[Posted on behalf of Steve King Director, Cybersecurity Advisory Services at Information Security Media Group (ISMG) ISMG]
Lessons from past financial crises might prepare us for the long and short-term effects of COVID-19 on the economy and the Cybersecurity ecosystem. Or, not.
The Dot-Com Bubble (2000-2002):
Investors so eager to invest at any valuation in any internet company they ignored traditional financial metrics. "Growth over profits" pushed overspending by tech companies leading to significant cash burn rates across the whole sector.
No alt text provided for this image
At our startup, we had to beat off Investment Bankers – B of A securities literally camped out in front of our offices and begged us to let them take us public. We turned down offers from a dozen IBs.
The NASDAQ fell by 78% from the peak to the trough and it lasted 943 days (March 2000 to October 2002. By the end of 2000 most Internet stocks had declined in value by 75% from their highs, wiping out $1.755 trillion.
Our digital branding and technology company went from $5mn to $48mn to $17mn during that same period. The September 11th attacks in 2001 did not help.
48% of dot-com companies survived through 2004, but at drastically lower valuations, while investors returned to valuation fundamentals of profitability and growth.
The impact on Cybersecurity was a heightened broader demand as technology systems matured, achieved greater integration and became a primary threat vector. And we also began to witness an increased awareness of Nation state threats and Cybersecurity’s role in public safety.
The Great Recession (2007-2009)
Characterized by an explosion of excessive borrowing, exorbitant rise in asset prices, and booming investor demand for shady and excessive-risk securities like collateralized debt obligations (CDOs) underpinned primarily by U.S .mortgage-backed securities illuminating vulnerabilities across the whole financial system.
No alt text provided for this image
In the current financial crisis, CLOs (Collateralized Loan Obligations consisting of a broad range of corporate loans), which, despite industry protestations to the contrary, share many of same structural characteristics as CDOs, may cause similar problems. Moody’s just placed 20% of its rated collateralized loan obligations (CLOs) valued at around $22 billion on review.
This move is similar to the canary in the coal mine gasping for air.
M&A activity sharply declined from $9.1B in 2006 to $1.3B in 2009 and Venture Capital essentially disappeared altogether with a drop in volume to the low-point of the whole decade. The S&P 500 fell by 57% and the peak to trough lasted 517 days (October 2007 to March 2009).
No alt text provided for this image
Sub-prime loan losses in 2007 ignited the crisis and exposed other risky loans and over-inflated asset prices while household net worth fell $11.5 trillion (17%) and the national unemployment rate peaked at 10%.
In response to the crisis, the Federal Reserve initiated a series of large-scale asset purchase (LSAP) programs intended to put downward pressure on long-term interest rates and improve financial conditions and the Fed initiated massive reforms to the financial sector and its supervision while implementing broad regulation intended to staunch the flow of blood.
In Cybersecurity, we first recognized that China was systematically stealing gov’t & commercial IP, and had begun infiltrating our Colleges and Universities with spies and cyber-thieves. It was also the beginning of a massive shift for enterprises who had one or two lines of defense to a newly architected defense-in-depth security posture and the demand for fraud and payments security systems soared.
COVID-19 Outbreak (2019 – Present)
The current global pandemic caused by the rapid spread of the COVID-19 virus has created unparalleled massive disruption to households and businesses. Strict enforcement containment measures have caused a dramatic slowdown and in some cases stopping global economic growth altogether.
No alt text provided for this image
The result has been a complete disruption of supply and demand and a systemic shock to the entire global economy.
There has been an immediate suppression of M&A activity and a suspension of almost all investment activity on the venture capital front. Valuation has dropped precipitously by 40%, and follow-on investment capital has dried up completely.
Going forward, VC investors will continue to support and defend only their most promising portfolio companies, and have warned all funded entities against non-essential spend.
The S&P 500 is down by 19%, NASDAQ has fallen by 13% and the Dow Jones industrial is off by 22% witnessing the fastest 30% decline in equity value in history.
The Impact on Cybersecurity
The impact on Cybersecurity is unprecedented as 90%+ of the workforce are suddenly working remotely resulting in a dramatically expanded attack surface exposing multiple gaps and vulnerabilities across the enterprise.
Amid the chaos of an inadequately planned response to a crisis of this magnitude, nation-state actors and cyber-criminals have amplified their attack activity targeting first responders, hospitals, healthcare, banking, payment systems, hapless untrained employees working from home for the first time and the resultant increase in unprotected points of presence.
How and when this ends, nobody knows.
One thing is certain however and it is that we live in a new era and one for which we are unprepared.
No alt text provided for this image
As you can see from the chart, the Dot-Com fall-out took roughly 250 days for the Dow to drop 30%, Nixon took almost 300, the 2007 financial crisis took over 200, and only the great depression and Black Monday came close to the speed of the current market depression – less than 100 days. By the time it was over, Black Monday lasted 100 days, Dot-Com and the great depression over 2 years each, Nixon took over a year and a half and the market impact of the 2007 financial crisis lasted a full year.
We’re only 2 ½ months into this one.
40% of workers earning $50,000 or less took the brunt of the early job losses, and now, 2 months later data shows that workers earning $100K or more may become the next tranche of jobless. CFO's are planning for another stage of job cuts starting in June and are pushing for the acceleration of automation and security projects.
All organizations, regardless of type are adjusting to a "touchless" business environment which is creating a challenge for risk, audit and compliance while ensuring a safe transition. We have seen enforcement of all of the major legislative regulations waived from GDPR, HIPAA to CCPA and the NYDFS Cyber Shield.
No alt text provided for this image
While the flattening of joblessness is uneven across demographic groups, low-income workers have been hit harder than middle- or high-income earners, yet now their unemployment levels appear to have flattened out. High-income workers, by contrast, appear to still be losing jobs.
Again. We’re only 2 ½ months into this one.
The financial long tail on COVID-19 is fat and full of unexpected impacts – already we have 3 major retailers filing for bankruptcy protection, a 25% decrease in revenue for a soft drink manufacturer owing entirely to empty stadiums and a zeroing out of earning shares transferred to Central America from US immigrant labor unable to collect a paycheck. We have already seen massive disruption is supply-chains, sky-rocketing food prices, destruction of entire segments – ride-sharing, commercial real-estate, temporary office space, small service businesses dependent on a physical urban workforce, to name just a few.
And we have witnessed a transformation of conventional processes for everything from the delivery of medicine to sports, recreation and social interaction.
How the economy responds will be a measure of our tribal resilience and entrepreneurial instincts.
How the Cybersecurity community responds will determine our future national security and economic operational stability in ways that were unimaginable a few months ago. The response will showcase the magnitude of the threat so often ignored by most in the past and underscore the requirement to finally begin addressing Cybersecurity with the gravity it deserves in the future.
Cybersecurity may become as central to social and business interaction as the tools and infrastructure we take for granted today – the telephone, the Internet, the electric grid, water and transportation – at one time in our brief history, we didn’t have an air traffic control system either.
No alt text provided for this image
The future of Cybersecurity in this new era will rely on a transformation to a collective defense, [borrowing that phrase from General Keith Alexander] which will demand cooperation from all participants toward the creation of a cooperative privatized central control system through which cyber-activity can be managed. A sort-of air traffic control system for cyber-defense.
Over the next 18 months, we will discover whether we can move toward that goal or return to the pre-COVID-19 status quo, and breaches as usual. A teachable moment indeed.
Comments