Why Is Meta Choosing to Settle Over Cambridge Analytica? Also: Troubled Times for the InfoSec Market? Why Change Is Needed in the SOC
The latest edition of the ISMG Security Report analyzes why Meta has agreed to pay $725 million to settle a class action lawsuit accusing the social media giant of allowing third parties to access users' personal data, how the median stock price dropped 40% among the 32 publicly traded security firms, and why an infrastructure change is needed in security operations centers.
In this report, you'll hear:
- ISMG's Mathew Schwartz discuss how Meta has reached a $725 million agreement to resolve a class action lawsuit filed over Facebook's user data-sharing practices involving Cambridge Analytica's big data research;
- ISMG's Michael Novinson explain why 2022 was a rude awakening for the cybersecurity industry;
- Analyst Nat Smith of Gartner state why a "paradigm shift" is required in the SOC and how to achieve it.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Dec. 22 and Dec. 29 editions, which respectively discuss why it is always a bad idea for organizations to pay hackers for data deletion and what cybersecurity experts predict for 2023.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Anna Delaney: Meta seeks settlement over Cambridge Analytica, and why 2022 was a rude awakening for the cybersecurity industry. These stories and more on this week's ISMG Security Report. Hello. Happy new year. I'm Anna Delaney. Meta has reached a major settlement agreement over allegations that it failed to protect its users' privacy. Joining me to discuss is Mathew Schwartz, executive editor of DataBreachToday and Europe. Matt, it seems tough to keep track of all these different legal cases and privacy agreements that involve Meta, meaning Facebook and Instagram. What's happening here?
Mathew Schwartz: Certainly, Anna, there's a long list of alleged or upheld violations that Facebook, Instagram, Meta have been part of. So this one is a $725 million agreement, which would resolve a class action lawsuit that was filed over Facebook's user data sharing practices. Now just to jog people's memory, this is about the Cambridge Analytica scandal. That was a big data research consultancy, which was used by numerous politicians, notably the Republicans during the 2016 U.S. presidential election. And here in Britain - the Brexit campaign. So, the agreement has yet to be approved by a judge, but it's an agreement between plaintiffs and Meta, and it would settle multiple lawsuits that were filed after the personal data for 87 million Facebook profiles was transferred to Cambridge Analytica in violation of Facebook's policies. Facebook said - as I just mentioned - that this violated its policies, and yet it didn't know that its policies were being violated, hence the allegations that it failed to protect users' information. Now, this is a big action. The class action lawsuit that we're seeing potentially get resolved via this settlement is the result of 42 separate lawsuits that were consolidated in 2018. There are a bunch of claims, these were boiled down, and the case against Facebook here, which rebranded to Meta last year, continues in San Francisco Federal District Court. But when the settlement agreement gets heard by a judge in the coming months, it could finally resolve all of these lawsuits.
Delaney: $725 million does sound like a hefty amount. But when it comes down to it, how much of a dent would this be on Meta?
Schwartz: Well, I don't think it's going to hurt Meta. It's an interesting figure, it's nearly a billion dollars. But if you look at the settlement agreement, they talked about how many members of the class there are, meaning how many people will be part of this lawsuit. And my back of the envelope math is that it might work out to $3 a person, although that doesn't factor in the up to 25% of the settlement agreement going to attorneys. So, on a per-user basis, it's certainly not going to make any of the alleged class members rich. However, it does stand as a very serious monetary penalty for a company that neither admits to nor denies having violated privacy, because that's how these settlement agreements work. You don't agree to anything, you just give a lot of money to make it go away. So it's a lot of money. And we've ended up with this curious - I don't want to say twilight zone, but parallel reality where all of these data breach lawsuits that we see inevitably get settled before they can go to jury trial, because I think, and legal experts say companies don't want to allow a jury to decide how much damage there has been. So they pick a figure they're comfortable with and settle before it gets to that point. But you end up with this weird reference in settlement agreements to previous settlement agreements. So in the settlement agreement, they say this $725 million agreement is a lot compared to other settlement agreements that have been reached, never a jury trial setting the bar, but basically companies trying to make sure that the amount doesn't go up too much, should you give a jury the opportunity to make that happen.
Delaney: Matt, how does this rank with Facebook's previous settlement agreements?
Schwartz: It's a long list, it's tough to keep track of them all. This doesn't top the charts though. In 2019, Meta settled with the FTC in the United States for a record-setting $5 billion, again over this Cambridge Analytica scandal. It also settled here in Britain with the Information Commissioner's Office for the maximum possible fine at that point of 500,000 pounds. It's also paid Italy the equivalent of a $1 million fine over Cambridge Analytica. Now, when it settled with the ICO here in Britain, Facebook executives acknowledged the company should have done more to investigate how Cambridge Analytica was using customers' data. Now, is this a case of just shooting the middleman? Cambridge Analytica has also been sanctioned by the FTC for using the information it scraped from social media profiles for voter targeting campaigns. The FTC issued Cambridge Analytica a cease and desist, and British authorities have banned its CEO from serving as a company director for seven years as a result of his "potentially unethical" practices. So there's been a lot of fallout from Cambridge Analytica. Will this be the end? We don't know. There's a lawsuit that's been filed in the District of Columbia under its Consumer Protection Procedures Act, which prohibits unfair and deceptive trade practices in connection with the offer and sale of consumer goods. I've reached out to them to say, given this settlement agreement that's been reached and all the other agreements that have been reached, is your lawsuit still in play? I haven't heard back from them yet. It's possible Facebook could still need to eye a settlement with the District of Columbia.
Delaney: Has Meta finally learned its privacy lesson?
Schwartz: Hopefully so, and it'll definitely have the FTC and others looking over its shoulder to make sure that it does.
Delaney: After two sensational years in the public markets during the height of the COVID-19 pandemic, 2022 was a rude awakening for the cybersecurity industry, says my colleague Michael Novinson, ISMG's business editor, who happens to be joining me now to explore some of last year's key market trends. Very good to see you, Michael. Michael, you've written that there was a median stock price drop of 40% among the 32 publicly traded firms that derive much of their revenue from cybersecurity. Can you talk about the reasons behind the steep drop and any highlights you want to draw to our attention? Michael, does any of this surprise you?
Michael Novinson: Absolutely. And thank you for having me. So investors really shifted their priorities between 2021 and 2022. 2021 was about growth at all costs. So they liked companies with high double-digit, triple-digit growth rates, weren't really concerned if the companies were losing money, and maybe even were having to spend $3 to make $1. They just wanted to see that high top-line growth. 2022 is a very different story. Investors became much more conservative with the economic downturn and ideally wanted to invest in companies that had a broad product portfolio and were making lots of money today. If they weren't making money today, they had a path to making money in the near future. So the trend in the cybersecurity industry is that there are very few companies that make money. Check Point makes a lot of money, close to a billion dollars a year. They've been doing that for many years. Fortinet makes some money now, not as much as Check Point, but they're also growing faster. And then that's about it. There are companies like Dell before that make a small amount. But most cybersecurity companies operate at a loss. And the agreement they essentially had with investors is that they would grow their way to profitability, kind of like Amazon was able to as they moved from logistics into cloud computing. I think from investors, that deal's off. They've seen outside of security what's happened with companies like Uber and Airbnb, Instacart, who kept saying, "once we get big enough, we're going to make money," and they got big, but they never made money. So this has made it tough for cybersecurity companies. And for that reason, we saw a lot of folks who saw their stock price go up 200, 300, 400% in 2020 or 2021, then subsequently have the stock price fall by 60, 65, 70% in 2022, because investors want something different this time around.
Some of it does surprise me, because I think there are some good companies with technology that's well-regarded by customers, technology that analysts say is industry leading, who still saw major bites into their stock price. So to talk about a few companies here - Okta was down nearly 70%. That wasn't hugely surprising. The Auth0 acquisition was expensive, and then they've been open about some integration challenges, in addition to having a couple of security incidents over the course of the year. So, maybe Okta was less surprising, but to see a company like Zscaler losing more than 65% of its valuation? They're a clear leader in secure web gateway; Blue Coat is increasingly becoming irrelevant as it's part of Broadcom now. So they're a clear category leader in that role. Well-run company, high growth rates, good fit in the large enterprise. There are other companies that use purely service touch or SASE, but nobody with that same focus on secure web gateways as Zscaler. So maybe a little surprising to see them drop that much. So, SentinelOne did so well in 2021, biggest IPO I've heard of, down nearly 73%. There I noticed some challenges around path to profitability, but again, well-regarded technology and a loyal customer base in the mid market. So there are some companies who - I want to be clear on this - even though the stock prices went down pretty heavily, I would still consider a lot of these good companies. These are companies with high growth rates, loyal customer bases, well-regarded technology, so I think there is an opportunity for a bounce back as the light at the end of the tunnel becomes more visible.
Delaney: And what does this all mean for 2023? How do you think these figures will shape market trends in the new year?
Novinson: I think this is going to have an enormous impact on acquisitions. And that's on two fronts. So first would be what are called "take private" deals, where private equity firms come and scoop up public companies, take them private. Thoma Bravo has been very aggressive in this. They, in 2022, bought SailPoint, Ping Identity, and are under agreement to buy ForgeRock. And then we saw Vista Equity Partners go under agreement to buy KnowBe4. I think we're going to see a lot more of this in 2023, there's just tremendous value to be had if you look at these valuations. Typically, in order to take a company private, you're going to need to pay 50 to 100% more, so, SentinelOne, for example, they, at the end of 2021, were worth around $17 billion, in 2022, they're worth just 4 billion. So if Thoma Bravo or somebody else offers to pay 8 billion to buy SentinelOne, they're getting them at a fraction of what they would have cost 12 months ago, but at the same time, investors would probably be open to that because they want to cut their losses, and they're not sure when the market is going to rebound. So I think there's a lot of value to be had. We saw Thoma Bravo raise 34 billion at the end of 2022. And there's certainly a good chance that they can spend that on cybersecurity. The other piece of this is around strategic acquisitions, which is essentially big cybersecurity companies or public ones buying smaller ones, smaller security startups, and that has slowed down, and the biggest deal we saw all of last year was SentinelOne buying Attivo Networks all the way back in March. And that was before the slowdown took place. And I think that's going to be needed. We did see Palo Alto Networks buy Cider Security at the end of 2022. They're obviously a big company. But given that these companies are worth 50-70% less than they were a year ago, I think there's very little investor appetite for doing significant M&A.
And I think that, honestly, some of these companies couldn't afford to. So what does this mean for the whole culture of startups that were potentially considering M&A as a path to exit? It's harder for them to raise money, and it's also harder for them to exit through acquisition. So I think it's going to leave a lot of startups between a rock and a hard place, the slowdown in strategic acquisition activity.
Delaney: Well, let's see what the year ahead brings. Michael, thank you so much for this analysis. And finally, false positives continue to be a challenge for SOC analysts. Nat Smith, senior director analyst at Gartner, the global research and advisory company, is calling for a paradigm shift in the SOC. He says that over the past few years, we've become embroiled with the concept of false positives as a means to distinguish which vendor is better than which. So rather than looking at the individual players or the individual setting, he says analysts need to look at the bigger picture, and that requires a different kind of skill set. I asked him to expand on what needs to change.
Nat Smith: This is looking at the bigger picture kind of an approach. And I think that it's an infrastructure change that needs to happen first in many cases, so the security leaders themselves, rather than looking at, "I need to get a different individual or a different skill set here," need to change the way the process works within the SOC. Instead of so much focus on it - and I don't want to say that there are things that absolutely need to change, because every organization is a little bit different and has their own play on this. But fundamentally, instead of looking at something that comes in, an alert comes in, and validating whether or not that alert is accurate, we should be looking at the details, the context, maybe the data, the forensics that are behind that, to determine whether it's accurate. We need to look at the full scale, everything else that we would expect, and look to see if we see some of these clues. And that's the starting point. If we see some of these other clues, it starts to validate: this is a real activity, a real sequence that's starting to happen. And by the way, now we're also focusing and know where to start to look for things, as opposed to what we do today, where maybe we'll get a file and we'll take it and we'll put it in the sandbox and we'll decide, "did we actually see something that was malicious there?" Or we'll drop a file into something like Wireshark, which starts to pull out all of the protocols, and look to see, "oh, yes, we can validate." That's good and nice, but it's not the best and the highest priority that should happen. Whereas if we start to look at the longer sequence of things, we'll start to see some of the lateral movement, we'll start to see how it actually got in in the first place, which may not have been a big event or a big alert, but it's something that we absolutely need to shut down.
It also starts to help us figure out very quickly where else we need to start making some fixes and mitigating or remediating some of those pieces. We get so focused on the front of all of those things, is this alert right or wrong, that we're not looking at probably the bigger opportunity, where we can shut things down very quickly, even if we don't understand exactly how a payload was delivered and impacted our systems. We are able to stop, block and keep things in place by looking for those bigger pictures.
Delaney: That's it from the ISMG Security Report. The music is by Ithaca Audio. I'm Anna Delaney. Until next time.