Expect Phishing Scams
Like the click-bait-ish title I gave to this blog, recent news events are almost always used as part of phishing attacks. As other banks have experience difficulties, expect phishing scams to include mentions of recent bank failures. This makes for a good topic to phish for online banking credentials. Look out for lines like: “This is the FDIC, and you must claim your $225k deposit insurance within 24 hours,” or “This is your bank, and we are closing. Log into your account here to wire out your money while before deposits are exhausted...” For most individuals, this is the link they’ll most likely see between this event and cybersecurity.
Pressure on Already Cash-Starved Security Startups
Before last week, cybersecurity startups were already cash squeezed. Allvue reports that venture capital levels dropped from $74.5B in Q3 of 2022 from a high of $178.2B in Q4 of 2021. As investment dropped, startups withdrew more cash from reserves to continue operations. Reports estimated that half the startups in the Bay Area had their accounts with the one bank. Richard Stiennon over at ITSecurity Harvest estimates that there are approximately 116 cybersecurity startups in the San Francisco Bay Area.
The bank collapse and the general venture capital situation has put cybersecurity startups in a three-fold pinch: shortening their ‘runway’ as they spend cash that is not being replaced, interruptions in access to funds as they take action to recover or move funds to more accessible banking options, and having less financial flexibility unlike that enjoyed previously when both the investor and startup had their businesses in-house at the institution. I expect this to accelerate the rate of start-up acquisitions (probably in unfavourable terms), or outright closures. It’s a good time to have a conversation with your smaller cybersecurity suppliers to see how they are managing and if they are actively downsizing. Have a continuity plan should any of them be acquired or close.
Disruption Usually Means More Vulnerability
Let’s start by acknowledging that banks (the large ones) arguably have some of the best cybersecurity in the world. Midsize and smaller banks are still on the right side of the bell curve of security, but there are differences when compared to their larger peers. Banks are tempting targets because they have one of the most tempting assets: money in large amounts that is electronically transferable. Business and technical disruption always creates more vulnerability, and therefore more risk. Whether through being acquired, having to cut costs, or the increased business pressures the recent closures have brought, smaller banks are very likely at higher risk and will have to try and step-up risk management efforts in the near term.
A Not-Surprising Cybersecurity NexusIn the thousands of companies I’ve advised, I haven’t yet found a company that had great cybersecurity and really poor operational management. In a New York Times article a few days ago titled Before Collapse of Silicon Valley Bank, the Fed Spotted Big Problems, Jeanna Smialek wrote:
“The picture that is emerging is one of a bank whose leaders failed to plan for a realistic future and neglected looming financial and operational problems, even as they were raised by Fed supervisors. For instance, according to a person familiar with the matter, executives at the firm were told of cybersecurity problems both by internal employees and by the Fed — but ignored the concerns.”
The takeaway is that troubled banks are targets for attackers. Combine this with the above-mentioned point that disruption usually means more vulnerability, it adds more weight to banks already under the new pressures the banking disruption has caused them.
Another Supply Chain Lesson
Suddenly within the last few years supply chain security has become a top-level issue for CISOs. Supply chain is really about resilience. Supply chain security is composed of two domains: digital supply chain security like what we saw with the Heartbleed vulnerability, and non-digital.
We saw some non-digital issues surprise us during the start of the COVID pandemic. Staff not being to get access to buildings where they had to perform hands-on security tasks, and increased risk when employees went remote. The supply chain lesson with the bank closures was widely reported as a surprise to both the banks and the startups that used them. It bears repeating that disruption usually means more vulnerability.
From Risk to Resilience
IT and business decisions made in haste or when under pressure can be disruptive. These recent bank closures highlight that almost all business events now have a cybersecurity nexus: business risk and cyber risk are indelibly linked. Classic risk management alone is not enough, and a risk management approach focused on resilience is what is required.
To learn more about cyber risk management, check out these resources: