The Cybersecurity Lawsuit That Boards Are Talking About
For the last month, an under-the-radar lawsuit has privately been a hot topic of conversation in Fortune 500 boardrooms and corporate security departments.
In October, the Securities and Exchange Commission sued a software company hacked by Russian agents in 2020, accusing it of defrauding investors by not disclosing allegedly known cybersecurity risks and vulnerabilities.
The lawsuit named not just the company, SolarWinds, but also its chief information security officer, Timothy Brown. A year earlier, a former chief security officer at Uber, Joe Sullivan, was found guilty of failing to disclose a data breach to federal regulators. Executives heading up cybersecurity have a sense that their personal risk is increasing.
“I’ve been doing this for 25 years, and I’ve always been protecting others,” said George Gerchow, the chief security officer and senior vice president of information technology at Sumo Logic, a software company. “Now, all of a sudden, I’m in a weird position where I’m having to protect myself.”
Perhaps more alarming to boardrooms is that SolarWinds did disclose some cybersecurity risks — in the same way that just about all public companies do.
“You can track it across a hundred different companies, that they’re all basically using the exact same language,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.
Now it seems the S.E.C. no longer considers those boilerplate disclosures to be sufficient if the company knows of more specific risks. The lawsuit is the first in which the S.E.C. has charged a company with intentional fraud related to cybersecurity disclosures, according to the law firm White & Case.
In his first interview since the S.E.C. complaint, the C.E.O. of SolarWinds, Sudhakar Ramakrishna, told DealBook that the company hadn’t known about the issue that exposed it to the cyberattack in 2020, and that the lawsuit was “an attempt, we believe, by the S.E.C. to advance policy.”
The lawsuit could “actually make CISOs more fearful, not more emboldened to raise their voice,” he said.
Most experts agree that, regardless of the lawsuit’s outcome, it could affect how companies handle cybersecurity risks. But they’re divided over whether it will encourage better or worse practices.
The lawsuit is not the only sign the S.E.C. is paying attention to cybersecurity. In July, the agency adopted new cybersecurity disclosure requirements set to take effect in December. They require companies to report material attacks within four days and to make yearly disclosures about their cybersecurity risk management, strategy and governance. In a June speech, the S.E.C.’s enforcement director, Gurbir Grewal, said it had “zero tolerance for gamesmanship” around cybersecurity disclosures.
Some experts worry that the lawsuit could have a chilling effect. “There were some serious warning signs that he and his team had surfaced,” Wolff said of the SolarWinds CISO. “And now that’s being used against him specifically to say, ‘You knew about this, you didn’t disclose it in the S.E.C. filings.’ Which I think really does create an incentive to never document or never find any vulnerabilities anywhere.” That could make it difficult for the I.T. department to ask for money for cybersecurity, she said.
Ramakrishna, the SolarWinds C.E.O., said that being expected to disclose every potential security vulnerability could make it easier for attackers to abuse them. “For one, it’ll be too many for the average investor to understand,” he said. “For another, I think we’ll be playing into the hands of the threat.”
Others argue that the threat of S.E.C. action could empower executives in charge of cybersecurity. Jake Williams, a security expert who consults with companies when they’ve experienced a data breach, said he regularly saw CISOs being asked to “paint a rosy or maybe rosier-than-aligned-with-reality picture.” But he added: “That practice, I think, died the day the SolarWinds lawsuit was filed by the agency. No CISO can now risk basically painting an unrealistically positive picture of cybersecurity.”
Harley Geiger is a lawyer who specializes in cybersecurity at the law firm Venable and is part of the team representing a coalition of tech companies including Cisco, Broadcom, Microsoft and Google. He said there were ways for CISOs to react to increased personal risk other than avoiding documentation of concerns and recommendations, including by erring on the side of escalating risks and vulnerabilities.
“They may want to be covered by a company’s insurance policy. They may want indemnification in their employment contracts,” Geiger said. “I think it would be the wrong message for or the wrong takeaway for CISOs to choose to ignore or not escalate material cybersecurity information.”
If generic disclosures aren’t enough, what is? Being too specific about vulnerabilities could give attackers valuable information, while being too broad isn’t valuable to investors. “The question,” Wolff said, “is can the S.E.C. define a clear middle ground.” — Sarah Kessler
IN CASE YOU MISSED IT
An inflation surprise ignites a market rally. The Consumer Price Index report released on Tuesday showed that inflation cooled last month more than analysts had expected, helped by a fall in energy prices. Investors cheered the news as a bevy of Wall Street economists concluded that the Federal Reserve was most likely done with raising interest rates.
Another Republican drops out of the presidential race. Tim Scott, the South Carolina senator, suspended his campaign this week. He and the rest of the Republican field have trailed Donald Trump by double-digit margins for months. Nikki Haley, the former South Carolina governor, had a better week. She appeared to be close to winning over big conservative donors, including Ken Griffin of Citadel.
Trump’s social media platform is struggling. Trump Media & Technology Group, the firm that runs Truth Social, has racked up big losses and may not survive without new funding, a regulatory filing this week disclosed. Truth Social has been pinning its future on a long-delayed merger with a shell company meant to take it public, giving it access to roughly $300 million in funding.
An A.I. pioneer on her life and science
When Fei-Fei Li, co-director of the Stanford Institute for Human-Centered Artificial Intelligence, showed the first draft of her book project to one of her colleagues, he told her to throw it away.
“He said that there’s a lot of scientists who can write about the ideas of technology,” Li told DealBook. But the colleague added that “my unique personal journey, as an immigrant, as a woman, as someone whose coming-of-age as a scientist is so intertwined with the coming-of-age of modern A.I., would give even those who are not traditionally in the world of tech a voice to identify with.”
Li persevered, and the book, “The Worlds I See: Curiosity, Exploration, and Discovery at the Dawn of AI,” was published this month, telling the story of the growth of A.I. and her own story as an immigrant from China who became one of the world’s leading experts in the field.
This interview has been edited and condensed for clarity.
What should a business leader take away from your book?
There’s so much debate and confusion and, frankly, anxiety around A.I. Part of the anxiety comes from not knowing what it is. Part of it comes from not knowing what it’s going to do. I hope this book sort of dispels both.
Tools are made by humans, designed by humans, used by humans. We have responsibilities as well as agency.
You write about the complex consequences of commercial investment in A.I. Can you tell me more about that?
At the beginning of my career, it was just pure scientific inquiry, curiosity. Nobody was paying attention. As A.I. became more powerful, as more resources from the industry poured into it, as its social impact was surfacing — it is a natural course of a profound technological change that it brings complexity.
Our ecosystem of innovation in America is hopefully driven by a combination of private sector, public sector and government. Right now, we have an imbalance. I’m hoping the public sector can still be a trusted source of evaluating and assessing and understanding and explaining this technology, but also be at the forefront of scientific discovery for the public good.
What risks are you most focused on?
I personally focus on societal risks, from disinformation to bias and privacy, infringement to job disruption, to weaponization.
I do think there is responsibility, especially for the media, as well as the government, to engage in this discourse responsibly. I’m concerned when the media is biasing their megaphones to very few voices that are much more hyperbolic, focusing on existential crises, rather than the real social risks that will deeply impact everyday people, especially people from underserved communities.
Is the government doing enough?
President Biden’s executive order was a good first step because it’s broad and relatively balanced. But that truly is a first step. What is really important is to have the humility, especially for policymakers and business leaders, to recognize that this is new. So learn about what this is before making policy.
DealBook readers respond: Sam Bankman-Fried
As crypto crime watchers know, Sam Bankman-Fried was found guilty on Nov. 2 for his role in the collapse of FTX, the bankrupt cryptocurrency exchange. The big question remaining: How long of a prison term will the 31-year-old get?
The maximum term is more than 100 years. Last Saturday, we asked DealBook readers what would be a fair sentence. Many respondents shared their view that the judge should not go easy on Bankman-Fried at the sentencing hearing, scheduled for March.
Here’s a selection of what readers had to say about Bankman-Fried, the American justice system and the wider cryptocurrency market:
-
“Perhaps because I am a former prosecutor, I believe white-collar criminals should be sentenced on a par with violent ones, or perhaps more severely because the societal impacts are generally broader and the mitigating factors (socioeconomic status, etc.) are less compelling.” — Ted Baker
-
“What about the crypto investors who got fleeced; how does locking him up help them? Retributive justice and rehabilitation don’t speak in any way to making the investors as whole as possible.” — Thomas Haible
-
“I think a factor is that crypto is primarily a fixation of gamblers. Call them traders. Call them investors. But they’re not. They’re bettors.” — Barry Morse
Thanks for reading! We’ll see you Monday.
We’d like your feedback. Please email thoughts and suggestions to [email protected].
Andrew Ross Sorkin contributed reporting.