For the past month, an under-the-radar lawsuit has been a hot topic of conversation in Fortune 500 boardrooms and corporate security departments.
In October, the Securities and Exchange Commission sued a software company hacked by Russian agents in 2020, accusing it of defrauding investors by failing to disclose supposedly known cybersecurity risks and vulnerabilities.
The lawsuit names not only the company, SolarWinds, but also its chief information security officer, Timothy Brown. A year earlier, a former Uber security director, Joe Sullivan, was found guilty of failing to disclose a data breach to federal regulators. Executives leading cybersecurity feel their personal risk is increasing.
“I’ve been doing this for 25 years and I’ve always been protecting others,” said George Gerchow, chief security officer and senior vice president of information technology at Sumo Logic, a software company. “Now, suddenly, I find myself in a strange position where I have to protect myself.”
Perhaps most alarming for boardrooms, SolarWinds did disclose some cybersecurity risks, in the same way nearly all public companies do.
“You can trace it back to hundreds of different companies, which basically all use exactly the same language,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.
It now appears that the SEC no longer considers such boilerplate disclosures sufficient if the company knows of more specific risks. The lawsuit is the first in which the SEC accuses a company of intentional fraud related to cybersecurity disclosures, according to the law firm White & Case.
In his first interview since the SEC complaint, SolarWinds CEO Sudhakar Ramakrishna told DealBook that the company was unaware of the issue that exposed it to the cyberattack in 2020 and that the lawsuit was “an attempt, we believe, by the SEC to promote the policy.”
The lawsuit could “actually make CISOs more afraid, not more courageous, to speak out,” he said.
Most experts agree that regardless of the outcome of the lawsuit, it could affect how companies manage cybersecurity risks. But they are divided on whether it will encourage better or worse practices.
The lawsuit is not the only sign that the SEC is paying attention to cybersecurity. In July, the agency adopted new cybersecurity disclosure requirements that come into force in December. They require companies to report material attacks within four days and to make annual disclosures about their cybersecurity risk management, strategy and governance. In a June speech, SEC Enforcement Director Gurbir Grewal said he had “zero tolerance for gaming” around cybersecurity disclosures.
Some experts worry the lawsuit could have a chilling effect. “There were some serious warning signs that he and his team had raised,” Wolff said of the SolarWinds CISO. “And now that’s being used against them specifically to say, ‘You knew about this, you didn’t disclose it in the SEC filings.’ Which I think really creates an incentive to never document or never find vulnerabilities anywhere.” That could make it difficult for the IT department to ask for money for cybersecurity, she said.
Ramakrishna, CEO of SolarWinds, said waiting for all potential security vulnerabilities to be revealed could make it easier for attackers to abuse them. “On the one hand, there will be too many for the average investor to understand,” he said. “On the other hand, I think we will play into the hands of the threat.”
Others argue that the threat of SEC action could empower executives in charge of cybersecurity. Jake Williams, a security expert who consults with companies when they have experienced a data breach, said he regularly saw CISOs asked to “paint a rosy picture or perhaps more rosy than aligned with reality.” But he added: “I think that practice died the day the agency filed the lawsuit against SolarWinds. No CISO can now risk painting an unrealistically positive picture of cybersecurity.”
Harley Geiger is a cybersecurity attorney at the Venable law firm and is part of the team that represents a coalition of technology companies including Cisco, Broadcom, Microsoft and Google. He said CISOs had ways to respond to increased personal risk other than avoiding documenting concerns and recommendations, or even erring on the side of over-disclosing risks and vulnerabilities.
“They may want to be covered by a company’s insurance policy. They may want severance in their employment contracts,” Geiger said. “I think it would be the wrong message or the wrong conclusion for CISOs to choose to ignore or not escalate important cybersecurity information.”
If generic disclosures aren’t enough, what is? Being too specific about vulnerabilities could give attackers valuable information, while being too broad is not valuable to investors. “The question,” Wolff said, “is whether the SEC can define a clear middle ground.” —Sarah Kessler
IN CASE YOU MISSED IT
An inflation surprise triggers a market rally. The Consumer Price Index report released on Tuesday showed inflation cooled last month more than analysts expected, helped by a drop in energy prices. Investors cheered the news as a group of Wall Street economists concluded that the Federal Reserve would most likely no longer raise interest rates.
Another Republican drops out of the presidential race. Tim Scott, the senator from South Carolina, suspended his campaign this week. He and the rest of the Republican field have trailed Donald Trump by double-digit margins for months. Nikki Haley, former governor of South Carolina, had a better week. She appeared close to winning over big conservative donors, including Citadel’s Ken Griffin.
Trump’s social media platform is struggling. Trump Media & Technology Group, the company that runs Truth Social, has racked up heavy losses and may not survive without new funding, a regulatory filing revealed this week. Truth Social has been pinning its future on a long-delayed merger with a shell company intended to take it public, giving it access to roughly $300 million in financing.
A pioneer of AI in her life and science
When Fei-Fei Li, co-director of the Stanford Institute for Human-Centered Artificial Intelligence, showed the first draft of her book project to one of her colleagues, he told her to throw it away.
“He said there are many scientists who can write about the ideas of technology,” Li told DealBook. But the colleague added that “my unique personal journey, as an immigrant, as a woman, as someone whose coming of age as a scientist is so intertwined with the coming of age of modern AI, would give even those who traditionally have no voice in the world of technology someone to identify with.”
Li persevered, and this month the book “The Worlds I See: Curiosity, Exploration, and Discovery at the Dawn of AI” was published, telling the story of the growth of AI and her own story as an immigrant from China who became one of the world’s leading experts in this field.
This interview has been edited and condensed for clarity.
What should a business leader take away from your book?
There is a lot of debate and confusion and, frankly, anxiety around AI. Part of the anxiety comes from not knowing what it is. Part of this comes from not knowing what you’re going to do. I hope this book dispels both.
Tools are made by humans, designed by humans, used by humans. We have responsibilities as well as agency.
You write about the complex consequences of commercial investment in AI. Can you tell me more about that?
At the beginning of my career, it was pure scientific research, curiosity. Nobody was paying attention. As AI became more powerful, as more industry resources were invested in it, as its social impact came to the surface, it is a natural course of profound technological change that brings complexity.
Our innovation ecosystem in the United States will hopefully be driven by a combination of the private sector, public sector, and government. Right now we have an imbalance. I hope that the public sector can continue to be a trusted source to evaluate, understand and explain this technology, but also be at the forefront of scientific discovery for the public good.
What risks are you most focused on?
Personally, I focus on social risks, from misinformation to bias to privacy, from infringement to work disruption to gun use.
I think there is a responsibility, especially for the media, as well as the government, to engage in this discourse responsibly. I am concerned that the media is skewing its megaphones towards very few voices that are much more hyperbolic, focusing on existential crises, rather than the real social risks that will deeply affect ordinary people, especially people from underserved communities.
Is the government doing enough?
President Biden’s executive order was a good first step because it is broad and relatively balanced. But that’s really a first step. What’s really important is to have the humility, especially on the part of policymakers and business leaders, to recognize that this is new. So learn what this is before making policies.
DealBook Readers Respond: Sam Bankman-Fried
As crypto crime watchers know, Sam Bankman-Fried was found guilty on November 2 for his role in the collapse of FTX, the bankrupt cryptocurrency exchange. The big question that remains is: how much prison time will the 31-year-old receive?
The maximum term is greater than 100 years. Last Saturday we asked DealBook readers what a fair sentence would be. Many respondents shared their opinion that the judge should not go easy on Bankman-Fried at the sentencing hearing, scheduled for March.
Here is a selection of what readers said about Bankman-Fried, the American justice system and the cryptocurrency market in general:
“Perhaps because I am a former prosecutor, I believe that white-collar criminals should be sentenced on par with violent ones, or perhaps more severely, because the social impacts are generally broader and the mitigating factors (socioeconomic status, etc.) are less convincing.” -Ted Baker
Thank you for reading! See you on Monday.
We would like to receive your comments. Email your ideas and suggestions to firstname.lastname@example.org.
Andrew Ross Sorkin contributed reports.