The Growing Zelle Fraud Problem and Who Should Pay for It
Also: Cybersecurity Vendor M&A Trends; Biden's Order on EU-US Data Transfers
The latest edition of the ISMG Security Report examines whether banks should be held liable for the rapidly increasing Zelle fraud problem, explores the latest M&A activity among identity and access management vendors, and discusses the implications of the new legal framework for personal data transfers between the U.S. and Europe.
In this report, you'll hear:
- Former CISO David Pollino discuss U.S. Sen. Elizabeth Warren's investigation into Zelle scams and to what extent banks should be held accountable for losses;
- ISMG's Michael Novinson summarize the week's M&A news, including how private equity firm Thoma Bravo announced its intention to acquire ForgeRock for $2.3 billion - the third company Thoma Bravo has purchased in the identity and access management space this year;
- Privacy expert Lisa Sotto outline the newly proposed legal framework for personal data transfers between the U.S. and the European Union under an executive order recently issued by President Joe Biden.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Sept. 29 and Oct. 7 editions, which respectively discuss what went wrong in the massive Optus data breach and how adversaries are bypassing weak MFA.
Anna Delaney: Why Zelle fraud is rampant, and analyzing the newly proposed EU-U.S. data flow agreement. These stories and more on this week's ISMG Security Report. Hi, I'm Anna Delaney. Last week, U.S. Sen. Elizabeth Warren's office said its investigation into Zelle, the peer-to-peer payments app, showed that fraud and theft are not only rampant, but getting worse. Furthermore, it claims that banks are not refunding the majority of people who've been defrauded and may be breaking the law. I asked David Pollino, former CISO of PNC Bank, for his thoughts on the matter.
David Pollino: Yeah, as a former banker myself, I definitely see both sides of the equation. You have some of these more traditional payment mechanisms like PayPal, Venmo, Cash App that are built on other products. They're built on ACH, they're built on the card infrastructure to a certain extent, also checking products as well. Those products have well-established operating rules that have factored in fraud as part of the arrangements. And because normally you're only seeing one side of the transaction - you're either seeing the sender, the maker, the receiver, or you're on the other side - there are some ways to be able to enforce good behavior by chargebacks or unauthorized transfers. Those types of things are trying to return to make you're on the check side. So what we're seeing here is this new product that did not factor fraud into its overall revenue model; it was all about cost avoidance. And as a result, they tried to make the rules about the product in such a way that they wouldn't see fraud. It's a send-only mechanism. It's not a receive mechanism. You can request it, but it has to be pushed out by the account owner or whoever's in control of the device. That's the authenticator for that particular account. And there hasn't been a good mechanism for charging back. So the one rule that governs this approach is Regulation E, and it has three aspects to it, but the primary one that they focus in on for Zelle transactions was "authorized." In many of these cases, the customer is fooled, for whatever is happening with that particular scam - which they have a long list of them here, of ones that are seen was out - the customer at some point is saying, "Here's my money," or their MFA has been hijacked to make it look like it's their money. But that's the kind of key differentiator that the banks are saying: "You said that it was authorized. So you can't come back later and say that it's not authorized." So that's why very few customers are being reimbursed.
For me, the big differentiator between this and why it's misunderstood compared to something like a credit card transaction: if you're a credit card merchant, there are certain things you need to go through to establish yourself as a merchant, and then as you're operating, those credit cards hold back some funds for chargebacks. If you have a high chargeback rate, you're either going to be subject to higher fees or you'll be kicked out of the network altogether. We don't have that same infrastructure mechanism around Zelle. It's made to be like cash. And I know some scams have hit the Pollino household and also people in the neighborhood, and they'll understand that Zelle is like cash. It's not like a credit card. It's not like these other transactions where you can say, "The services weren't provided, the goods were never delivered, claw this thing back." No, the money is gone. And so I think there's a combination of innovations in the product to help protect consumers, but also education for the consumer so they understand and know what Zelle is, and not just think about it with the lens of some of the other common payment mechanisms that we have in the industry.
Delaney: Two interesting M&A stories for you this week. I caught up with our business editor Michael Novinson for the latest. Excellent to see you, Michael. Growth capital firm Thoma Bravo this week announced its intention to acquire ForgeRock for $2.3 billion, the third company it has purchased in the identity access management category this year. Does this move come as a surprise to you, Michael?
Michael Novinson: For me personally, it did come as a surprise. And the reason why is that, as you indicated, Thoma Bravo, just two months earlier, had bought Ping Identity for $2.8 billion. So what was surprising here is that Ping and ForgeRock are two very similar things. They're both identity and access management providers, they are leaders in customer identity. They do a lot around workforce identity. And they're both focused on the large enterprises, the biggest and most sophisticated companies with highly customized needs. It's highly unusual to see a private equity firm buy two companies with such overlapping capabilities. And as compared to the acquisition earlier this year, going back to April, Thoma Bravo had agreed to buy SailPoint for $6.9 billion. There was some complementarity there: Ping is in IAM, SailPoint's in identity governance. And there's some overlap, but they don't do the exact same thing. So here this is a little more surprising because the two organizations do nearly identical things. But it does suggest to me that there may be some type of a roll-up or a combination plan here in the works.
Delaney: So, how do you think this move will shape the identity space, moving forward?
Novinson: All indications are that we're going to get a third big identity platform provider, from a market share standpoint. Microsoft continues to be the leader with roughly 24% market share in IAM. This is according to IDC figures from last year. Okta is taking the silver; they have 9% market share. Individually, SailPoint, Ping Identity and ForgeRock were eighth, ninth and tenth in market share, but you bring them all together, that takes their market share up to north of 6%, which would make them the third-largest IAM provider in the world, behind only Microsoft and Okta. So it does give them some depth around customer and workforce identity as well as some breadth, doing both the IAM piece as well as the identity governance piece. So it does seem like Thoma Bravo is trying to build out an identity platform of its own to compete against not only Microsoft and Okta, but also the likes of Delinea, which was the roll-up of Thycotic and Centrify in the privileged access management space, as well as the One Identity and OneLogin combination, which is probably the broadest platform of all since they do IAM, PAM and IGA. So we're seeing the build-out of these identity platforms. And Thoma certainly wants to have a runner in the race as well.
Delaney: Now another interesting security acquisition this week, something we discussed, which was potentially on the table a few weeks back. Vista Equity Partners has acquired KnowBe4. Talk us through how the deal got done.
Novinson: Absolutely. So 23 days ago, there were some regulatory filings that Vista Equity had made a non-binding offer at about $4.2 billion, or $24 a share, to purchase KnowBe4. KnowBe4 is a security awareness training company. They went public approximately 18 months ago at this point. So what was interesting here is that this take-private action of public companies leaving the public market - Thoma Bravo was then the one who is doing this, not only with SailPoint, Ping Identity and ForgeRock, as we talked about, but also going back, they've done it with Proofpoint. Years ago, they did it with Imperva, with Sophos, with Barracuda. And you haven't seen that many other financial investors getting involved here. So seeing another player like Vista step up to the plate was interesting. And I wasn't sure how this was going to play out. Similarly, Thoma Bravo had said that they're in talks about Darktrace, maybe two months ago; ultimately the two sides couldn't come to an agreement, so that's off the table right now. So I wasn't sure, ultimately, if they could reach a deal. I wasn't sure how KnowBe4 thought about this unsolicited offer. But it wasn't that long ago they had just gone public. But it does seem like it was a bump up in the price, to bring their offer up from $24 a share to $24.90 a share, just under a 4% increase in the price, that the two sides were able to come to a deal. And all of the major firms who own KnowBe4 stock, Elephant and KKR, and then Stu Sjouwerman, who's the founder and CEO, they've all agreed to sign on to this deal and vote their shares in favor of the deal. So it seems like now it's only a matter of time before this is going to close and yet another company will leave the public market in the hands of Vista Equity.
Delaney: Michael, what does this partnership say about where the industry is at right now?
Novinson: It certainly says that there's a lot of popularity for these take-private deals. We've had, at this point now, SailPoint, Ping, ForgeRock, KnowBe4, as well as Tufin, which is a network management firm. They got bought by Turn/River Capital back in August for $570 million. At the start of the year, you had roughly 30 companies who were publicly traded who got a majority of their revenue from security. So we've had five of those leave the public market and only one company go public, that being ZeroFox; they went public through a special purpose acquisition company, or a SPAC. So yeah, definitely seen some culling of the public markets that'll probably continue. The other interesting piece here is what this display in cybersecurity is going to look like. So it seems like they're doing a bit of an asset refresh: 50% of their stake in Infoblox in 2020, they're cashing out of Ping Identity as that becomes part of Thoma Bravo, and they sold SecureLink to Imperva this year. But at the same time, they are refreshing. They've made a big investment in Critical Start, which is an MDR, for more than $200 million; Securonix, which is next-gen SIEM, made a billion-dollar investment in this year; and other kind of spend, yeah, more than four and a half billion to buy KnowBe4. So it seems like they're trying to refresh their portfolio with some new technology areas and companies that they feel are on the cutting edge, whether it's MDR, whether it's SIEM or whether it's the security awareness training. It seems like they're trying to find some category leaders in emerging fields and make security plans around them.
Delaney: Well, interesting times. Michael, it's always great to catch up on what's happening in the business of security. Thank you very much for sharing these M&A updates.
Novinson: Of course. Thank you for the time, Anna.
Delaney: And finally, U.S. President Joe Biden signed an executive order last week setting up a new legal framework for personal data transfers between the EU and the U.S. Lisa Sotto, chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP, discusses the latest proposal with our SVP of editorial Tom Field, and what we are likely to see develop over the next few months.
Lisa Sotto: This new agreement, now known as the Trans-Atlantic Data Privacy Framework, is a very significant development, in my view, in the world of EU and U.K. data transfers to the U.S. So, just to provide a bit of background: about six months ago, the presidents of both the U.S. and the European Commission made a joint statement in which they announced an agreement in principle to replace the now-invalidated Privacy Shield. And as you will recall, it had been struck down as one of the very few valid data transfer mechanisms by the Court of Justice of the European Union, and the decision is known as the Schrems II decision. Of course, Max Schrems was operative here. And it focused on the lack of protections for EU residents in connection with U.S. surveillance programs, and the court also criticized the insufficient redress mechanisms to challenge any unlawful government surveillance. So last Friday, President Biden issued an executive order that outlined safeguards that the U.S. government will put in place to address the alleged shortcomings in intelligence gathering, the safeguards used, and also put in place a robust process for redress. And it even stands up a new and independent court called the Data Protection Review Court, which is very significant. So in response, in what was clearly a coordinated approach, the European Commission released a Q&A document, and they announced that they intend to now prepare a draft adequacy decision and also launch an adoption procedure, and the European Commission will seek an opinion from the European Data Protection Board and also get approval from a committee of EU member state representatives. And the European Parliament also can review adequacy decisions. So, as you said, all of this can take about six months to play out. But the good news is that we are well on our way to having a reinstated transfer mechanism for transfers from the EU and the U.K. to the U.S. And this is very welcome news.