whether it will be betamax or VHS, you can make plenty of money by controlling other points in the value chain.
Exxon’s has been dragging its feet for years on a clean energy strategy, so much so that ex-Blackstone activist investors were able to stage a coup. Despite taking an incredibly small stake, Engine No. 1 has so far succeeded in pushing for changes at the very top, but whether Exxon will have the appetite for renewables that Aramco does, or the foresight to get out of the way that KKR does, is yet to be seen. It’s the classic disruption/succession dilemma.
As an industry with a huge incentive to stem the damage caused by global warming, insurance has moved about as deliberately as big oil. It’s surprising that AIG has just this year issued its first ESG report, but with catastrophe losses up 17% this year after years of increases, the industry is taking notice. Part of the reticence to change is cultural, but part of it is also access to plentiful capital.
In other insurance news, the Aon-WTW merger is back on the ropes as U.S. regulators expand monopoly concerns beyond just big tech. Facing tougher regulation, higher losses and a continued low interest rate environment, insurance may have to get more creative. Part of that ties to the ESG story by attempting to control losses. There are, of course, other ways to align insurers and the insured.
The most interesting overlap between energy and insurance may be energy and technical lines. On the one hand, the customers’ ability to pay is determined by fossil fuel consumption, but on the other, fossil fuel consumption drives frequency and impact of losses. Berkshire Hathaway Specialty Insurance, which also underwrites cyber insurance, is moving into the U.K. energy market. BHSI is no stranger to complicated bets and dynamical systems. Incidentally, Berkshire Hathaway also owns one of the seven electricity distribution companies in the U.K.
This setup, with complex causal relationships and back and forth risk transfer is reminiscent of the recent Palantir story about their role in the SPAC market. As provider of private investment in public equity (PIPE) they backstop a company going public via the volatile SPAC vehicle, which may or may not deliver all the capital needed when SPAC investors choose to back a deal. Palantir, in return for capital upfront, locks in customer contracts, essentially paying themselves with part of their investment.
One way to commit to risk reduction is to pay somebody else a premium to take your risk, essentially buying oversight and a reason to take the risk seriously. It’s a trading corporate control for financial interest. Another way to buy insurance is to sell some equity to somebody else who can do something for you that will increase the value of that equity. If there is technical or organizational risk around large software implementation (and there sure is!) this is another kind of commitment device, just like insurance is supposed to be. For more on this topic, check out Byrne Hobart’s subscriber only post that he made available to everyone.
While we’re on the topic of insurance and software, let’s talk about the absolutely cratering cyber insurance market. That smoking hole in the ground is the 67% loss ratio for cyber insurance in 2020. Although it looks grim, there is one saving grace and one piece of good news related to the possible decimation of the cyber insurance market. The first good news (not so good for the insured) is that premiums are up 40%. Insurance is cyclical and buyers always flood in after the fact, so it’s not surprising, but the long term sustainability of the industry may be at risk, so it’s worth noting that premium growth isn’t keeping up with the loss ratio. Still, there’s yet more piece of good news in general, and that is that if losses are correlated with headlines and premiums are responding in kind, we may actually know more about cyber incidents than is commonly believed.
The conventional wisdom is that cybersecurity is an iceberg and there are far more incidents that go unreported or unnoticed, which may be true for the latter, but losses seem to become public if a company is insured. Where the data is lacking, however is in the granularity, and that is an issue even insurers are having difficulty with:
It is yet to be seen whether the Cybersecurity Safety Review Board is more effective, but what we can say is that incidents are less of an iceberg and more of a black box. So far, urging by lawmakers has been pretty ineffective. With few other places to turn, some insurers are taking the view that “if you can’t beat them, join them.” No insurers aren’t hacking back, but some are accepting payment in crypto.
Lastly, lets’ talk about more about IT as an industry compliment. The first industries to reap the benefits of IT were finance and media, wholly abstractions that lent themselves well to software. Besides industrials and energy, IT is also a growing complement to the public sector. This is part of the reason that a number of large government contracts have been awarded for IT, as we approach the U.S. Government fiscal year end in September.
First there was the L3Harris $3.3B contract for communications equipment to be sold to overseas partners. This may seem like a lot, and while the U.S. military has plenty of leverage in forcing allies to use compatible communications equipment, the contract is firm fixed price. Still a boon for L3Harris, especially since it had no competing bids, but high costs and limited upside belie the real opportunity for IT in the public sector.
Leidos’ $2.5B win at NASA to provide IT support is a much better demonstration of the value and power of IT in the public sector. It is a cost-plus contract with flexibility and potential upside, but selling services does entail hiring people and hiring IT with clearances can be expensive, so the gross margins may not be all that good.
Cisco’s $1.2B deal with the Defense Information Systems Agency is an even better demonstration. Although half the size of Leidos’ deal and almost a third as big as the L3Harris deal, the margins on software are far better and the flexibility on the contract to extend from one to three years provides plenty of upside. When compared to the $2B Raytheon deal for nuclear missile engineering and manufacturing, that stretches out until 2027, it seems that forging the weapons of war is a pretty poor business relative to writing code and maintaining networks.
When any old regime gives way to a new one, there are sure to be winners and losers, and the key to being on the winning side is not just being young (although that helps), but not being prideful.
Big thanks to Amit Yoran, Garin Pace, Byrne Hobart, and others for sharing your ideas!