ISMG Editors: Will SVB Crash Kill Cybersecurity Innovation?Also: Blackbaud Fined; DOJ Reproaches Federal Contractor for Lax Security Anna Delaney (annamadeline) • March 17, 2023
In the latest weekly update, four editors at Information Security Media Group discuss how the Silicon Valley Bank crash will affect innovation in the cybersecurity space, why the SEC fined cloud provider Blackbaud $3 million for providing "erroneous" breach details, and why the federal government fined a web hosting firm in a kids' insurance site hack.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Michael Novinson, managing editor, ISMG Business - discuss:
- How last week's sudden downfall of Silicon Valley Bank - the second-largest bank failure in U.S. history - may affect access to capital and innovation in the cybersecurity industry;
- How Blackbaud, a company that provides fundraising and customer relationship management software tools, has agreed to pay $3 million to settle a Securities and Exchange Commission probe in relation to a 2020 ransomware attack;
- How Jelly Bean Communications Design, a web hosting company based in Florida that managed a website for children on the Children's Health Insurance Program, will pay nearly $300,000 to settle allegations stemming from a 2020 hacking incident that revealed the personal identifying information of hundreds of thousands of minors.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the March 3 edition, which discusses how the U.S. Supreme Court may limit the identity theft law, and the March 10 edition, which discusses the new U.S. national cybersecurity strategy.
Anna Delaney: Hello, and thanks for joining us for the ISMG Editors' Panel. I'm Anna Delaney, and here on a weekly basis, we discuss and debate the top information and cybersecurity news stories and trends that you need to know about. We are a merry gang today with Mathew Schwartz, executive editor of DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and Michael Novinson, managing editor for ISMG business. Glad you could all join me.
Mathew Schwartz: Thanks for having us.
Delaney: Michael, let's start with you this week. For some time now, financial pundits and commentators have been predicting turbulent economic times. And we certainly had a taste of that, at the end of last week going into the weekend, with the collapse of Silicon Valley Bank. And of course, reading the headlines today as well, we see the impact on the global markets. So whilst this might not be repeat of 2008, it certainly has echoes of the panic of that time. So for now, take us back to last week. Recap events. What do we need to know? And, you know, how does this impact the cybersecurity industry?
Michael Novinson: Absolutely. And thank you for having me. So as you alluded to, this is the second biggest bank failure of all time in the United States behind only Washington Mutual, which was indeed back in 2008. So Silicon Valley Bank, for our global audience, it's the 16th largest bank in America, little over $200 billion in assets. And so what had happened was that with the economic boom in 2020-2021, they got a ton of money flowing in. They're really focused on serving the startup community, particularly technology startups, as well as the venture capitalists that back them. So when there was a lot of funding flowing into these companies during the 2020-2021 days, the amount of deposits that SVB had, skyrocketed. What they ended up doing because it's a low interest rate environment is they put the money into long-term bonds. Lot of the money got locked in. So the first was with the rising interest rates, the concentration of their investment in the long term bonds, left them at a curious situation. And then with all of these startups not being in a position to raise money because the economy wasn't as good they would have needed to take a hit to their valuation, all of these startups started taking more money out of the bank. So this left SVB with a bit of a precarious situation around deposits. So last Wednesday, a week ago, they went in and they attempted to raise a little over $2 billion by issuing stock. They put out a release on this. People panicked. SVB maybe didn't do a good job of communicating the reason that they needed the additional money. So what you saw last Thursday was just a massive run on the side. DCs were directing their portfolio to companies to pull all their money out. The stock plummeted. A week ago Friday, the shut it down essentially. They didn't have enough money to continue operating. So you had this really nerve-wracking situation for startups in cybersecurity and elsewhere for about 90 hours or so. So, the way it works in the U.S. is in last year one of the big four banks Chase or Citibank or Bank of America, or Wells Fargo, if you're anybody else, the good thing is you didn't have as much regulation. But the bad thing was that your customers' deposits were only insured up to $250,000. Anything beyond that was uninsured. The reason this is relevant here was in order for startups to work with SVB is the terms of their contract. SVB required them to consolidate all of the banking there. So these startups had all of their money with SVB. But we're in a situation where it wasn't clear if they would defer when they would be able to get anything beyond that first turn $50,000 back. So people were panicking, there was really a question and two, because the 15th of the month is often the day that employees in America get paid. So there was a question, will companies be able to make their payroll, will they have to sell off assets, or lay people off for finding alternate source of funding. So it was a really nerve-wracking period until about Sunday evening, when the U.S. government came forward, it did two very important things. The first is that they agreed to make depositors whole not only it's Silicon Valley Bank, but also it's Signature Bank, which is a bank out of New York that failed on Sunday. They do a lot around cryptocurrencies, but they do actually have some cybersecurity services, customers as well. So they told depositors that don't come Monday morning, you can take all of your money out, you have access all of your money. So that was a sigh of relief. And then the second thing which they did is they provided a federal backstop, meaning that for any other particularly a regional bank, who was worried about having a run at this, the government said that you can have access to our liquidity. So anybody who comes to you and says, I want to take my money out that the bank would always be able to meet that need, which was essentially a way of preemptively trying to stop a bank run folks taking their money from these regional banks, where the word deposits might be uninsured, to the larger national ones, where the deposits will be fully insured. So in the United States, it's really did have the intended effect. First Republic, I had their stock sank, because they did take advantage of the liquidity from the Federal Reserve, but then their stock recovered on Tuesday. Globally, it's a bit of a different story, as you were alluding to Anna. We do see Credit Suisse today that are based out of Switzerland. So they're in a different regulatory structure. They've had backing from the Saudis. And I know that Saudis have indicated they're not looking to continue to back them. So that's a bit of an uncertain situation, which is affecting the global markets on Wednesday. I think the thing to watch, in terms of cybersecurity startups, the short-term crisis is over, everybody has access to their money, that's not an issue. The longer-term question really remains around access to capital. And in particular, for early stage startups who are losing a lot of money, perhaps don't even have a product in market yet. What was unique about Silicon Valley Bank is that they were very willing to extend credit lines are essentially pools of money that companies could tap into companies who really didn't necessarily have had a proven business model or revenue stream yet. And so the question now becomes for these essentially early stage startups who use these kind of rainy day funds as a contingency fund and use the money from the venture capitalists to fund day-to-day operations, but then in case of emergency brake class, they would then take the money from the private line that they got from SVB. So depending on who ultimately buys SVB is been run by the federal government right now. But federal government is going to be in the banking business. So at some point, it's going to get sold and in all or in part. So then the question really becomes what's their attitude towards extending credit lines to seed a Series A startups? And if whoever the eventual owner is, is less willing to do that. How do these companies make sure that they have enough capital in case of emergency to the VCs just make larger rounds, to try to either alternate institutions that step forward? So that's really from the standpoint of the cyber industry, the thing I'm watching for and going forward.
Delaney: That was an excellent summary of events, Michael, and what's the chatter in the cybersecurity community? Do you think they think this will stifle innovation in the space?
Novinson: I think there certainly is a fear that SVB was just very unique, I mean, just in terms of the ease of working with them, and then the willingness to make deals that conventional banks when because conventional banks, it's they just have different views on risk. When the economy is moving, they have a greater risk appetite, when the county's contracting, then they are under orders to take a more conservative approach, which means essentially just ditching the startups. So the difference with SVB is that there are always startups that are so central to their business, that they're willing to work with them on both sunny days and rainy days and try to make deals with them. So yeah, I think there is concern I know about the new CEO who was put in by the FDIC is signaling to them, the VCs, like it's up to you like, what you do the next week is going to determine whether we survive or not. Do you tell your portfolio companies to put money back with us if they withdrew it or do you just cut and run? Because if deposits are fractional, if they used to be then it's not an appealing asset to buy. So, yeah, I think certainly people are relieved that they have access to their money. But I think there are questions in terms of what does this mean for companies that are just kind of getting off the ground in the early part of that incubation phase.
Delaney: Sure. Well, we knew events like these changes by the minute, but for now, that's excellent reporting on the topic. Thank you, Michael. So Matt, you are looking at an SEC ransomware lawsuit this week. So Blackbaud, a company that provides software and cloud hosting solutions for K-12 schools has agreed to pay a $3 million fine to settle charges in relation to a 2020 ransomware attack. So as the reps of ransomware reporting, what do we need to know about this?
Schwartz: Well, this is a fascinating case, as you say, it came to light in 2020, in July 2020, when Blackbaud, which as you say it works with K-12 schools, it also handles a lot of firms that get donations from different organizations. It's got a really deep customer base, and stores a lot of really sensitive information on people who make donations, for example. So it is widely used, lots of sensitive data, what could go wrong? Well, enter some ransomware wielding attackers, which hit the organization, as we said in the middle of 2022, or at least that's when the breach came to light, seems to have happened maybe starting in May. Blackbaud had a little problem when it came to publicizing the details of the breach. Specifically, the U.S. Securities and Exchange Commission, the SEC, accused the company of making misleading disclosures about the ransomware attack that impacted, it says, more than 13,000 customers. I'll just pause here to note and say, each of those customers is an organization that was hiring Blackbaud; each of those customers was storing data on hundreds, thousands or more individuals. So this was a breach that had a massive impact when it comes to the amount of personal information that got exposed. So the SEC has accused Blackbaud of not being straight with investors, which as we know, the SEC, doesn't like. It tends to go after organizations witness this $3 million agreement. As is typical with such agreements. The organization that it's focused on - Blackbaud - hasn't confirmed or denied any of the allegations. But the SEC says that more than 1 million files being stored by Blackbaud works post and when the company issued its data breach notification. At first, it said that no donors, bank account details or social security numbers appear to have been stolen. Unfortunately for the company, a different part of the organization, the one that didn't prepare the filing for the SEC had found that in fact, donors bank account information was exposed social security numbers were also exposed. This put the company afoul of the SEC's rules, which require that organizations don't omit material facts. The regulator also says the company failed to maintain disclosure controls and procedures, as evidenced by the fact that one part of the organization didn't seem to know what the other part of the organization knew. So what happens? At least 250 U.S. based organizations appear to have been affected. As my colleague Marianne has reported. This led to a number of health data breaches, affecting at least 6 million individuals in the United States. We know there were also victims in Canada, Europe, New Zealand and probably beyond. Irate customers have filed a consolidated now class-action lawsuit alleging in part, the company's "security program was woefully inadequate" - their words. The company has also been reprimanded by the privacy watchdog here in Britain, the Information Commissioner's Office, back in September 2021. It wasn't fines, but the ICO made some recommendations, which is British speak for "do this" or "if we have to come look at you again and we find badness, we're going to find you really badly." So the writing's on the wall for it to get its act together. One of the things I want to know just because it's so bizarre is when Blackbaud came clean about this ransomware incident, one of the things it said was, you know, how when a company says, protecting our customers data is our top priority, and that's only ever a phrase uttered by organizations that have suffered a data breach. Well, it got even stranger. The company said that because protecting our customers' data is our top priority, we paid the cybercriminals' demand with confirmation that the copy of the data that they had stolen and removed from our systems had been destroyed. So as someone who covers data breaches, the first thing you learn, never trust criminals. The second thing you learn is nobody can ever be trusted. And in fact, security experts say there's no proof that a group has ever honored a promise to delete stolen data. So bizarre breach, affects a lot of people, you have this triumphal sounding language and the data breach notification saying, "Aren't we great? We really care about you. So we've given even more money to the criminal ecosystem, because they've promised us certain things." And this was in fact, one of the things cited in the lawsuit against them about just how much they'd screwed up, allowing this breach to have happened. And their response to it. Again, allegations, I don't know if it'll end up in court, or if they're settled, or if it'll have an impact on this class-action lawsuit that's been filed, but it's a big bad breach, for sure.
Delaney: Massive stories! They have a lot of it down to a lack of internal processes and procedures. Marianne, do you want to add anything to this? You've obviously reported extensively on it.
Marianne McGee: Well, yeah, as Matt said, there were dozens of healthcare organizations that were impacted by the Blackbaud incident, at least a few dozen come to mind that reported breaches to the Department of Health and Human Services, as involving Blackbaud. But even those reports are sort of hard to gather, because as far as I know, Blackbaud never really issued one report that listed all the organizations, rather than, you know, it was a situation of oh, there's a big breach that's posted on the Department of Health and Human Services, breach reporting website, and then you go, you know, digging around to see if you can find the breach notice, and that's when Blackbaud gets mentioned. So I think people would be surprised how many healthcare organizations are actually impacted. These are healthcare organizations that have fundraising, you know, activities within their organization, your donations, that were maybe named, you know, invade in people's names, and you know, that sort of thing.
Schwartz: Sensitive communications, if you are a healthcare organization soliciting these donations from people, this is not the sort of information you want to see go missing.
McGee: No, absolutely.
Delaney: Great teamwork there. Marianne, you have a story now, which sort of echoes themes from that story that harks back to an incident from 2020. There's some underhand behavior and a rather hefty fine. So the Feds just issued a fine to a Florida-based web hosting firm, stemming from 2020 hacking incident that revealed the PII of hundreds of thousands of minors. Talk us through the case.
McGee: Well, the Department of Justice this week announced this nearly $300,000 False Claims Act settlement with a small Florida-based web design and hosting company called Jelly Bean Communications Design and its owner, and the company only had like one employee. So the owner and the employee, you know, it's all kind of one and the same. But the settlement involves a data breach, as you said, that affected about a half a million individuals who entered their information on a website healthykids.org which was for kids' dental and health insurance, run by a Florida state Medicaid program for which Jelly Bean was contracted in 2013 to create host and maintain and that contract, of course required the website to be secure. But from 2013 to 2020, the Justice Department says a Jelly Bean did not patch software vulnerabilities or apply other security practices for securing the healthykids.org - the healthykids.org website. And then in December of 2020, it was discovered that during those seven years, hackers were able to access and alter personal information that was entered into the website by parents and individuals applying for dental and health insurance for their children. The Justice Department says that of the 500,000 applicants who had their information compromised that included names, addresses, date of birth, social security numbers and also sensitive family financial information such as alimony and child support payments. Now, the false claim settlement with Jelly Bean is part of the Justice Department's Civil Cyber-Fraud initiative, which was launched in October of 2021. That program is essentially a government crackdown on federal contractors and grant recipients that misrepresent their cybersecurity practices and protocols or knowingly deliver it lacks cybersecurity products or services that put U.S. information or systems at risk. Other violations under the program include failure to monitor and report cybersecurity incidents or breaches. Now, the legal experts that I spoke to about this case, tell me that the Jelly Bean settlement is just another wakeup call really from vendors of all sizes and types that handle sensitive information, especially in the healthcare sector. For example, if these vendors are under federal contracts, or build government programs, such as Medicare and Medicaid, supposedly for HIPAA compliance services, but then failed to deliver on their security promises, those companies or individuals could be exposed to federal criminal liability under the False Claims Act if there is a breach or hacking incident, such as in the Jelly Bean case. And, you know, we've seen a lot of big breaches in the healthcare sector in recent years involving vendors. So this action by the Department of Justice is yet another reminder to vendors, that they not only face potential liability under HIPAA and the Federal Trade Commission's, you know, on Unfair Business Practices Act, as well as state privacy laws, but also now potentially, under the Federal False Claims Act if they provide shoddy cybersecurity, resulting in serious data compromises, and, you know, as Matt was just speaking about, maybe even the SEC, if it's a public company, so, you know, that's all the other worries on top of the inevitable civil class-action lawsuits that also get filed against these companies when individual sensitive information is breached.
Delaney: So it's just proof that the U.S. government really is targeting federal contractors with poor security?
McGee: Yeah, there's again this initiative by the government, where the Justice Department was launched in October of 2021. And, you know, this is one of a few cases that I'm aware of that involved healthcare. But I think, you know, there's like so many of these fraud cases, you know, the government kind of picks and chooses which ones to make examples of, but I think this one was particularly egregious because it involves kids' information and their parents' sensitive information pertaining to the kids.
Delaney: As you say, a wakeup call to all organizations. Thank you, Marianne. Well, finally, as we had the Oscars here last week, or their last week, and various other entertainment award ceremonies in the weeks prior, which stories have you worked on recently, that have the makings of an Oscar winning screenplay? There's always drama every week on the Editors' Panel. So Michael, go ahead.
Novinson: I will be boring and take the Silicon Valley Bank collapse, a couple of things, which I think are fun to focus on, would be the mass exodus of money on Thursday, you had stories of venture capitalists and owners of portfolio companies who are in the back and bathrooms are on top of ski lifts, just trying to test what they use the mobile banking app to pull their money out. And then the final point I would add is there is some pushback on Twitter, venture capitalists to head yeah, Orzhov is companies to pull their money ASAP. And Thursday morning, and then that very afternoon thought, Oh, well, I think they'll recover and the CEOs and their former CEOs, and that's correct. So I'm going to go buy their stock, and see if I can get some money on the bounce back. So definitely some very colorful stories from the Thursday to Sunday period of last week.
Delaney: Yeah, you don't really want to make light of the situation. But, you know, in a few years' time, perhaps and Moneyball esque film I can see on the horizon, Matt?
Schwartz: It might be really too similar. But the FTX meltdown offers a wealth of dramatic opportunities. And just some, I don't want to demean, but some bizarre seeming characters involved at the nexus of all of this money going missing, wonderful flourishes as well, that we sometimes get from affidavits and indictments, things like WhatsApp groups, I don't remember the exact name but you know, don't call it the fraud group in terms of how they're attempting to deal all of this sort of fallout that's happening. Again, that's not the actual name, not a lawyer. But I think there's just so much interesting human drama there. And also bizarreness. It seems looking from the outside, not just, you know, the on tap master chefs and you get your nails done anytime you want, because otherwise, how can you maintain, you know, peak efficiency down in the Bahamas was it, right? Bahamian entity? So lots to work with there from a dramatic standpoint.
Delaney: Oh, absolutely. I'm sure the screenplay is well underway, Marianne?
McGee: My idea is basically a compilation of the various ransomware attacks that we've seen on hospitals. You know, there might be fodder there for a thriller. You know, patients' lives at stake. Maybe there's something bigger happening in the community. Always a lot of drama with those sorts of incidents.
Delaney: Drama, indeed is the word. Well, thank you so much, Marianne, Matt, Michael. As always, it's been fun, a pleasure, and extremely educational. So thank you. Until next time.