Mid-size companies are increasingly the target of ransomware bad actors. OV Partner Joel Kline notes that PE and VC firms should understand that their portfolio companies are not immune from ransomware simply because they are smaller companies.
“Ransomware companies are increasingly targeting mid-size firms backed by PE or VC”, Kline said. “Mid-size firms lack the global reach, political clout, and law enforcement connections that large firms leverage during ransomware attacks or threats.”
According to a recent March 1, 2022, article in The Wall St. Journal by Richard Vanderford, the payouts for these mid-size companies average about $1 million. “That’s an unhealthy medicine to swallow”, Kline noted. “That’s $250k that could have been allocated to better IT protection and $750k that should be used for other growth purposes. Even if you have insurance, it’s a spike in your insurance and a suspension of operations when time and money are critical.”
The Wall St. Journal article states, “After a spate of strikes against so-called ‘big game’ targets such as the 2021 attack on Colonial Pipeline Co., ransomware groups started striking smaller targets, according to a report published in February by the Federal Bureau of Investigation, other U.S. agencies and counterparts in Australia and the U.K.”
Kline said that ransomware has upended the popular idea that making the data more expensive to breach is the answer. Known as Poulsen’s Law, it is a common cybersecurity principle that states that information is secure when it costs more to get than it’s worth. This is a great principle to fight intrusion and data breaches. However, it’s really hard to apply this to your whole system with the expectation that everything stops working. With ransomware, you’re talking about employees who cannot do anything productive due to lack of access to the tools and information they need to do their job. That’s much different than compromised data.
The Wall St. Journal article also states, “Some investors now are pushing for better cybersecurity practices across their portfolios… ‘This housekeeping from a cybersecurity perspective needs to be done—before you’re on the radar, before you announce a large round of capital—because at that point in time, you will become a target,’ said Ruth Foxe Blader, a partner at the venture-capital firm Anthemis Group. ‘We see this emerging risk as something that all companies are going to have to become much more aggressive about.’”
The Wall St. Journal article also quotes Richard Peters, a cybersecurity expert at consulting firm UHY LLP, who described a mid-sized client who was attacked. “Because of the M&A and because of the publicity around that, it became a better target.” Peters went into more detail regarding bad actors and mid-size firms, “They’re watching. They know what’s going on in the news as well as any businessman out there. While hacks involving large, deep-pocketed targets draw the most public attention, ransomware groups are targeting midsize companies that have, or are about to have, a deep-pocketed owner like a private-equity firm. A newly acquired company typically has access to more ready cash, tends to have less robust cybersecurity, and may offer a backdoor into the acquirer’s systems.”
OV Partner Kline noted that in the article Jeremy Swan from CohnReznick identifies deal targets as “low hanging fruit”. Deals are promoted and publicized, and this paints a target on companies in the deal. “When you promote a deal, you are validating that a mid-size company has value and has money, which makes them attractive targets for cyber-attacks.”
Kline said three strategies are critical. The first is cybersecurity insurance, although this is a financial hedge, not an operational choice. Another strategy is to develop relationships with cybersecurity or IT firms on behalf of your portfolio. This is nothing new. You have partners to help your portfolio companies with marketing, legal, operations, strategy, etc. Now you simply need to add a cybersecurity firm. The final strategy is to conduct an audit to understand the risks and vulnerabilities for each portfolio company. Knowing what’s at risk can help you develop cybersecurity strategies to minimize those risks.