Being a Supplier for a large Studio: More difficult than ever
In times when studios have become targets of orchestrated hacks and deliberate breaches, their risk management and governance functions have stepped up their game. Now they expect suppliers to keep pace.
A client was recently asked to provide a certification they did not have. While I cannot go into much detail about this specific case, what they were asked to provide is similar to an ISO-9001 certification. Many smaller companies that have managed to become suppliers to a large television or film studio specialize in a certain product or service, though, and are not experts at risk management. In the coming years, the requirements will likely only increase.
The client, as part of their agreement with their much bigger client, was asked to put systems in place that would increase the security of the materials they were handed for the completion of the project. They complied and absorbed the cost of the new system as they were, of course, keen to keep the deal. Risk intelligence company RiskVision estimates that about 80% of breaches originate with a supplier or vendor. Thus, it is quite understandable that large film or television studios insist that their vendors take all aspects of security as seriously as they do. Often the main objective of the breach is to hold the materials for ransom or to demand payment, usually in the form of Bitcoin, in exchange for not releasing the materials.
In almost every recent case of breach or hacking, the attack originated with a supplier, as in the leak of “Orange Is the New Black” back in April 2017, which The New York Times reported at the time. Hackers had targeted suppliers of the large studios, knowing they would be much easier to gain access to than the studios themselves. In the case of “Orange Is the New Black”, the hack targeted a popular post-production facility that works with many major television studios. It is a great example of the pressure that is put on anyone who works with high-profile projects. Even small companies need to implement systems that are usually only used by large corporations, which can more easily afford to put complex systems in place. Ultimately, the risk management implemented by large studios, like Disney, for example, will have to be matched to a large extent by their suppliers. Today the supplier and vendor code of conduct enforced by big media corporations already puts a lot of pressure on anyone doing business with them, and smaller, more niche players feel the heightened expectations.
On another project a couple of years ago, a client faced the problem that employees running two of their television productions had started to behave strangely, and reports came in from the set that the producers had at times shown up drunk or drugged. Production funds went missing and equipment was reported as ‘lost’. The exposure these employees created was high, as both productions’ costs ran over and much of the spend was unaccounted for. The client ended up spending a lot of time and money on forensic accounting and electronic auditing. Luckily, their IT department had set up a redundancy in their email server that made a copy of all incoming and outgoing email in an untouchable partition of the server. When the employees were finally confronted with their misconduct, they, as you would suspect, denied all allegations. In the lengthy audit that followed, it became evident that they had deleted several email chains in which they joked about their misconduct and their conspiracy to misuse funds intended for production for personal purposes such as a vacation or, in one case, a personal vehicle. Of course, the damage was done, but thanks to a pre-emptive IT setup and a brilliant accounting firm, all misconduct was discovered and documented, and proof was established. In the end, the client wasn’t able to recoup the misused funds, but it was possible to clearly show who was accountable for what, when, where, and why. For me personally, it was just a reminder that complete security can never be achieved but good systems can raise the threshold of a perpetrator getting away with it.
In the music industry, the situation seems very similar: The New York Times reported in May that Lady Gaga’s stem files, the original song files used for editing, had been leaked accidentally after a social engineering hack. By sending out a very targeted email to label executives, hackers were able to obtain copies of these vital files.
To fight these attacks and to secure their assets, large television and film studios are likely to raise their minimum standards for suppliers and vendors in the coming years, as the threat of a breach through one of these suppliers and vendors is only going to increase. This will push anyone doing business with a studio to increase their efforts in the areas of hiring, training, IT, governance, risk management, and finance. From a financial perspective, this means properly budgeting for these extra expenses and including them in the long-term financial planning as well as the short-term pricing of services.
About Tobias Jaeger
Tobias started his first firm of his own during his studies at Maastricht University in the Netherlands and has lived, worked, visited, and studied in over 43 countries on 4 continents. His global ambitions and travels are matched by fellow members of the Sandbox Network and the TEDx organization. Tobias loves to connect people from around the world to make great things happen. Previously he has done so at Business Associates Europe, SAP AG, StrategosPoker, Aramark, and entrepreneur academy. Today he is leading AXIOM Venture Capital, a boutique investment bank focussed on the media & entertainment industry.