Announcer: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities and Jake Bernstein, cybersecurity counsel at the law firm of Newman Du Wors. Visit them at cyberriskopportunities.com and newmanlaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Jake, today, we're going to talk about the major cyber risk of private equity firms.

Jake Bernstein: Okay. And what is that cyber risk?

Kip Boyle: So it's when one or more of their portfolio companies is so damaged by a cyber attack that they lose most or even all of their investment in that company.

Jake Bernstein: That sounds bad.
So in order to talk about this, are you going to review an actual case?

Kip Boyle: Absolutely. Unfortunately, there is a real case and it's pretty recent. And I think we should take it apart and see what we can learn.

Jake Bernstein: All right. Well, let's get this show started. And where do you want to begin?

Kip Boyle: So let's begin by reviewing what a private equity firm is. This is important because although maybe members of our audience are very familiar with private equity, I assume that there are a number of people who only are superficially familiar with it. And this is where I'm going to disclaim, and I love borrowing from your jargon, that I am a cyber risk expert, but I'm not an expert in private equity. I think I know enough to do the show, but so I'm going to be careful. So listeners, if we get anything really wrong, be sure to let us know, send us a LinkedIn direct message or drop us an email. Let us know if we got anything really, really wrong here. But I want to keep it simple. So the reality can be very, very complicated. There's all kinds of different permutations of private equity strategies, and the way that you can form the business, and so forth. But so let's just keep it simple.

And so let me just tell you a few things about what a private equity firm is. First of all, it's an investment management company and it provides a source of money for companies that have the potential to get bigger and more valuable within a five to seven year period. Now, where does the PE firm get its money? Typically, it gets it from a number of wealthy individuals and institutional investors, so they get money from those folks. They pool that money and then they use it as a fund in order to go and actually take ownership stakes positions in firms that they believe have the potential to grow quickly and to increase in value very fast. So I think of it conceptually as kind of like a mutual fund, except private equity invests in a few private companies rather than a large number of a public ones.

Is that making sense to you so far, Jake?

Jake Bernstein: I think so. It sounds a little bit like venture capitalism. That's, I guess, what it is. But we wouldn't necessarily think of them in the exact same terms as we would a venture capital company.

Kip Boyle: Yeah. I think that's a great point. So venture capital is very conceptually similar. You've got people who have money and they're looking for companies that can grow and become more valuable. But I think while there's some overlap, right? So you can have a private equity firm that specializes in funding startups, or companies that are maybe just a few years old. What I notice is that a lot of private equity firms are focused more on what I would call the middle market. So these are companies that are more or less proven in their product market fit. They're generating revenue. They're not really considered startups anymore, so they're not risky in that sense.

Venture capitalists are looking to make huge, huge profits by coming in super early on something that's going to get really big. And I think of Uber as one example, all these unicorns, these so-called unicorns is an example of a venture capital, which I think could be thought of as a form of private equity. But a PE firm is going to get ownership in the company. And typically, they're going to get a majority ownership. And they do that because they've just put a lot of money in and they want control. That's very common. That's my simple, quick thumbnail sketch of what a PE firm is.

Would you add anything?

Jake Bernstein: Not right now. I think that is pretty much what we are... That's how we should conceptualize it.

Kip Boyle: Okay, great. And I only did that so that we can talk about the actual case here of cyber risk gone wild.

Jake Bernstein: Yep, let's do that.

Kip Boyle: All right. So let's talk about a Denver company called Colorado Timberline. And if you go Google search, Colorado Timberline cyber attack, you are going to find a lot of good stuff because that's what I did. And let me just say right up front, they're out of business. They're bankrupt. And it happened because of a cyber attack. So Colorado Timberline was a mid-sized promotional items' printing company. So if you've ever gone to a trade show and you see all the swag that the vendors put out, t-shirts, coffee mugs, pens, key chains, and then the banners that they hang printed on vinyl or foam core, right? So Colorado Timberline did all that stuff. They even would do etching on glass. I mean, everything that you would expect in terms of promotional items. I mean, if you had a logo, they would put it on pretty much whatever you wanted. That's pretty much what it was.

And it was also a somewhat capital intensive company because they had printers and they had lots of them and lots of different types of them. They had these... And I've seen photos online... They've had these wide carriage printers with rolls of coded papers feeding into them. I mean, we're talking like five foot wide printer carriages. And then the whole chassis of this printer was just enormous. I mean, it had to be located in a warehouse. It was just gigantic. This is not some little work group laser printer that you can just kind of move around whenever you wanted to. Laser etching equipment. Tons of inventory. So, all these key chains, and mugs, and, whatever they were going to personalize, they had to buy a lot of that and then they had to personalize it and then they had to ship it. So they even had forklifts. So they had a lot of tangible stuff. And their office and their warehouse was co-located about five miles Northeast of downtown Denver. And if you look on Google Map, you'll see that they're just north of Interstate 70.

And the founder and president was a guy named Dan Greene. And the first mention of Dan and his company that I found online was in September, 2006. So not a startup in the sense that they came out of nowhere and then started to shoot like a star into the sky. So they'd been around for a while and had established themselves. And they must have been attractive enough in terms of their business potential to get private equity investment. And one thing I know about private equity investors is they're very shrewd. They do their homework and they're only going to put their money into a company that has a lot of potential.

And so even though Colorado Timberline was privately held and did not publish how many employees they had, how much revenue they generated. There were some estimates that I found online. So LinkedIn estimated that they had between 200 and 500 employees. I found smaller numbers elsewhere on other websites. I found various revenue estimates, like there's a site called owler.com and they said they estimated $23 million a year. I don't know. But I'm telling you all this because I think it's important for the audience to realize that this was a real company that real people worked really hard to actually build, right? This is like the foundation of the American economic system.

Jake Bernstein: It is. It was a significant medium business for sure.

Kip Boyle: Definitely. With the potential to become much larger-

Jake Bernstein: Much larger, yeah.

Kip Boyle: ... generate profits, right? I mean, most jobs in the United States are jobs at small medium businesses. Colorado Timberline I think was a very prototypical poster child type company. And again, it's really important for people to realize this I think because these are the companies that are getting hurt. And there are a lot of them too.

Jake Bernstein: I think it's easy for people to look at a cyber attack victim who gets wiped out and say... It's a typical human reaction of, "Oh, well, that's not me. They're somehow different. They made this mistake here. I don't do that."

Kip Boyle: Yeah, they had it coming to them.

Jake Bernstein: Yeah, exactly. And I think that's a natural thing to do and it has some value to do that analysis always. But I think at the same time, I would imagine that this company felt that way as well, like it's not going to happen to us.

So you've got roughly 200 to 500 employees, 20 million or so in revenue. When did the PE firm get involved?

Kip Boyle: So in June of 2017, Colorado Timberline becomes backed by private equity. So if they started on or around 2006, so it's 11 years, right, if I'm counting on my fingers here and doing the math? So they've been operating for like 11 years, then all of a sudden, for whatever reason, private equity comes in and acquires them. And actually, they're acquired by two companies Frontenac, which is based in Chicago and Charter Oak Equity, which is based in Connecticut. I don't know much about these firms. I've browsed their websites and so I've got a little bit of a sense for what their investment strategy is. I don't know why they both invested in Colorado Timberline. That would be an interesting thing to find out. But in any event, June of 2017.

Jake Bernstein: And I think that, that action right there shows that this company had real potential because private equity firms, as a rule, don't go around investing in random companies. That's just not how private equity works.

Kip Boyle: No, definitely not. They're not diversifying their investments among thousands of companies as a mutual fund would. They've maybe got a basket of 12, something like that... 10.

Jake Bernstein: Yeah. And they're oftentimes putting a lot of energy and effort into analyzing each of those companies specifically.

Kip Boyle: Yeah, absolutely. Yeah, we could probably think of it as a full body cavity search when they're thinking about doing an acquisition or an investment.

Jake Bernstein: Oh, yeah.

Kip Boyle: Yeah. So two ostensibly very smart, studious private equity firms, in June of 2017, put money into Colorado Timberline.

Jake Bernstein: Okay.

Kip Boyle: All right. So now, here's where it gets hairy. So what wiped all this out? Well, just over one year after the acquisition, so August of 2018, on Colorado Timberline's Facebook page, they make an announcement that they've suffered a major cyber attack. They don't say what it is, but my guess in reading it and reading in between the lines, probably a form of ransomware, but they're not releasing a lot of information about this. But what they are talking about is the impact to their customers. And they're saying, "My goodness, we're so sorry. Orders are delayed. And we're really struggling here." So that's the first time that they talk about it publicly, is about a year later.

And then just one month later, so on September the 12th, 2018, on their Facebook page, they say, "We're done. We're throwing in the towel. We've had this devastating ransomware attack and we're out of business effective immediately. So sorry." And their website goes offline the very next day. And there are news articles that start to become published about their bankruptcy and how customers are being left in the lurch. And if you do a Google search right now, you should have no trouble seeing them. And then January 10th, 2019, all of Colorado Timberline's tangible assets go up for auction. So I'd said a moment ago that I'd seen photographs of their super wide carriage printers and their lasers or etching equipment and their forklifts, then that's because they were all photographed and they were all auctioned online. So every tangible asset is gone now.

Jake Bernstein: Wow. So, I mean, that's a swift end to what was, I mean, really a growing company. I mean, just been backed by two private equity firms, sufficiently sized. And I mean, kind of in the blink of an eye it's gone.

Kip Boyle: Yeah, really, very swift. Made their customers head spin. I've seen... And you can see if you want... lots of people talking online about, "We paid money for promotional items, are we ever going to see them?" I remember somebody saying, "Our stuff was on the dock ready to be picked up to be delivered to us, can we come by and collect it ourselves?" They definitely left a smoking crater in the ground in terms of their customers. And you think about people out of business, or people out of a job. Even if there was less than 200 people on the payroll, you're talking about a lot of people that have to go find new jobs now. And I know that employment is at historic low, so I hope they all have landed on their feet and are doing fine, but who wants that? Who wants that?

And I think this is the thing that I struggle with the most here is because I think it's one thing for a company to go out of business because it was a bad business, maybe it was an unethical business, perhaps it didn't sell its products and services for a reasonable price. There's all kinds of reasons why I think in a capitalist system a business could and should go out of business. But for this reason. I mean, this is an act of war in my mind. And I can't help but to think that this is wrong.

Jake Bernstein: It is definitely wrong. And it's definitely, being... This company, Colorado Timberline, was definitely a victim of some form of attack. And it would be great if we knew more because obviously the more we knew, the better we could analyze this incident. But I think that what you can get from this is the necessity to conduct cyber security related due diligence. Just no matter what the occasion, particularly if you're a private equity firm, you probably need to be doing cyber security risk assessments on all your potential investment targets.

Kip Boyle: Yeah. So pre-investment, and post-investment too. I mean, this is after the money went in. And I don't know what due diligence they did going into it, but whatever it was, it was insufficient because this company got taken over. And I don't feel all that awkward that I don't know too much about the specific piece of malicious code and how it all went down, because my guess is that we could go pull the records off of another case where we do know a lot, another company being attacked by ransomware, and it would probably be very, very similar, right? So my guess is they lost control of all their computers, which means they can't take orders. They can't fulfill orders. They can't ship finished product. They can't collect money owed to them. This is a small company in Colorado, but the effect is not that different from the effect say of NotPetya on Merck Pharmaceuticals. They lost control over all their computers.

Maersk, the shipping company, same thing happened to them. FedEx in Europe has a subsidiary called TNT. They lost control over all of their computers. They couldn't accept new shipments. They didn't even know where the shipments that they had in their possession, they didn't even know where they all were. They didn't know how to deliver them. They just kept stuffing them into warehouses up to the ceilings, and then some. So I don't think this is any different for a small company than it is for the very large ones. And unfortunately, for the private equity firms, maybe they'll get back pennies on the dollar. I don't even know if they're going to get anything back. I mean, you auction off all this tangible equipment, but there's closing costs. And I don't know that-

Jake Bernstein: Well, and the court would have... One thing I am familiar with is the bankruptcy procedure here. And the bankruptcy is going to dispose of pretty much all the assets.

Kip Boyle: But a company like that is going to have some tangible assets, but I just can't imagine that as expensive as that equipment is, at auction it's probably not going to generate a lot of money. I don't think it's going to come anywhere near close to recovering the investment.

Jake Bernstein: No. No. Not only would it not... I mean, they'd be lucky if it even paid for the outstanding debts. I mean, a company like Colorado Timberline, even if it's doing... $23 million might be a lot in revenue, but what's the cash flow, right? And I think what we have to ask ourselves here is what's the difference between a company like this and a company like Maersk or FedEx? And the answer is, quite honestly, cash on hand and resources to come back.

Kip Boyle: Right.

Jake Bernstein: And I would bet that this type of company was operating on a relatively razor thin kind of cash flow basis there. And again, I'm a cyber security attorney. I'm not a finance guy or a highly... Not quite sure if I'm using the right terms, but my point really is that a ransomware attack that you're not prepared for, doesn't have to do all that much actual damage to take you out permanently.

Kip Boyle: Yeah, that's true. So that reminds me that during an earnings call in June of 2019, the CEO of Federal Express... I still call them Federal Express... So FedEx made a comment on the earnings call that essentially said if TNT was not a subsidiary of FedEx at the time of the NotPetya cyber attack, they would've been bankrupt. That the only reason that that company survived is because FedEx, as a parent Corp, infused all the money that was necessary to keep them from going out of business. And I don't understand why this is not more widely reported. This is a material... This is a major thing for us to realize is that cyber attacks can put multi-billion dollar companies out of business. I mean, that is amazing.

Jake Bernstein: Well, and I think that one of the... There's definitely a kind of a breach fatigue that has in the news cycle. And I think the problem with focusing on data breach is, data breaches are interesting, because they don't necessarily have anything like the same immediate effect that a ransomware attack would. Let's just say that Colorado Timberline had been the victim of a data breach instead of a ransomware attack. And what happened is that, all of their customers' names were leaked to the internet. Now, if we assume that that's even a problem in the first place, it doesn't affect... It's embarrassing perhaps, but it doesn't affect their operations. But the problem with a ransomware attack is that it directly impacts the ability of any company to do day-to-day business. And I think back to also part of NotPetya, a very large international law firm, DLA Piper, its entire operations were shut down for five days. And if you think about the amount of money that cost them, it's staggering. They have a thousand attorneys, none of whom could bill for five days.

Kip Boyle: Well, lost revenue, but then all the carrying costs of just being a business are continuing to accrue. And when you're a professional services firm, you're selling the time of your people, and it's very direct

Jake Bernstein: At the same time though, if you think about it, a company or a professional services firm like DLA Piper is actually in a position to survive that type of attack much easier than a company who's extremely dependent on a constant flow of cash and goods out the door.

Kip Boyle: Right.

Jake Bernstein: Colorado Timberline, I think, is the quintessential example of a company that has a very hard time surviving even a few days of business cessation as a result of a cyber attack. And-

Kip Boyle: And I got imagine they didn't even have insurance to cover this, right? Because if they had, perhaps they'd still be in business.

Jake Bernstein: Well, I think what's clear is that not only did they likely not have insurance, they were also, I think it's fair to say, rather unprepared. Now, we don't know that for sure. It's possible that this was a situation where the company was being reasonable and this was just a unusually destructive cyber attack. But at the same time, everything we know about ransomware attacks are that they are opportunistic. They are relatively random and they are eminently recoverable from, if you are prepared.

Kip Boyle: Right. Yep. I mean, it's like a hurricane. You see the hurricane coming and you can get prepared, but you really should have done your preparations before the storm ever got named. I think of ransomware attacks as less like a hurricane though and more like a sudden, extremely severe earthquake. Something that can't be predicted, but is catastrophic when it hits. Now you can survive that, but only if you've done the preparation work.

Jake Bernstein: Right. Yeah.
Actually, I'm going to adjust your metaphor there because I think in earth, the problem... I actually don't think of it as an earthquake because earthquakes are incredibly rare and unusual, right? I think a tornado is maybe a better example for ransomware because like everybody knows that there's going to be X number of tornadoes every year, and that number is usually in the hundreds, right? If you live in an area where tornadoes exist, you know there are going to be tornadoes every single year.

Kip Boyle: And many of them.

Jake Bernstein: And what you don't know at any given time is where it's going to strike, how much damage it's going to do, how big it is, but that there's going to be tornadoes. I think ransomware is much more like a tornado in so far as we know it's going to happen. We know there's going to be X number of ransomware attacks every year. We just don't know who and how big.

Kip Boyle: Yeah. No, I think that's a much better, much more apt analogy, tornadoes. Yeah, strikes without warning. There's a lot of them, they're devastating. You can prepare for them. Yeah, that's great.

Jake Bernstein: Yeah. And I think that ransomware, that's kind of what it does, right? It's like a tornado going through your data systems.

Kip Boyle: Yeah. Yeah, it really is. And flinging everything around so you can't find your stuff.

Jake Bernstein: Yeah. So I think that this is a really unfortunate but also very important cautionary tale. I think that I agree with you that the financial harm to companies like TNT and Maersk and all these other large companies goes under-reported because, at the end of the day, there's a huge number of businesses that will have bad quarters here and there. Right?

Kip Boyle: Yeah.

Jake Bernstein: And the thing is that what we need to do though is not be complacent because, well, none of those companies went out of business.

Kip Boyle: Right.

Jake Bernstein: Well, they didn't, but they're also some of the largest companies in the world. And I think that the FedEx earnings call that you mentioned is incredibly instructive. If TNT, that subsidiary, which is I think, as you said, FedEx's European arm, they had not been part of one of the two largest delivery companies the planet has ever seen, they'd be gone.

Kip Boyle: They would be gone, and that's shocking.

Jake Bernstein: That is shocking because TNT on its own is not a small little company. It was still delivering to much of Europe.

Kip Boyle: Right. I mean, its major competitor was DHL. DHL is basically the German post office, it's big. It's big.

Jake Bernstein: Right crosstalk.

Kip Boyle: Yeah.
And you can actually see how DHL did... Actually, NotPetya became a wonderful opportunity for them because with TNT's inability to do anything that it's supposed to do, it lost a lot of customers. They defected to DHL in an instant because if your business depends on moving packages, then you can't sit around and wait. What's really instructive is that TNT and DHL are publicly traded companies and they have to disclose information. So you can look at the DHL financial disclosures following NotPetya. You can see their revenue, their profit, the shipping volumes are all going up. They are making out like bandits. And only because they kept their doors open when their big competitor did not.

Jake Bernstein: And this just kind of brings in our piece to mind here of this whole puzzle is if you think about the ability of a company to recover from a ransomware attack, it's actually pretty interesting. Like compare DLA Piper to the TNT, TNT was basically a commodity service. There are competitors who can quickly shift over to move your package from point A to point B. A professional services firm, unless they're going to be out of commission for months, the cost of moving your business is probably higher than just waiting for them to get back online. So this is another reason why certain types of companies are going to be more susceptible to rapid ransomware devastation compared to others. For DLA Piper, yes, it cost them a lot of money. I'm sure it cost a few clients here and there. But at the end of the day, you're talking five days, most clients are going to just be like, all right, well, that's unfortunate, but we're not going to move our entire case because it would literally cost us 10 times more to do that.

Kip Boyle: Right. Yeah. Right, the switching costs are just enormous.

Jake Bernstein: Switching costs, right?
But you take something like Colorado Timberline which is a... It's a commodity type service, right? It's a marketing materials... It makes goods. There's lots of other companies that do that.

Kip Boyle: Right. Yeah. I could take my specs for the etched beer steins and just retransmit them to a competitor of Colorado Timberline and I have to pay twice, which really bothers me, but I can still get what I need.

Jake Bernstein: Exactly. And so I think the message here from a private equity standpoint would be, "Hey, look, not only do you need to be doing cybersecurity risk assessments on all of the business that you invest in and not only pre-investment, but also post-investment and on an ongoing basis. But also, tailor that amount of cybersecurity assessment and mitigation effort to the type of company that you're dealing with. I mean, I think there are some companies that just need to have a higher level of cybersecurity management than others simply because they won't be able to survive if they crosstalk coming up.

Kip Boyle: Right.

Jake Bernstein: And I think that's just another piece of the kind of overall puzzle that you're always dealing with.

Kip Boyle: Yeah.
Okay. Well, I think we beat this one to death.

Jake Bernstein: I think we have.

Kip Boyle: So, that wraps up this episode of the Cyber Risk Management Podcast. Today, we talked about the major cyber risk of private equity firms. We'll see you next time.

Jake Bernstein: See you next time.

Announcer: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR and IT for full effectiveness. Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk business strategy program. Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.

Thanks for tuning in. See you next time.