Friday 11 June 2021

Games Fund Managers and Investment Advisors Play and How to Avoid Getting Played

Sometimes the Best Way to Avoid Being Played
Is Not to Play

Among other things, Alicia McElhaney at II keeps a close eye on academic research on the “investment space”.

She’s had quite a run with outlining the games fund managers play.

Here are just two examples.

  • 27 May - VC Firms ‘Inflate’ Portfolio Valuations Ahead of Fundraising, Study Shows 
  • 9 February - Private Equity Firms ‘Try to Manipulate Their Performance’ When Raising Money

Anyone who is sentient on the buyside has experienced this. 

But it is nice to see academics confirm what we've learned.

So how does one minimize getting “played”?

The first thing to understand is that, similar to other sellers of goods, fund managers are looking to make a sale and a profit. Sales pitches run from “puffery” to outright misrepresentation.

The second is that these PE and VC and similar products are sold to “sophisticated” investors--the so-called “big boys”. 

Regulators make the laughable presumption that the “big boys” don’t need the usual protections given retail investors.

That means disclosures and sales materials are allowed to be less robust and less detailed. One example relates to presentation of past returns, modelling, etc.

Professional standards of care are also lower because the imaginary big boys are imagined to be able to take care of themselves.

Careful investors will draw the following conclusions from those “facts”.

Healthy skepticism is warranted.

Verify first, then give provisional trust, but keep verifying.

If it seems to be too good to be true, you're probably right. 

Begin by carefully reading the prospectus/offering memorandum.

I have had representatives of major firms misrepresent products to me.

During one pitch, I commented that apparently their prospectus was wrong and cited “chapter and verse” from the prospectus to contradict the statement an earnest sales rep had just made.

Whenever I’m given a 1,000 page offering memorandum for all the seller’s products with a central definitions section separate from the product description so that the reader has to jump from here to there to make sense of a product, my antennae get more sensitive.  

Complexity is not the friend of the investor.

Be sure you understand the product.

That means you need to do your own research if this is your first "rodeo" with a product.

But also ask the sales rep to explain the product.  

Be wary of excessive use of jargon, which is sometimes designed to deflect questions. Who wants to admit that they don't really understand "vol" or the "greeks" on derivatives?

Also be wary of vague phrases, waving of hands, and then the implication that a miracle occurs and you get rich.

The risk section and product/transaction description in the prospectus/offering memorandum can provide a good source of questions. And a check on what is said in the "pitch".

Presentation of results that do not comply with CFA Institute GIPS (Global Investment Performance Standards) should not be relied on.

Non-GIPS results can generally be managed to show whatever the seller wants.

GIPS also requires certain disclosures and prohibits certain practices.

Make sure benchmarks and historic performance make sense.

No one beats the market consistently.

Benchmark selection can affect relative performance.

See my earlier post on Infinity Q Diversified Alpha Fund.

If you do not understand how financial models may be “gamed”, you really should NOT invest in Level 2 and Level 3 assets.

This isn’t just about growth and discount rates, but also how “multiples” that are used to “determine” terminal value can disguise unrealistic assumptions about those two previous factors.

If return is tied to or dependent on derivatives, you would be well advised to make certain you understand the downside risks.  

Ask the utilities in Texas who found derivatives a rather costly tuition.  

Or you could ask the good folks at JBS Spain about the derivatives they purchased.

Upward revisions of valuation should be examined carefully.

If one is being pitched, a very simple question is when the last revaluation took place and what the direction and impact was.

Amounts, timing, and the basis for the upgrade.

New funding provided by the fund manager at a higher valuation should not be considered as definitive proof the value has actually risen.

Sales of investments from one of the fund manager’s investment vehicles to another should be questioned, especially when the sale results in increasing the IRR of the selling fund. 

Or sloughing off a dog into a fund that can bear a subsequent loss of value.

Yes this occurs.

Watch out for debt financing tricks that drive IRRs and presumed value. Oh and just incidentally affect the fund manager’s compensation.

On the “outgoing” cash flow from LPs: funding LP drawdowns with debt to delay capital calls.

On the “incoming” cash flows to LPs: refinancing equity with debt to generate a “return of capital” without any realisation of the investment, e.g., trade sale or IPO.

Be sure you understand the skill set of the fund manager and how deals are accessed.

When the fund manager's primary skill seems to be the use of leverage, you may want to consider fund managers with skills in developing the underlying business. 

If the fund manager is buying assets from other funds or via auctions, ask whether he or she is getting a good price.

If the fund manager is buying an investment from another fund, why does he or she think they can turn another fund manager's "cast off" into gold?  And is it credible?

Be sensitive to offers of preferential treatment.

Once we had a major fund management firm tell us that they were poised to revalue (upwards) investments in their existing fund. 

We could invest in that fund now and take advantage of the lower current (entry) price before mark-up.  Thus, earning a "guaranteed" return.

Needless to say, we not only declined the invitation for this investment opportunity but put them on our “blacklist” on the basis that if they were going to “screw” their existing LPs, we would be better off not becoming one.

Sometime later that fund had what might be charitably described as “disappointing” returns.

The New Era of Due Diligence Likely to be Pretty Much Like the Old

Latest Technology, But Still the Same Spots

Over at Institutional Investor on 27 May, Nathan Yates wrote “The Old Era of Due Diligence Is Over. Here’s What the Post-Pandemic Future Might Hold”.

A very good article.

Lots of sensible points about why in-person due diligence is better than that conducted over Zoom.

What caught my eye was the comment of one “expert” he interviewed.

Clear, frequent, and honest communication among stakeholders is especially important during remote due diligence and will stay in place post-pandemic.

Three reactions.

As an introduction, I presume that there was some context that is now missing around that quote because it doesn’t make much sense.

It seems to me that “clear, frequent, and honest communication” would be especially important no matter how the due diligence was conducted.

One could also read the phrase “will stay in place” to suggest that it did not widely exist pre-pandemic. 

That’s probably not an unwarranted assumption. That is, that it did not exist pre-pandemic.

The unwarranted "bits" are that (a) it currently exists and (b) it will in the future.

There are many fund managers and investment advisors who come up short in the "clear" and "honest" categories no matter how they pitch prospective and existing clients.

Can we really expect those leopards to change their spots just because they're now using new technology?

Does Zoom have an honesty-enhancing effect?

Caveat emptor and some prophylactic measures are probably better steps than hope for change.   

More on that topic to come in a subsequent post on games fund managers play.

Thursday 10 June 2021

Tether - How to Correct Deficiencies in Reporting on Reserves and Simultaneously Set Boundaries

So You'll Have to Read the Post Below

The central premise and promise of Tether is that it will maintain the value of its “stablecoin” at US$ 1 for each tether in circulation.

As outlined in previous posts, there are gaps in the information Tether provides that a careful investor would require to evaluate this promise.

  1. The strategy that Tether applies to maintain this “stability”, so that an investor could check whether that strategy is appropriate. As noted in this post, Tether has not explicitly done this, and from the composition of the reserves I find it hard to believe their strategy is fully appropriate.

  2. Sufficient periodic disclosure, so that an investor could confirm that Tether is adhering to the promised strategy. As noted in this second post, Tether’s current disclosure of its “reserves” is insufficient to enable this. What was the NYS AG thinking when it set the disclosure requirements for reserves in the settlement agreement?

On the other hand, one could make the argument that someone who buys Tether is not a careful investor but rather a speculator or punter. So any information is likely to be ignored.

Or that the best strategy for careful investors is to avoid any investment in Tether. 

If you want a stablecoin backed by the US dollar wait until the UST issues one.

But let’s presume that this information would be useful to some investors. 

Equally, it would also set boundaries within which Tether would have to operate. Perhaps very advisable given past questionable stewardship of the reserves.

Now, as we all know and will be told by cryptocurrency aficionados, one of their main reasons for investing in sh*tcoins is that one certainly can’t trust the government.

That same skepticism should be directed to non-governmental entities, especially a party with Tether’s track record.

How do we implement those information requirements? And not just for Tether?

Here’s a suggested minimum standard model: Fidelity’s Money Market Fund SPRXX.

The prospectus and monthly fact sheet set forth the fund’s objectives and strategy.

An investor would therefore have the information necessary to make a determination whether that strategy is appropriate.

Each month Fidelity discloses each of the holdings in the fund.

It also issues a semi-annual and annual audited financial report with that same information. You can access those here.

Similar reports on holdings from Tether would allow an investor to check whether the promised strategy is being adhered to.

As a holder of a stablecoin, wouldn’t you like to have a commitment as to what are the permitted asset classes, issuers, obligor credit ratings, tenors, concentrations, use of derivatives, etc. that your money can be “parked” in?

So you know if your money is on deposit with Oz at Crypto Capital in Panama or with HSBC London? Or invested in less liquid instruments?

Wouldn’t you also like to check periodically to make sure that the commitment was being adhered to?

Apparently the answer to both questions is no.

The February settlement agreement with the NYS AG had little impact on Tether.

As of 31 March the value of outstanding Tether was some US$ 42 billion.

In early June some US$ 62 billion.

There is as they say no vaccine for stupidity.

Wednesday 9 June 2021

The “Big Boys” Market – Ransomware Insurance

The Underwriter's New Suit

In the 3 June FT, Ian Smith had an article Cyber Premiums Jump in Face of Acute Threats.

Two quotes from the article and my reactions.

Surge in attacks prompts vigilant insurers to question clients closely about culture, attitude to security and training.

And 

Nor are insurers simply jacking up prices. They are also becoming more vigilant about controls at the companies to which they sell cover.

A big “shout out” for the use of “vigilant”.

The clear implication is that many, perhaps most, have been asleep at the switch.

If you’ve been following my “Big Boy” series of posts, you know I like to puncture the unwarranted myth of the imaginary “sophisticated” investor.

In that vein let’s reflect on Ian’s article using my own personal experience.

When I went to take out an insurance policy on Chez Arqala, my insurance company asked a raft of questions.

  • About smoke detectors, their locations, and presence of fire extinguishers and other such equipment.

  • I was also asked if we had a home security system and whether, in addition to intrusion detection, it also had a fire detection capability. Was it set to ring up the authorities? Who were the providers of the home security system?

  • Did it have a back-up battery in case of power disruption?

  • How far we were from the nearest fire station.

  • Whether we stored any flammable or dangerous materials in the house.

  • Other than the little people who live with Madame Arqala and me we were clean on that score.

No questions about culture, though. 

I guess he could tell just by looking at me. Or perhaps at Madame Arqala.

The decision to “write” the policy and the premium depended on our answers to those questions as well as our post code.

It boggles the mind that insurance companies writing cover for multiples of that provided on our house wouldn’t be asking similar questions for cyber cover.

And come to think of it, quite a lot more.

Apparently, they were not doing this.

Now to be fair, the general “take” on insurance underwriting standards is that only life insurance consistently makes a profit.

With other “lines” irrational exuberance and shoddy standards lead to highly cyclical swings in profits.

So much for the “big boys” of insurance. 

At least they are not an outlier among the "big boys".
Tuesday 8 June 2021

Tether Reserves - Verify Then Trust

As Argued Below, Verification Should Come Before Trust

First post in this series here.

If you’re old enough or have access to the internet, you may recall a US politician who announced a major international agreement by quoting a Russian proverb “Trust, but Verify”.

If you think about it carefully, you might come to the contrary conclusion that one should verify first then trust.

Or, as in the hadith relayed by al-Tirmidhi (2517), “اعْقِلْهَا وَتَوَكَّلْ” or “Tie your camel first and then trust in God”.

The point of that hadith being that one has to take responsibility for one's affairs.

Wise words in all facets of life, including investments.

Even more so when the prior behaviour of the counterparty was less than would instill confidence.

As paragraphs 14-54 of the February 2021 settlement agreement between Tether et al. and the NY State Attorney General revealed, Tether had been less than candid in disclosing the status of its reserves and the fact that they were not always backed 1 to 1 with US dollars on deposit.

In fact, at times “reserves” were “held” in the form of loans to an affiliated company, Bitfinex, whose own funds were frozen.

That’s not very comforting.

Nor is the fact that as per paragraph 57 of the settlement agreement, Tether was compelled to provide quarterly disclosure on its “reserves” for two years.

Shouldn’t a responsible fiduciary (and that’s the role that Tether assumed in issuing stablecoins) have been more (a) careful and (b) candid about the reserves?

That was as they say the “past”.

So how are Tether doing now?

Risk Disclosure

On Tether’s website here under the tab labeled “Risk Disclosure” you will find a set of risks outlined.

Missing is the fact that Tether’s reserves are subject to market risk. Why this isn’t mentioned is surprising. Well maybe not so surprising given their past behaviour.

Reserves Disclosure

Here is the link to Tether’s “disclosure” of its reserves as of 31 March 2021.

Some observations.

Some 75.85% of the “reserves” are grouped under the heading “cash & cash equivalents & other short term deposits & commercial paper”.

Now if we wanted to evaluate the reserves in terms of backing for tethers, we would want to know the amounts of each of these three components.

Why?

Because each of these three categories is likely to have differing liquidity.

Liquidity being the ability to sell a financial instrument quickly at face value or with a minimum deviation from face value. 

Why is liquidity important?  

Because if holders of tether want to exit and can't find buyers, and the reserves are insufficient, they won't get US$1 for each tether.

Imagine a scenario in which a Techno-King or perhaps just a Techno-Prince tweets that CatCoin is the new investment meme of the day.

Also if the "market" thinks the reserves are inadequate, then the price of a tether should go below US$ 1. 

This could arise from liquidity or credit concerns about the "reserves".

Cash and cash equivalents are highly liquid, not subject to penalty or delay on withdrawal, and typically have maturities of three months or less from the date of acquisition. Note that word – acquisition, not the date of the report.

This category would be likely to be realized at face value or very close.

You will note that roughly one-half of total reserves is in commercial paper (75.85% x 65.39%).

This amount is not included in “cash and cash equivalents”. That means it does not have the characteristics described above.

As a consequence it is likely to be redeemed at less than face value prior to maturity.

The CP also bears the credit risk of the obligor/issuer on the CP.

And we have its amount. It's almost 50% of reserves.

Some 18.36% is in “fiduciary” deposits (same calculation as above).

Since short-term deposits are listed as a separate category from cash and cash equivalents we can assume that some of the "fiduciary deposits" are not “cash and cash equivalents”. So less liquid.   

And likely to be redeemed for less than face value prior to maturity. That may reflect the penalty for early withdrawal on the deposit.  

But we don't know the amount that might be "cash equivalents".

You may derive “comfort” from seeing that these are “fiduciary” not “regular” deposits.

But all that means is that when placing the deposits, Tether acknowledged that it was acting on behalf of the owners of the deposits, presumably the owners of outstanding tether. 

However, these do not appear to be “trust” deposits, though we don’t know based on Tether’s incomplete disclosure.

Thus, the deposits are subject to the credit risk of the institution holding the deposits. That is, they would be claims against the depository institution's estate in bankruptcy.

If they were trust assets, they would not.

And we don’t have any details on the depository institutions to get a sense of their credit risk. 

Are they IFIs in Puerto Rico, Oz Bank and Trust, Panama, or HSBC?

Some 4.96% is in Treasury Bills and Reverse Repo Notes (same calculation as above).

We don’t know if all these qualify as cash equivalents, but since they are a relatively small amount, let’s ignore them.

Let’s also assume that all “fiduciary deposits” qualify as cash equivalents, though this is unlikely to be the case.

On that basis the CP (49.6%) and the other categories (secured loans, bonds, commodities, and other) equal almost 74% of total reserves.

The stability of Tether therefore rests on what are very likely to be less liquid assets. And some of these, e.g., CP and secured loans, may not be susceptible to early redemption.

Discounted sales of these instruments might be possible depending on the identity of the obligors/issuers. 

But a wise investor wouldn’t count on it.

Attestation Report

Moore Cayman, an accounting firm, issued an “attestation report” on Tether management’s “assertions” about the reserves (the CRR).

Two things to note about this report.

First, Tether has not issued a financial statement for Tether “stablecoins”. 

Rather what we have are their “assertions”.

Note that many fund managers do issue financial statements on their funds.

If you’re following my advice to “verify”, you may well wonder why Tether didn’t issue a financial statement or its equivalent.

Cost control? Or some other motive?

Second, an ISAE 3000 Revised Assurance Engagement is not an audit.

Here is an AICPA paper which asserts that the typical “assurance” engagement under ISAE 3000 (Revised) is less rigorous than that required under AICPA Standards. Though you’d expect “exceptional” folks to hold that they are “exceptional”.

It is less than an audit.

Given the problems with audits, that ought to send a chill up the spine of the sentient.

We don’t even have the imperfect work of an audit to hang our “investment hat” on.

Luckily for Tether, the sentient segment appears to be highly underrepresented in their “investor” base.

It is very important for investors to understand the nature of MC’s work and report, particularly in terms of the valuation of the “reserves” that “back up” outstanding Tether “coins”.

So what do we have from MC?

It is almost certainly less than a “review” of financial statements in both scope and rigour.

Why?

Because Tether hasn’t issued a financial statement. Rather it has made what MC describes as “assertions”. 

If you're like me, you might find the use of the term "assertions" to inspire less than confidence in their contents.

I didn’t see enough detail to find “comfort” in MC's report because I don’t know what standards and principles the “assertions” were based on and what work MC did as part of its engagement.

In describing its conclusion on the financial information in the CRR, MC states that it is “based on our investigation of the balances stated herein”.

That’s rather short on detail.

  • Did MC rely on Tether’s accounting records for the values?

  • Or on account statements from third parties holding the assets?

  • Did it send balance confirmations to which those third parties responded?

  • On the US$ 5.3 billion in secured loans, did it review documentation on the nature and value of collateral? Did it check Tether’s procedures for determining credit impairment and needed loan loss provisions?

I suspect that it did not go much beyond the first step – accounting records and internal controls. I also hope that I am wrong.

All that being said, in their report MC did express an “emphasis of matter”.

This is typical accountant-speak for relatively important matters that do not change the accountant’s opinion, or in this case “attestation”, but are significant enough that the accountant feels the need to bring them to the attention of interested parties.

In my view the following is the key point from that section. Italics are mine.

Management’s accounting policy is to value assets and liabilities at historic cost plus any accrued interest and less any expected credit losses, or otherwise the redemption value where applicable. The realisable value of these assets and liabilities could be materially different if any key custodian or counterparty incurs credit losses or substantial illiquidity.

First, the use of historic cost. One sells assets at market price if they are not held to maturity.

Changes in interest rates can affect the value of financial instruments, which is why the "cash equivalent" definition has a 3 month maturity limit.

Second, credit and liquidity risk. Note the comment about “realisable value” being potentially "materially different" from that shown in the report.

MC is waving a red flag here.

In the next post I’ll offer some unsolicited advice on what should be done. 

الفاضي يعمل قاضي (The man with nothing to do makes himself a judge.)

Tether: How Stable Are This Stablecoin’s “Reserves”?

If You're Buying "Stable"coins, You Should Be
Reasonably Certain the Reserves are "Stable"

The 3 June FT Lex Column had a call-out box on Tether “Stablecoins/bitcoin: unTethered to reality”.

Citing information published by Tether, Lex noted that only 2.94% of the value of outstanding Tethers is backed by pure cash.

The remainder is “backed” by a variety of instruments:

  • commercial paper (49.6%),

  • short term deposits (18.36%),

  • Treasury Bills and reverse repo notes (4.96%)

  • secured loans (12.55%),

  • corporate bonds, funds, and precious metals (9.96%), and

  • other investments (1.64%), which include “digital tokens”

No real disclosure on the other items, except that “secured” loans weren’t to affiliates.

The lack of disclosure is troubling as will be discussed in the next post.

Lex dryly noted that not all of Tether’s reserves were held in risk free assets.

Indeed!

That directly impacts stability.

If the reserves are subject to volatility, then so is the value of the “stablecoin”.

So much for the “stable” in “stablecoin”.

But there’s a bit more here to think about.

This is quite a diverse set of assets.

  1. What is Tether’s overall investment objective and strategy? It sure doesn’t look like “preservation of capital”.

  2. How does this collection of assets achieve the objective and strategy?

  3. What are the required criteria for investments, e.g., asset class, industry, individual investor or counterparty characteristics (credit grade, etc), tenor, etc?

  4. Is Tether’s management capable of designing, executing, monitoring, and adjusting the strategy and portfolio as needed? They are by all accounts either certified tech geniuses or perhaps self-certified tech geniuses. But are they really financial geniuses as well?

  5. If not, is Tether using third parties? If so, how are these selected?

  6. Who are they? Goldman Sachs or Oz at Crypto Capital in Panama? What additional risk do these third parties pose in addition to obligor and counterparty risks?

  7. Given the “diversity” of assets in the reserves, it might also be worthwhile to ask if any of these were used to purchase Tether. That is, has a customer or have customers bought Tether with any of the “reserve” assets rather than with cash?

  8. If you’ve read paragraph 38 of the settlement agreement with the NYS AG, you’ll notice that in October 2018 Bitfinex “repaid” US$ 400 million in loans from Tether via the “redemption of 400 million tethers”. That is, via a non-cash transaction. It doesn’t seem likely that these were clients’ Tethers, assuming no sketchy dealing by Bitfinex. So were they Bitfinex’s own Tethers? And, if so, how did it obtain them?

In the next post we’ll look a bit more into other issues surrounding the valuation of the reserves.

Sunday 6 June 2021

Taking Responsibility A Key Step to Minimizing Ransomware Successes

If You Don't Answer Your Phone, 
Calls are not "Overdue", They're Ignored

Saturday's FT "Big Read", "The cyber threat to America's beef", discussed expert reaction to the ransomware attack on JBS.

I'm going to use quotes from that article to outline two acceptances of responsibility that are necessary, but not necessarily sufficient, to fix the problem.

Step 1: Corporate acceptance of responsibility (a) for its past failures and (b) to fix the problem.

The first quote.

Beyond the political posturing, analysts and cyber security experts say companies, government and other entities must treat the hack as an overdue wake-up call to not only develop adequate defences but also to develop a unified approach to dealing with the soaring number of attacks.

Sorry this is neither “overdue” nor a “wake up call”.

Let’s call it precisely what it is.

It is a failure to heed numerous warnings given over more than several years.

Until corporate managements admit that fact and take responsibility to act responsibly, there will be no solution to the problem.

The CISA (Cybersecurity and Infrastructure Security Agency) was founded in November 2018 (roughly three years ago). They published an alert on a ransomware attack on a pipeline in February 2020 (let’s call that one year ago).

The National Protection and Programs Directorate (NPPD) was set up under the DHS’s umbrella in 2008 with the mission of protecting the USA’s critical physical and cyber infrastructure. (That would be thirteen years ago).

If you look at the CISA website here, you will find a list of resources, including alerts, tips, training and webinars.

Notice that the first “alert” dates from 2009. (That would be twelve years ago).

And then there is the FBI’s IC3 unit, which has antecedents back to 2000 and has issued warnings on ransomware for many years. Here’s one example from 2019.

Or maybe this memo from the DOJ in 2015.

Overdue?

The only thing “overdue” is the response to the warnings.

CISA also offers a free checkup service (no “death panels” as far as I know) for governmental entities and private companies that operate critical infrastructure:

  1. Weekly vulnerability penetration scans

  2. Web application scanning

  3. Phishing campaign assessment

  4. Remote penetration testing

It would be interesting to know how many private sector firms operating critical infrastructure have availed themselves of this service. And if not, why not?

Beyond efforts by the USG to ring the tocsin of alarm, the media has reported on the risks of hacking and ransomware for some time.

NYT Feb 2020, NYT 2017.

Or Fox News 2018 (Port of San Diego) and Fox News 2018 (City of Atlanta incident; note this was described as a wake-up call).

I’m not a computer or cyber security expert, but even I knew of the risks to national security from hacking before SolarWinds and JBS. Or reliance on foreign manufactured components in computers, telecommunication systems, etc.

That’s not to brag: any moderately sentient person who reads the news should be able to figure this out, even one like me who focuses primarily on matters financial.

Captains of industry might well be expected to have even greater sources of information as well as staff who might fill in any gaps in their attention spans.

Additionally there are the firms who make a living in this field who have weighed in on the risks. Here’s a link to one. They mention the first ransomware attack as taking place in 1989. (That would be thirty-two years ago).

Another quote from the FT article.

The alleged perpetrators of the JBS attack have long been known to cyber security experts. Since February alone, the Russia-linked REvil group has been connected to almost 100 targeted ransomware attacks, according to cyber security specialists ZeroFOX.

Step 2: Government acceptance of responsibility to impose rigorous standards on entities critical to national security and enforce penalties on them for failure.

The second quote.

"Once again the notion that ransomware is a national security threat is ringing true. We need a fundamentally different approach to security,” says Sanjay Aurora, Asia-Pacific managing director for UK AI company Darktrace.

Indeed a new approach is needed.

That fundamentally different approach to security would involve abandoning naive beliefs about market efficiency. The market hasn’t solved this problem and isn’t going to.

The simple reason?

Corporations don’t want to spend the money directly or indirectly (the time).

Governments need to impose comprehensive and rigorous security requirements with substantial monetary penalties for failures to implement them.

Legislation that was passed and regulations issued regarding Business Continuity or Disaster Plans can provide a precedent.

The cybersecurity laws should allow in extremis the replacement of management and the cancellation of licenses/permits to conduct critical infrastructure business.

Note the dual approach to achieve the goal by threatening the single most important priority of each of the two key parties:

  • management’s retention of its sinecures and

  • the value of shareholders’ investments.

That doesn’t mean if a company critical to national security were successfully hacked that it would necessarily be fined, its management removed, or the business turned over to another party.

What it should mean is that if a company hadn’t taken reasonable precautions, say to protect the operating system of its pipeline, then the hammer would come down in line with the severity of its failures.

Friday 4 June 2021

There May Sometimes Be Second Acts in American Lives, but in Germany There Are More Than 2

Act 1

Act 2

In Germany, the Hof (meister)
The Absolute Wrong Way to Stop Ransomware and Hacking

Just when I thought the idiocy on this topic had reached its pinnacle, I was proven wrong yet again.

See today’s FT “White House implores businesses to strengthen ransomware defence”

The word “implores” particularly set me off.

Then I thought a bit more and remembered—or at least I think I do—how this sort of decisive approach has been successful in the past.

Here are just two examples:

  1. Following an appeal from the SEC a few years back, the incidence of financial fraud and market manipulation in the USA has dropped dramatically. As has insider trading.
  2. After both my wife and I implored the little ones who live with us to eat healthy for their own good, we’re no longer asked for cookies or ice cream. Both grandmothers have reskilled and are now bringing vegetables when they visit.

While there has been no reaction yet, I’m confident that my letter to President Biden and Senator McConnell is about to usher in an era of bipartisanship not seen since “peace guided the planets and love steered the stars”.

Naysayers out there might comment that business with few exceptions has been asleep at the switch so long now, that it’s almost certain that they don’t have a clue where the switch is. Or what it does. Or how to operate it.

Or that imploring the habitually somnolent and negligent to “take action”, particularly when the action involves spending money, has not proven to be particularly efficacious.

They’re wrong as demonstrated above.

Though I will admit that it seems strange to call the addressees on the memo business “leaders”.

One final note.

If you’ve been inspired by this blogpost and want to establish peace in the Middle East, on the Korean Peninsula, or in the Gulf, please feel free to direct your own memo imploring the parties to take action.

I won’t mind.

I had intended to do all those things myself.

But currently I am focused on learning Romulan to write the memo that will "fix" any dangers to our way of life from UFOs. I think we’re not far enough into the season that it would be the Borg.

Kumbaya!

Bonus Gratuitous Snark

Some further thoughts that occurred to me after I first posted the above.

Additional rather sad conclusions that have to be drawn from this episode.

First, the memo contains 5 recommendations for action that might charitably be described as the blindingly obvious. Things equivalent to lock your doors, don't run with scissors.

Hardly the sort of advice that captains of industry should need to receive, for two reasons.

  • The advice given isn't rocket or computer science. Just common sense steps.
  • The warning should not be necessary; they should know this already.

If they missed either or both of these points, it's pretty clear that they need to step aside for those with the aptitude and attitude required to do the job.

The memo is a damning assessment of the calibre of our business tycoons. 

Though to be fair that assessment is supported by successful ransomware attacks on companies who did not lock their doors, etc. and the woeful lack of preparation at other firms as noted in my earlier post.

Second, it's not just the captains of industry who are in for criticism.

What does it say about the US Government? 

As my mentor used to say, "you can tell you're in a third world country when problems are addressed through rhetoric rather than concrete action".