DataTribe Insights - Q3 2021:
Please Show Us Your Vaccine Card…
And That You’re Secure

The DataTribe Team

Introduction

With summer breaks and the boost in travel pent up by the pandemic, it’s easy to overlook a lot that has happened on the cybersecurity front in Q3. It was a busy quarter.

Venture funding was quite active in Q3. It remains a good time to raise money as a cyber founder and venture capital has marked historic returns. However, we (along with everyone else) are wondering when headwinds will start to emerge.

As we pull back and look, we are starting to see a new era emerging – one where proving your organization is secure will be required: to sell to your customers, to get insurance, to conduct business. It’s not new. As many technology industries in the past have matured, they have adopted certifications both to ensure products are not harmful and to enable non-experts to purchase with confidence. For example, customers can be assured that a microwave will not set their house on fire, that boarding an airplane is not likely to result in death, and that mainstream medications are not poisonous. Though cybersecurity compliance frameworks have been around for a long time, we are at the early stages of a broad industry maturation that will create a system that makes it easy for customers to know that products and counter-parties are low risk.

In this quarter’s Insights, we look into how compliance regulation is impacting small businesses, seed funds are proliferating, a small Israeli company compelled Apple to update 1.65 billion devices, and one of the largest heists in history occurred this quarter.

Prove You’re Secure (Or At Least Compliant): Compliance Drumbeat Is Getting Louder

Small business cyber attacks continue to grow in frequency. In the 2021 Verizon Data Breach Report, published in May, on small businesses, Verizon reported that the gap is closing between small businesses and enterprises in frequency, methods, motives, and consequences, with 307 breaches in large and 263 breaches in small organizations.

From Verizon’s 2021 DBIR SMB Snapshot

However, small businesses are adjusting more slowly in their responses, and the impact of a hack on their ability to survive is often greater than for an enterprise. “…the total cost of a single data breach [is] averaging $149,000 for SMBs. For those with limited resources, an attack can prove fatal, causing a reported 60% of small businesses to close their doors following a cyberattack.” (Forbes, 2 June 2021)

In spite of that, it remains true that many small businesses don’t know, don’t care, or don’t know what to do about the problem. Over the last quarter, we have seen a number of entrepreneurs solving the “don’t know” piece of the equation. Small businesses tend to lack the personnel or resources for a robust digital security solution, and the entrepreneurs we have spoken with take varying approaches to offer low-cost, simple, and comprehensive solutions, sometimes augmented by specialty security services.

Meanwhile, regulators, industry associations and large organizations managing their supply chains are attempting to address the “don’t know” and “don’t care” parts of the equation. In September 2020, the Defense Federal Acquisition Regulations (procurement law applicable Department of Defense (DoD) contractors) were amended to require Cybersecurity Maturity Model Certification (CMMC) compliance by 2025 for any company receiving or bidding on a DoD contract. CMMC is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). Similarly, the National Association of Insurance Commissioners (NAIC) published a model data security law for state legislators to consider enacting. Several states have, some with effective enforcement mechanisms, including “suspension or revocation of license”.

We expect the innovation trends to continue in the coming quarters. Augmented by expanding regulatory compliance, this prevents a substantial opportunity for entrepreneurs and investors alike.

Q3 Cyber Deal Activity: Cyber Is Less Bouncy

Q2 and Q3 of 2020 marked the lowest seed venture capital deal volumes in all categories since 2011, and Q2 2021 was highest of all time at 847 deals, exceeding similar peaks in 2014, 2015, and 2019. Q3 2021 held that peak with 822 seed deals in all categories reported as of the end of the quarter. The same was true for series A deals of all categories. Q2 2021 peaked at 437 deals reported, and Q3 2021 at 434, exceeding previous deal volume peaks in Q2 of 2017 and 2019 each by more than 10 percent.

However, early-stage cyber deal volumes have not rebounded with the same speed. Previous peaks in cyber seed-stage deal volumes occurred in Q1 2019 with 32 deals, and Q1 2017 with 33 deals. Deal counts understandably dragged in 2020 averaging around 15 seed-stage cyber deals per quarter, and 2021 has averaged 17 seed-stage cyber deals per quarter, with only 16 in Q3, down from 25 in Q2.

A possible explanation for the slower rebound, in spite of news of headline cyber investments and a rush to invest in early stages, is the valuation trend that continues to climb. Cyber also did not dip as much as the rest of the early stage in 2020 so it does not have as big of a recovery to make. As we mentioned in Q2, valuation data tends to be noisy, because it is not consistently made public. However, the trend in both cybersecurity and all verticals continues to increase.

The other trend that continues without deviation is that the capital invested in each round continues to increase, though seed rounds are increasing at a slower rate than later stages.

Even the Giant Trees in California Produce Seeds

Valuations are not frothy if a company is consistently generating revenue and growth numbers to justify a high multiple. We still believe the current market is fundamentally different from the technology market of the late 1990s. However, as record amounts of capital continue in public and private markets, venture capital investors continue to push down market, seeking returns. 2020 was a banner year for new seed funds, with VC’s raising nearly $12B (PitchBook). 2021 is trending toward the second largest year for new seed capital raised by VCs. Just in the last quarter, Andressen Horowitz and Greylock Partners announced $400M and $500M seed funds, respectively. Of note, Greylock “treats seeds as concentrated core investments, not hundreds of loss-leader options” with typical day-one checks from $2 to $20M. Those are large seed checks. This is great news for entrepreneurs, though a market pullback could produce formidable challenges for founders that take money at inflated valuations.

Datasource: PitchBook,
Criteria: venture capital early stage funds, seed round preferred deal type, US only

A Stack of $100 Bills Taller Than The Empire State Building Goes Missing

Wait… who even uses cash anymore? That’s not the point. In August, over $600M was stolen in the Poly Network Hack and a week later, $97M was stolen in the Liquid Network Hack. This record-sized heist barely broke through the tech news cycles for just a couple days!

Some of the Largest Non-Digital Heists in Modern History:

  • $920M – Central Bank of Iraq, Baghdad, Iraq (2003)
  • $500M – Isabella Stewart Gardner Museum, Boston, MA (1990)
  • $282M – Dar Es Salaam Bank, Baghdad, Iraq (2007)
  • $100M – Antwerp, Belgium Diamond Heist (2003)

Just in the last year, hackers have stolen at least $995M in digital assets – and that’s just across three high-profile incidents. Some estimates put annual cryptocurrency or DeFi (decentralized finance) theft in excess of $1 billion (yes, with a ‘B’) annually. Add to this the history of the 2014 Mt. Gox bitcoin exchange fiasco where 850,000 bitcoin (~$500M at the time, worth much more today) went missing, and it seems we truly are in the Jesse James early days of a new financial era. It should be noted that most of the cryptocurrency that was stolen in the Poly Network hack was later returned by the hackers, who claimed they did the attack to expose weaknesses in the network.

But who needs adversaries when your own errors can do the job? At the very end of Q3, an upgrade to the Compound decentralized finance protocol mistakenly distributed $90M ($90 million!) to people in transactions that cannot be rolled back by design. Wow, that really puts quality assurance in perspective.     

Whereas the Antwerp diamond exchange no doubt has robust security, it only has to worry about thieves physically located in Antwerp. In an increasingly digital world, where a hacker 10,000 miles away can walk away hundreds of millions of dollars, the imperative nature of cybersecurity becomes impossible to overlook.

Cybersecurity Trends
Thought of the Quarter

Yup. Blockchain is Just a Tool… But a Powerful One

Blockchain technology, more specifically immutable ledgers, were the hot topic in tech a few years ago. Eventually, the hype subsided, but we are seeing a resurgence and a climbing out of the Gartner Hype Cycle’s “Trough of Disillusionment” into the “Slope of Enlightenment.”

This time, blockchain is rarely mentioned by name. Instead, entrepreneurs reference the “immutable ledger” that is a component of a broader product offering that solves a real problem. No longer is blockchain the product. It is an enabler – significantly different from the boom a few years back.

In cybersecurity, we see immutable ledgers (i.e. blockchains) supplanting passwords – a 50+ year-old concept – as the de facto proof of identity in next-generation identity solutions. At DataTribe, we also regularly see blockchains appear in data security platforms that are creating trusted audit trails for data lineage.

We believe we will continue to see blockchains as components of broader platforms as the technology continues to settle into its place as a useful tool, among others, at developers’ disposal as they architect solutions.

No Summer Break for Biden’s Cyber A Team

In Q2, on May 12th, President Joe Biden issued his Executive Order on “Improving the Nation’s Cybersecurity.” In a June face-to-face summit, Biden told Putin to knock off the cyber misbehavior presenting specific categories of critical infrastructure that are off limits. In Q3, the Biden administration has continued the push – driving its cyber agenda forward. Kicking off Q3, just a couple of weeks after meeting with Putin, the Biden team released details relating to Russian hacking in an effort to further increase pressure.

Biden extended his commitment to cybersecurity on August 25th, when he met with tech, financial services, insurance, education, and energy CEOs at the White House to discuss the growing threat of cyber attacks on U.S. infrastructure and institutions. The meeting concluded with various commitments from industry to bolster the nation’s cybersecurity, a good sign for a hopefully productive public-private partnership.

The newly appointed National Cyber Director, Chris Inglis, focused in Q3 on defining the mission for his new office. It’s a new and strategic position, so it will (and should) take some time to tune the scope of the role. Meanwhile, Anne Neuberger announced plans for a 30-nation summit on a counter-ransomware initiative. Jen Easterly, head of Cybersecurity and Infrastructure Security Agency (CISA), along with Chris Inglis testified to their support of new incident reporting legislation.

Cybersecurity is a geopolitical issue, and the Federal Government appears to be elevating its leadership role in the nation’s cybersecurity. The Biden White House, more so than any previous administration, is making cybersecurity a national and economic security imperative.

50,000 Reasons To Shine Light On Cyber Weapon Sales

Early in Q3, the Israeli spyware vendor, NSO Group, received some unwanted attention when the Washington Post, in partnership with other news outlets, made public a list of 50,000 phone numbers, allegedly all targets of the NSO Group’s Pegasus product. They have been in the news previously, but this wave of attention in August further highlighted the significance of questionable actors using nation-state grade spying tools.

Related, later in Q3, Apple released an emergency update to fix the zero-click zero-day vulnerability that the NSO Group exploited. Nevermind the cost to Apple – or the inconvenience and time wasted to address this vulnerability, or the scale of impacting the owners of the more than 1.65 Billion devices.

The fact a small private business such as NSO Group can capitalize on such a global security risk highlights the monumental leverage of a cyber attack. This should give everyone pause.