Ransomware Prioritize Prevention Then Pursue Prosecution – Part 1

 

Noted Internet Security Expert, B. Franklin
Interesting Fact: 
Colonial Pipeline Earlier Management Ignored His Advice

Alex Younger, former head of the Secret Intelligence Service, penned an opinion piece in Saturday’s FT Ransomware attacks have to be stopped — here’s how.

Some 898 words long. Lots of good advice and interesting points.

However, he had but these 37 words (4%) on what I consider to be one of the key steps to resolving the problem.

It follows that governments can and should do more but not to the point of absolving individuals and firms of their own responsibilities. A surprisingly large amount of this is about getting the cyber security basics right.

The last sentence “names the issue exactly”.

I think this is the major problem.

By way of analogy, let’s assume a town where no one locks their doors, where people leave valuables in plain sight, where it’s common to leave the keys to one’s Maybach in the ignition, and the car in the driveway..

Now we could crackdown on those who buy stolen goods even those in other cities.

We could station a policeman by each house to keep guard.

Or, we could get as many citizens as possible to lock their doors and secure their property.

What this latter step hopefully would do is lessen the opportunity for crime.

And the amount of crime that takes place.

It also lessens the number vulnerable targets that one has to guard.

If we can take the above steps, then resources can be more focused.

Also and perhaps more importantly, with national security issues, one would I hope prefer to prevent an attack over  a successful response to the attack.

Is this the case with ransomware? That doors are unlocked, valuables unsecured?

First, some macro examples from an earlier post.

Two quotes from the FT. Italics mine.

1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

2. The oil and gas sector has been criticised for lax cyber security regulation.

The above points are estimates not facts.

But it should be not only an “overdue wake up call” but also a “sobering fact” even if these are overestimates by a factor of two.

The companies making these estimates are companies selling security products and so may have a profit dog in the fight.

So let’s turn to recent comments by US Secretary of Energy. She is reported to have said that “hackers” could shut down the US energy grid.

Second, some individual examples.

Colonial Pipeline was penetrated through a VPN which was “not intended to be used” but not turned off. That system had single factor authentication.

In February 2020, CISA (Cybersecurity and Infrastructure Security Agency) published an alert on a ransomware attack on an unnamed US pipeline.

That alert mentions some of the same security failures as with Colonial Pipeline.

Lessons learned?

Wake-up calls unanswered?

Sobering facts insufficiently “sobering” to overcome the state of intoxication?

As well, you will note that many of the other failures mentioned in that alert are “basic cybersecurity”. The PC equivalent of locking doors, securing valuables, etc.

You will see this pattern of “rookie” mistakes in many of their alerts

Another study that ranks cybersecurity by country seems to confirm the above.

The US ranks 46^th out of 75 countries.

Some caveats:

1. This isn’t an apples to apples comparison. Rather it is an overall ranking across a broad gauge of metrics not just for ransomware. It includes attack attempts, infection rates on personal devices, etc.

2. But despite that drawback it does highlight the Willy Sutton Principle: One would expect the USA to be of more interest to hackers than many of the other countries on the list. And so more targeted. And so more in need of defense.

In Part 2, we’ll look at some other issues, not all of which relate directly to Mr. Younger's opinion piece.

Collateral: Great Expectations vs Sobering Facts

Expectations Often Are Not Fulfilled

 

Ellen Carr has an article in the 10 June FT “Linus from Peanuts has risk lessons for high-yield investors”

Two quotes from that article to set the stage for some additional observations.

When we get the chance to buy bonds with collateral backing them up, we feel, well, more secure.

Secured bondholders anticipate that, if their research fails them and the issuer ends up in bankruptcy court, they are likely to be paid in full before unsecured lenders get a dime.

There is truth in these statements.

But note that in both of the quotes Ms. Carr speaks about “feelings” and “anticipations”.

Sadly these “wishes” don’t always turn into “horses” that bond holders can ride.

Some inconvenient and perhaps even “sobering” facts.

(H/T for the latter phrase to Joseph Blount, President and CEO of Colonial Pipeline).

The nature of the collateral drives its value in a liquidation.

1. Property, plant, and equipment generally are sold for a fairly low percentage of historic cost in collateral realisation, particularly if they are highly specific to an industry. Or are costly to move.

2. As you’d expect items nearer to cash have higher sales values, assuming they are liquid in nature and trade in liquid markets.

3. Holders of collateral in the form of 100% of the shares of capital stock in a subsidiary are effectively junior in legal priority to all other creditors in that subsidiary. Last in the line in the cash waterfall from the subsidiary’s estate.

4. Such shares are generally less liquid than listed shares.

The nature of the corporate distress drives collateral values in liquidation.

1. If one company in an industry is failing but the industry itself has reasonable prospects, the sales price of collateral is likely to be more than if the entire industry is tanking.

2. This will also depend on whether there is existing excess capacity in the industry.

The form of the corporate distress resolution can affect access to collateral.

1. In a US Chapter 11, one may find one’s position changed under the reorganization plan.

2. Realisation of collateral can be legally stopped.

3. The reorg plan may change tenors, rates, and in some cases even the collateral itself.

4. In that regard DIP financing can create a new and higher priority class of secured creditors.

Laws and transaction structures can affect collateral.

1. Be sure that you legally have and can enforce your collateral rights.

2. Be sure the legal structure is sound. Complex structures involving multiple national laws may be fragile. You enforce your collateral rights in the jurisdiction where the collateral "resides".

3. Read the Offering Memo. The deficiencies outlined in points #1 and #2 above are often clearly spelled out in the Offering Memoranda. (See earlier posts on Golden Belt Sukuk and Peking University Founders Group),

4. Be sure you will get a fair shake in courts if you have to enforce your rights. For example, you don’t really want to be a foreign lender in Saudi Arabia. (See Al Gosaibi, TIBC, AlAwal Bank, AlSanea. Or Redec for those with long memories or access to the internet.)

5. Be sure there are no quirks in local law or advantages for well connected individuals. (See Dana Gas posts).

With that as background, let’s take a look at the transactions she mentioned in her article.

What's the Scrap Value of a Cruise Ship?

Royal Caribbean Line: US$ 3.320 billion senior secured notes maturing in 2023 (US$ 1 billion) and 2025 (US$ 2.320 billion)

You’ll find the Indenture here.

Collateral – pages 7-8

“Collateral” is defined as:

1. shares of capital stock in subsidiaries that own the pledged “vessels”

2. 28 pledged vessels

3. the Collateral Account and any “Trust Moneys” within

4. the material trademarks owned by the Issuer and Celebrity Cruises Inc. on the Issue Date, including the Royal Caribbean and Celebrity brand trademarks and (y) all intellectual property rights of the Issuer in and to marketing databases, customer data and customer lists, except to the extent prohibited by contractual obligation existing on the Issue Date or applicable law, rule or regulation.,

You may have read that the book value of the pledged collateral is some US$ 12 billion.

Sounds great!.

That’s roughly four times coverage of the Secured Notes.

But let’s look a bit closer.

First, this collateral is industry specific.

Ask yourself what is the value of cruise related collateral if RCL is failing because it cannot generate sufficient cash to repay its debt.

Then ask how the fact that the cruise industry in general is “facing rough seas” may depress collateral values even more.

A falling tide lowers all boats.

And their related values. And that of their customer lists, trademarks, etc.

Second, note that the US$ 12 billion is based on historic cost.

It’s an old rule of the market that one sells assets at the current market price which may be significantly different than historic cost or book value.

If you are a motivated seller, bidders are more likely to bid low than high. If indeed, they bid at all.

But as they say on late night TV, “but wait there’s more”.

Third, Collateral Cap – pages 8 and 99

That’s not a sartorial accessory for the collateral,

But a way to deal with indentures in existing bonds which limit the amount of “new indebtedness” that RCL can incur.

So what is a collateral cap?

Let’ turn to the Indenture for the legal meaning of this term.

First, the amount of the collateral that is available to the secured creditors solely is limited.

“Collateral Cap” means, on the Issue Date, $1,662.0 million, as it may be increased pursuant to Section 4.13.

Second, on page 99 there is an explanation as to what happens to amounts above the “cap”.

In no event shall Collateral Proceeds in excess of the Collateral Cap or any other limitation on the extent of Collateral Proceeds contemplated by the Security Documents be applied in accordance with this Section 6.10, and such excess amounts shall be returned to the Issuer, any Guarantor or any other obligor of the Notes, as their interests may appear, or as a court of competent jurisdiction may direct.

So in the best case the collateral will not repay more than roughly 50% of the outstanding debt.

Any proceeds from the collateral sales over US$ 1.662 billion would go to RCL’s “estate” to be shared by all creditors.

Thus, the secured note holders are not going to be repaid in full before the unsecured creditors get a dime in the event that the collateral needs to be realised.

There’s more.

As is typical the Indenture permits certain liens against the collateral that have legal priority to the secured note holders’ position.

Once one takes possession of collateral like a vessel, one incurs maintenance and costs associated with berthing, including any required crew salaries and expenses, plus insurance until the sale. These out of pocket costs would then represent a deduction from the proceeds of any realisation.

Admittedly An Extreme Case
But Who Is Going to Want to Buy Stores Now?

Macy’s US$ 1.3 billion 8.375% senior secured notes maturing 2025

The notes are secured by first liens/deeds of trust on real estate.

If Macy’s hits the wall to use a technical financial term, does that perhaps indicate that retail is in real trouble?

I’d argue that it does.

Macy’s is indeed a different “fish” than say Sears or K Mart.

If a name like this is in trouble, then the sector is in trouble.

Who then is the expected buyer of these real estate assets or as we might more realistically call them “empty stores”?

Dollar General? Maybe if the price is a dollar?

What is their value in alternative uses? 

Amazon fulfillment centers? Homeless shelters? Schools?

If you’re interested, Fitch assigned this issue a BB+ rating.

That is below investment grade, a good indication that full repayment is not assured.

Colonial Pipeline CEO’s 8 June Testimony -- Annotated

 

No Need for an Extensive Hunt
Just Read Below

On June 8^th Joseph E. Blount, Jr., President and CEO of Colonial Pipeline testified before the US Senate Committee on Homeland Security and Governmental Affairs.

I have annotated quotes from his prepared statement before the Committee to provide further context and set the stage for a following post on the Committee’s reaction.

Quote 1

Colonial Pipeline is cognizant of the important role we play as critical infrastructure. We recognize our significance to the economic and national security of the United States and know that disruptions in our operations can have serious consequences.

That certainly sounds promising, Colonial acknowledges its “significance to the economic and national security of the United States”.

Based on that we can expect a description of the robust measures that Colonial took to prevent hacking and ransomware attacks.

Quote 2

I recognize that the attackers were able to access our systems. While that never should have happened, it is a sobering fact that we cannot change. 

Indeed it should never have happened.

It is as well a “sobering fact”.

While great philosophers have debated whether a “sobering fact” is more urgent than a “wake-up call”, I think it’s safe to say that they largely agree that for a fact to be “sobering” one must not have been a “sober” state prior thereto.

Quote 3

We take our role in the United States infrastructure system very seriously.

With a previously reported 30%+ net profit margin, very seriously no doubt.

That aside, I guess we’re about to hear about Colonial’s robust preventive measures and the millions spent on cybersecurity.

I’d note that I take my role as a parent very seriously with respect to the safety of my children while traveling in our car.

That means of course that the Prince of Wails is secured in a baby seat and the two other little ones are buckled in before we embark.

Madame Arqala generally rides “shotgun” in these cases. 

And makes ample use of the “phantom” brake and periodic verbal warnings to moderate any perceived excesses in my speed.

Note that those steps are undertaken before not after a crash.

So you’re probably as excited as I am to hear from Joe.

Quote 4

Colonial Pipeline is an accountable organization, and that starts with taking proactive steps to prevent an attack like this from happening again.

It seems that CP’s “accountability” is focused on the future. 

They're looking "forward not backward."

Unspoken is the extent of accountability for pro-actively securing the stable gate before the horses bolt.

That can’t be quite right after all Joe of his statements so far about Colonial’s attitude to protecting critical infrastructure.

There’s got to be more to come.

Quote 5

Although the investigation is ongoing, we believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.

Ah, the answer.

When you hear the word “legacy”, you immediately know that its not current management’s failure. 

It’s like the fraternity or college that has to accept an applicant because he’s a “legacy”. Neither can be blamed if the “legacy” doesn’t work out.

Or “legacy” can also mean something unwanted that you inherited, like your Aunt Stella’s collection of glass figurines. Just stick them in a box and forget about them.

With a name like “Colonial” you might well expect that John Murray, Fourth Earl of Dunmore, George Washington, or Alexander Hamilton probably set up the VPN.

Before you rush to blame any of them, let me remind you that internet security was not as advanced then as it is now. 

Also we learn that the system “was not intended” for use.

But it certainly seems that it was  “left on”.

So Colonial’s management is filled with good intentions among other things.

I guess in some quarters that counts for more than “effective actions”.

But that doesn’t mean that Colonial isn’t taking action now.

Quote 6

We have worked with our third-party experts to resolve and remediate this issue; we have shut down the legacy VPN profile, and we have implemented additional layers of protection across our enterprise. We also recently engaged Dragos’ Rob Lee, one of the world’s leading industrial and critical infrastructure and OT security specialists to work alongside Mandiant and assist with the strengthening of our other cyber defenses. We have also retained John Strand from Black Hills Information Security, another leader in the cybersecurity space, who will provide additional support to strengthen our cybersecurity program.

Clearly quite a bit work is being done now—that is to remind you after the hack.

Can we infer from the long list of remedial items that there were widespread and serious security weaknesses pre-hack?

It sure sounds like it.

With this as backdrop, you probably expect that Joe is about to get a quite grilling from the Senators on the Committee.

Let me remind you that “expectations” just like “intentions” don’t always deliver the wished for results.

Once the transcript of the hearing is published we’ll take a closer look.

Games Fund Managers and Investment Advisors Play and How to Avoid Getting Played

Sometimes the Best Way to Avoid Being Played
Is Not to Play

Among other things, Alicia McElhaney at II keeps a close eye on academic research on the “investment space”.

She’s had quite a run with outlining the games fund managers play.

Here are just two examples.

• 27 May - VC Firms ‘Inflate’ Portfolio Valuations Ahead of Fundraising, Study Shows 
• 9 February - Private Equity Firms ‘Try to Manipulate Their Performance’ When Raising Money

Anyone who is sentient on the buyside has experienced this. 

But it is nice to see academics confirm what we've learned.

So how does one minimize getting “played”?

The first thing to understand is that similar to other sellers of goods fund managers are looking to make a sale and a profit. Sales pitches run from “puffery” to outright misrepresentation.

The second is that these PE and VC and similar products are sold to “sophisticated” investors--the so-called “big boys”. 

Regulators make the laughable presumption that the “big boys” don’t need the usual protections given retail investors.

That means disclosures and sales materials are allowed to be less robust and less detailed. One example relates to presentation of past returns, modelling, etc.

Professional standards of care are also lesser because the imaginary big boys are imagined to be able to take care of themselves. 

Careful investors will draw the following conclusions from those “facts”.

Healthy skepticism is warranted.

Verify first, then give provisional trust, but keep verifying.

If it seems to be too good to be true, you're probably right. 

Begin by carefully reading the prospectus/offering memorandum.

I have had representatives of major firms misrepresent products to me.

During one pitch, I commented that apparently their prospectus was wrong and cited “chapter and verse” from the prospectus to contradict the statement an earnest sales rep had just made.

Whenever I’m given a 1,000 page offering memorandum for all the seller’s products with a central definitions section separate from the product description so that the reader has to jump from here to there to make sense of a product, my antennae get more sensitive.  

Complexity is not the friend of the investor.

Be sure you understand the product.

That means you need to do your own research if this is your first "rodeo" with a product.

But also ask the sales rep to explain the product.  

Be wary of excessive use of jargon which is sometimes designed to deflect questions.  Who wants to admit that they don't really understand "vol" or the "greeks" on derivatives?

As well be wary of vague phrases,  waving of hands, and then the implication that a miracle occurs and you get rich.

The risk section and product/transaction description in the prospectus/offering memorandum can provide a good source of questions. And a check on the what is said in the "pitch".

Presentation of results that do not comply with CFA Institute GIPS (Global Investment Performance Standards) should not be relied on.

Non GIPS results can generally be managed to show whatever the seller wants.

GIPS also requires certain disclosures and prohibits certain practices.

Make sure benchmarks and historic performance make sense.

No one beats the market consistently.

Benchmark selection can affect relative performance.

See my earlier post on Infinity Q Diversified Alpha Fund.

If you do not understand how financial models may be “gamed”, you really should NOT invest in Level 2 and Level 3 assets.

This isn’t just about growth and discount rates, but also how “multiples” that are used to “determine” terminal value can disguise unrealistic assumption about those two previous factors.

If return is tied to or dependent on derivatives, you would be well advised to make certain you understand the downside risks.  

Ask the utilities in Texas who found derivatives a rather costly tuition.  

Or you could ask the good folks at JBS Spain about the derivatives they purchased.

Upward revisions of valuation should be examined carefully.

If one is being pitched, a very simple question is when the last revaluation took place and what the direction and impact was.

Amounts, timing, and the basis for the upgrade.

New funding provided by the fund manager at a higher valuation should not be considered as definitive proof the value has actually risen.

Sales of investments from one of the fund manager’s investment vehicles to another should be questioned, especially when the sale results in increasing the IRR of the selling fund. 

Or sloughing off a dog into a fund that can bear a subsequent loss of value.

Yes this occurs.

Watch out for debt financing tricks that drive IRRs and presumed value. Oh and just incidentally affect the fund manager’s compensation.

On the “outgoing” cash flow from LPs: funding LP drawdowns with debt to delay capital calls.

On the “incoming” cash flows to LPs: refinancing equity with debt to generate a “return of capital” without any realisation of the investment, e.g., trade sale or IPO.

Be sure you understand the skill set of the fund manager and how deals are accessed.

When the fund manager's primary skill seems to be the use of leverage, you may want to consider fund managers with skills in developing the underlying business. 

If the fund manager is buying assets from other funds or via auctions, ask whether he or she is getting a good price?  

If the fund manager is buying an investment from another fund, why does he or she think they can turn another fund manager's "cast off" into gold?  And is it credible?

Be sensitive to offers of preferential treatment.

Once we had a major fund management firm tell us that they were poised to revalue (upwards) investments in their existing fund. 

We could invest in that fund now and take advantage of the lower current (entry) price before mark-up.  Thus, earning a "guaranteed" return.

Needless to say, we not only declined the invitation for this investment opportunity but put them on our “blacklist” on the basis that if they were going to “screw” their existing LPs, we would be better off not becoming one.

Sometime later that fund had what might be charitably described as “disappointing” returns.

The New Era of Due Diligence Likely to be Pretty Much Like the Old

 

Latest Technology, But Still the Same Spots

Over at Institutional Investor on 27 May Nathan Yates wrote how "The Old Era of Due Diligence Is Over. Here’s What the Post-Pandemic Future Might Hold"

A very good article.

Lots of sensible points about why in-person due diligence is better than that conducted over Zoom.

What caught my eye was the comment of one “expert” he interviewed.

Clear, frequent, and honest communication among stakeholders is especially important during remote due diligence and will stay in place post-pandemic.

Three reactions.

As an introduction, I presume that there was some context that is now missing around that quote because it doesn’t make much sense.

It seems to me that “clear, frequent, and honest communication” would be especially important no matter how the due diligence was conducted.

One could also read the phrase “will stay in place” to suggest that it did not widely exist pre-pandemic. 

That’s probably not an unwarranted assumption.  That is, that it did not exist pre-pandemic.

The unwarranted "bits" are that (a)  it currently exists and (b) will so in the future. 

There are many fund managers and investment advisors who come up short in the "clear" and "honest" categories no matter how they pitch prospective and existing clients.

Can we really expect those leopards to change their spots just because they're now using new technology?

Does Zoom have an honesty enhancing effect?

Caveat emptor and some prophylactic measures are probably better steps than hope for change.   

More on that topic to come in a subsequent post on games fund managers play.

Tether - How to Correct Deficiencies in Reporting on Reserves and Simultaneously Set Boundaries

So You'll Have to Read the Post Below

The central premise and promise of Tether is that it will maintain the value of its “stablecoin” at US$ 1 for each tether in circulation.

As outlined in previous posts, there are gaps in the information Tether provides that a careful investor would require to evaluate this promise.

1. The strategy that Tether applies to maintain this “stability” so that an investor could check whether that strategy is appropriate. As noted in this post, Tether has not explicitly done this and from the composition of the reserves I find it hard to believe their strategy is fully appropriate.

2. Sufficient periodic disclosure so that an investor could confirm that Tether is adhering to the promised strategy. As noted in this second post, Tether’s current disclosure of its “reserves” is insufficient to enable this. What were the NYS AG thinking when they set the disclosure requirements for reserves in the settlement agreement?

On the other hand, one could make the argument that someone who buys Tether is not a careful investor but rather a speculator or punter. So any information is likely to be ignored.

Or that the best strategy for careful investors is to avoid any investment in Tether. 

If you want a stablecoin backed by the US dollar wait until the UST issues one.

But let’s presume that this information would be useful to some investors. 

Equally it would also set boundaries within which Tether would have to operate. Perhaps, very advisable given past questionable stewardship of the reserves.

Now as we all know and will be told by cryptocurrency aficionados that one of their main reasons for investing in sh*tcoins is that one certainly can’t trust the government.

That same skepticism should be directed to non-governmental entities, especially a party with Tether’s track record.

How do we implement those information requirements? And not just for Tether?

Here’s a suggested minimum standard model: Fidelity’s Money Market Fund SPRXX.

The prospectus and monthly fact sheet set forth the fund’s objectives and strategy.

An investor would therefore have the information necessary to make a determination whether that strategy is appropriate.

Each month Fidelity discloses each of the holdings in the fund.

It also issues a semi-annual and annual audited financial report with that same information. You can access those here.

Similar reports on holdings from Tether would allow an investor to check whether the promised strategy is being adhered to.

As a holder of a stablecoin, wouldn’t you like to have a commitment as to what are the permitted asset classes, issuers, obligor credit ratings, tenors, concentrations, use of derivatives, etc. that your money can be “parked” in?

So you know if your money is on deposit with Oz at Crypto Capital in Panama or with HSBC London? Or invested in less liquid instruments?

Wouldn’t you also like to check periodically to make sure that the commitment was being adhered to?

Apparently the answer to both questions is no.

The February settlement agreement with the NYS AG had little impact on Tether.

As of 31 March the value of outstanding Tether was some US$ 42 billion.

In early June some US$ 62 billion.

There is as they say no vaccine for stupidity.

The “Big Boys” Market – Ransomware Insurance

 

The Underwriter's New Suit

In the 3 June FT, Ian Smith had an article Cyber Premiums Jump in Face of Acute Threats.

Two quotes from the article and my reactions.

Surge in attacks prompts vigilant insurers to question clients closely about culture, attitude to security and training.

And 

Nor are insurers simply jacking up prices. They are also becoming more vigilant about controls at the companies to which they sell cover.

A big “shout out” for the use of “vigilant”.

The clear implication is that many, perhaps most, have been asleep at the switch.

If you’ve been following my “Big Boy” series of posts, you know I like to puncture the unwarranted myth of the imaginary “sophisticated” investor.

In that vein let’s reflect on Ian’s article using my own personal experience.

When I went to take out an insurance policy on Chez Arqala, my insurance company asked a raft of questions.

• About smoke detectors, their locations, and presence of fire extinguishers and other such equipment.

• I was also asked if we have a home security system, whether in addition to intrusion detection it also had a fire detection capability. Was it set to ring up the authorities? Who were the providers of the home security system?

• Did it have a back-up battery in case of power disruption?

• How far we were from the nearest fire station?

• Whether we stored any flammable or dangerous materials in the house.

• Other than the little people who live with Madame Arqala and me we were clean on that score.

No questions about culture, though. 

I guess he could tell just by looking at me. Or perhaps at Madame Arqala.

The decision to “write” the policy and the premium depended on our answers to those questions as well as our post code.

It boggles the mind that insurance companies writing cover multiples of that provided our house wouldn’t be asking similar questions for cyber cover.

And come to think of it, quite a lot more.

Apparently, they were not doing this.

Now to be fair, the general “take” on insurance underwriting standards is that only life insurance consistently makes a profit.

With other “lines” irrational exuberance and shoddy standards lead to highly cyclical swings in profits.

So much for the “big boys” of insurance. 

At least they are not an outlier among the "big boys"