What Othello can teach us about risk: Security M&A; Cryptovirology; Insurance Deal of the Future…; Cyber & Insurance & Credit; Fundraising Climate
... behold, what innovation it makes here: I am unfortunate in the infirmity, and dare not task my weakness with any more.
- Cassio (Othello,2.3,1171-1173)
Risk Developments this letter:
Insurance Deal of the Future…
Cyber & Insurance & Credit
Ideology is What You Buy
Othello is most famously known as a story about revenge and jealousy, and it is true that Shakespeare was a master of depicting emotion, but more powerful than these twin evils are the structural elements which manifest themselves as evils, when these elements are trusted to the wrong people. Revenge is based in innovation and jealousy in reputation. These elements have positive manifestations too, progress and trust, respectively, but what transforms the amoral structural elements into good or bad is character.
The quote at the top of this week’s letter takes place at a critical juncture in the play. For a full synopsis, see the wikipedia link. For our purposes, all you need to know is that Othello, a famous Moorish General has come to save Venice from the invading Turks, and in the process, fallen in love with a Venetian, Desdemona. In making his preparations for battle, he passes over one of his lieutenants, Iago, for promotion and chooses Cassio instead. Iago sets a plot in motion to deceive Othello into believing that Cassio and Desdemona are having an affair. His first moves is to get Cassio into a fight that loses Othello’s trust. To do so, he takes advantage of Cassio’s weak tolerance for alcohol. The “innovation” Cassio speaks of is the trick of peer pressure that Iago uses. In modern language, we would say, “Just one more drink. Everybody else is doing it.”
Before innovation was a buzzword, it was taboo. To create change, to renew, to disrupt the order of things, was a bad thing in a hierarchical world where it was thought that God created a natural order that must be maintained. Cassio is not complimenting Iago’s ploy, but bemoaning the not-so-novel tactic that reinterprets expectations and etiquette in a way that causes Cassio to fail what is expected of him and act in a manner unbecoming of a military leader.
Reputation therefore plays a key role in Othello. Not just Othello’s impressive military reputation as a general (he wins Desdemona with his tales of heroism and hardship), but also Cassio’s reputation for loyalty and faithfulness to his post, his men and his commander. Iago masterfully exploits reputations, both Othello’s, Cassio’s, Desdemona’s and others to set rumors swirling and cause good people to act in bad ways to maintain their reputations.
This is where ideology comes into play. Innovations are always a twist, they are not born ex nihilo. They are a play on ideology, a way of channeling beliefs that exist into a future that does not yet exist. Reputation is key in this channeling, since people seek to maintain their identity or identities and can be compelled to do unnatural things to maintain them. One way to understand people’s ideology is their tolerance for buying certain truths. Iago mastfully works the belief systems of his adversaries, convincing Othello to buy his story of Desdemona’s infidelity, Desdemona to buy his story of Cassio’s victimization and Cassio to buy his story of Desdemona’s power over Othello. Each of these stories has a grain of truth that is embedded in the beholder’s system of ideas.
So too are risk managers observing grains of truth embedded in our own complex web of ideas about how the world functions, what economic truths dictate the behavior of markets and what scientific advances will cause changes in technology. Many projects have failed due to clever stories of innovation that get sold to defend the reputations of honest men (and women).
Lots to catch up on since I last sent out a letter… so let’s get to it!
The buyout boom continues in security, although it’s hard to say the security industry is exactly consolidating as the rate of new startups continues to outpace exits. Since acquisition targets usually have to reach a certain scale to be of interest, this makes the security startup pipeline kind of lumpy. Still, there is plenty of action taking place.
The biggest deal, at the far end of the pipeline, is a potential $8B merger between the formerly Symantec, now Norton LifeLock and Avast, the European antivirus maker. Given that Avast is U.K. based, this announcement carries a bit more weight, as regulatory filings across the pond are made at a slightly more firmed up stage. Symantec has routinely turned to acquisitions to supplement their R&D, keeping their product competitive in a fast evolving space, but with the footprint of Avast’s European customer base, this is also a way to buy growth.
A slightly smaller deal is Microsoft’s acquisition of RiskIQ for over $500M. RiskIQ’s technology scans publicly available information about websites to monitor phishing, fraud and malware. It’s a nice capability for Microsoft, which has both customers to protect and vested interest in proactively identifying threats before their software becomes a vector for attackers. The recent Microsoft Exchange Server hack, attributed to Chinese affiliates, is just one example of where better outside-in scanning could be helpful. Microsoft is not picking up many new customers, or even much unique intellectual property, so much as a completely constructed machine that they can integrate into their already impressive security suite. Whether for national security or bundling purposes, it’s an acquisition Microsoft can easily afford to make, and probably can’t afford to miss.
Lastly, two XDR (extended detection and response) acquisitions round out our M&A discussion. Rapid7, long time hacker darling, and owner of Metasploit, is acquiring IntSight, an Israeli cybersecurity firm, with capabilities to ingest dark web intelligence alongside more traditional threat feeds, for about $335M. Adding more context and external data to threat and vulnerability scanning tools should help keep Rapid7 at the front of the pack, and with their roots in penetration testing software, they will continue to champion the outside-in approach to cybersecurity. CyberReason acquired empow, another Isreali startup, for an undisclosed amount, but CyberReason, is flush with cash from their last funding round, a whooping $275M. CyberReason competes in the aforementioned endpoint detection space, a highly competitive market. Adding empow’s capabilities to integrate with other IT vendors should increase lock-in and help sell into complicated corporate networks where previous IT choices can create integration bottlenecks and barriers to entry.
Excellent political commentator Bruno Maçães has a piece about the weaponization of cryptography. It’s a good look at how secrets are a double edged sword and a reminder that its flip side, convenience, can be equally as destructive.
This is true in the case of Morgan Stanley’s recent data breach, a relatively minor incident as most customers were not affected. Still, the tragedy of the commons is a tragedy not because key individuals lack character, but because the many accumulated actions of players that cannot escape their fates.
While on the topic of public goods and fated action, it’s a good time to discuss this article about the demand for ransomware negotiators within the cybercrime ecosystem. As in most industries, the client facing roles grow to take more of the economic pie.
… a typical ransomware attack comprises four stages: malware/code acquisition, spread and the infection of targets, the extraction of data and/or maintaining persistence on impacted systems, and monetization.
The code acquisition piece is simple procurement and a buy/build decision. Infection is the highly value added piece, like finding product-market fit or cracking a tough technical problem. Once that is achieved extraction/persistence is like achieving scale, giving a new meaning to the term “growth hacking.” Finally, monetization is going through an evolution, like when the founder stops doing sales. More middlemen, more sophisticated pricing and a better informed customer are turning this role into enterprise sales.
Payments and Crypto
Plenty of payments and cryptocurrency news of late. Mastercard made big moves by announcing their intent to enable payments with stable coins like the USDC (U.S. digital currency). Not to be outdone, Visa announced that $1B of cryptocurrency transactions have taken place on their systems in the fist six months of the year. In other Visa news, endpoint protection company McAfee announced a partnership with Visa business cardholders.
Payments systems are the arteries of our economic system and like any complex system, a change in one part of the system can cause ripples elsewhere. The advance of cryptocurrencies and cybersecurity will continue to advance together and payments companies, both exposed to risks and best positioned to take advantage of changes have large reputations to defend. Whether they will see their reputations as a liability and innovations as unnatural disorder is up to them.
Cyber & Insurance & Credit
There are a lot of fun combinations of these three words. Cyber insurance. Cyber credit score. Insurance credit rating. etc. This story managed to get all three of these risk topics into one headline. We know that equity analysts are nonplussed about cyber risk, and if you believe most of the value of a company is in locked up in it’s terminal value, as equity analysts often do, this makes sense. Credit, however has yet to determine a consensus point of view. Here’s my glib list of people who care about cyber:
Kelly Shortridge @swagitda_Do public stonk markets actually care about cybersecurity? The laws of both Betteridge and Shortridge say no. My new post examines two new papers providing even more evidence of this reality and I am hopeful people will finally stop pretending otherwise: https://t.co/4QzDqktuQt
Maybe we should be adding lenders to the list on the left. Ratings agencies don’t make the rules, but they do shape norms…
The Insurance Deal of the Future…
Clean tech fundraising is on fire with all the big PE funds hitting the circuit to raise mammoth amounts of capital to ride a confluence of tailwinds. The three tailwinds are public sector, technology innovation and industry disruption.
After a though four years, the Biden administration is signaling major investment in infrastructure that might be some shade of green and alignment on international climate norms. Congressional Democrats are looking to boost the profile of FERC (Federal Energy Regulatory Commission).
There is also, of course, technological disruption. As energy companies become more internet connected, risks rise and, because security is a property of a system, the whole thing has to be thought through from first principles. This means both unexpected CapEx and increased OpEx for legacy providers. Bad news for fossil fuels and a potential opportunity for renewables.
The difference between the first Green Bubble and today’s boom is that government led the first and the private sector is leading today’s. The world’s biggest asset manager, Blackrock raised $250M for emerging markets focused climate investments. Private equity giant KKR is partnering with Crossover Energy Partners. Carlyle is launching a renewables energy unit.
When bubbles repeat themselves, it’s usually worth noting. Insofar as innovation is mimicry, the bootstrapping process of creating a new belief system requires the production of reputation out of thin air. That process is usually tragic, always comedic and eventually inevitable.