The Cybersecurity Lawsuit Boards Are Talking About

Over the past month, a little-noticed lawsuit has been a hot topic of conversation in Fortune 500 boardrooms and corporate security departments.

In October, the Securities and Exchange Commission sued a software company hacked by Russian agents in 2020, accusing it of defrauding investors by failing to disclose allegedly known cybersecurity risks and vulnerabilities.

The lawsuit named not only the company SolarWinds, but also its chief information security officer, Timothy Brown. A year earlier, Joe Sullivan, Uber’s former security chief, was convicted of failing to disclose a data breach to federal regulators. Cybersecurity leaders feel their personal risk is increasing.

“I’ve been doing this for 25 years and I’ve always protected others,” said George Gerchow, chief security officer and senior vice president of information technology at Sumo Logic, a software company. “Now all of a sudden I find myself in a strange position where I have to protect myself.”

Perhaps more alarming to boards is that SolarWinds had disclosed some cybersecurity risks – in the same way that almost all public companies do.

“You can see it in a hundred different companies, they’re all using the exact same language,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.

It now appears that the SEC no longer considers this standard language sufficient if the company faces more specific risks. This lawsuit is the first in which the SEC accuses a company of intentional fraud related to cybersecurity disclosures, according to the law firm White & Case.

In his first interview since the SEC complaint, SolarWinds CEO Sudhakar Ramakrishna told DealBook that the company was unaware of the issue that exposed it to the 2020 cyberattack and that the lawsuit was “an attempt, we believe, by the SEC to advance policy.”

The lawsuit could “currently make CISOs more fearful, and no longer encourage them to raise their voices,” he said.

Most experts agree that whatever the outcome of the lawsuit, it could affect how companies manage cybersecurity risks. But they are divided on whether it will encourage better or worse practices.

The lawsuit isn’t the only sign the SEC is paying attention to cybersecurity. In July, the agency adopted new cybersecurity disclosure requirements, which are due to come into force in December. They require companies to report significant attacks within four days and to disclose their cybersecurity risk management, strategy and governance annually. In a June speech, SEC Enforcement Director Gurbir Grewal said the agency has “zero tolerance for fraudulent schemes” regarding cybersecurity disclosures.

Some experts fear the lawsuit could have a chilling effect. “There were serious warning signs that he and his team had surfaced,” Wolff said of SolarWinds’ CISO. “And now it’s being used against him specifically to say, ‘You knew about this, you didn’t disclose it in the SEC filings.’ Which I think really incentivizes never documenting or finding vulnerabilities anywhere.” This could make it difficult for IT to ask for money for cybersecurity, she said.

Ramakrishna, CEO of SolarWinds, said that having to disclose all potential security vulnerabilities could make it easier for attackers to abuse them. “On the one hand, it will be too complex for the average investor to understand,” he said. “On the other hand, I think we will play the threat game.”

Others argue that the threat of SEC action could hold cybersecurity executives accountable. Jake Williams, a security expert who consults with companies when they face a data breach, said he regularly sees CISOs being asked to “paint a rosy picture, or even a rosier one than reality.” But he added: “That practice, I think, disappeared the day the SolarWinds lawsuit was filed by the agency. No CISO can now risk painting an unrealistically positive picture of cybersecurity.”

Harley Geiger is a cybersecurity attorney with the law firm Venable and part of the team representing a coalition of technology companies including Cisco, Broadcom, Microsoft and Google. He said there are ways for CISOs to respond to increased personal risk other than avoiding documenting concerns and recommendations, including erring on the side of escalating risks and vulnerabilities.

“They may want to be covered by a company’s insurance policy. They may want compensation in their employment contract,” Geiger said. “I think it would be the wrong message or conclusion for CISOs to choose to ignore or not escalate important cybersecurity information.”

If generic disclosures aren’t enough, what is? Being too specific about vulnerabilities could give attackers valuable information, while being too broad is not helpful to investors. “The question,” Wolff said, “is whether the SEC can define clear common ground.” —Sarah Kessler

An inflation surprise triggers a market rally. The Consumer Price Index report released Tuesday showed inflation slowed last month more than analysts expected, helped by falling energy prices. Investors cheered the news as a group of Wall Street economists concluded that the Federal Reserve is most likely done with raising interest rates.

Another Republican withdraws from the presidential race. South Carolina Senator Tim Scott suspended his campaign this week. He and the rest of the Republican camp have been behind Donald Trump by double-digit margins for months. Nikki Haley, the former governor of South Carolina, had a better week. She seemed poised to win over major conservative donors, including Citadel’s Ken Griffin.

Trump’s social media platform is in trouble. Trump Media & Technology Group, the company that runs Truth Social, has racked up heavy losses and may not survive without new financing, a regulatory filing revealed this week. Truth Social has staked its future on a long-delayed merger with a shell company intended to take it public, giving it access to about $300 million in funding.

When Fei-Fei Li, co-director of the Stanford Institute for Human-Centered Artificial Intelligence, showed the first draft of her book project to one of her colleagues, he told her to throw it away.

“He said there are a lot of scientists who can write about technological ideas,” Li told DealBook. But the colleague added that “my unique personal journey, as an immigrant, as a woman, as someone whose advent as a scientist is so closely linked to the advent of modern AI, would give even those who haven’t traditionally had a voice in the tech world someone to identify with.”

Li persevered, and the book “The Worlds I See: Curiosity, Exploration, and Discovery at the Dawn of AI” was published this month, telling the story of AI’s growth and her own story as a Chinese immigrant who became one of the world’s leading experts in the field.

This interview has been edited and condensed for clarity.

What should a business leader take away from your book?

There is so much debate, confusion and, frankly, anxiety around AI. Part of the anxiety comes from not knowing what it is. Part of it is that we don’t know what it’s going to do. I hope this book will somehow dispel both.

Tools are made by humans, designed by humans, used by humans. We have responsibilities as well as the power to act.

You write about the complex implications of commercial investments in AI. Can you tell me more?

At the beginning of my career, it was just pure scientific research, curiosity. Nobody paid attention to it. As AI became more powerful, as more industry resources were invested in it, as its social impact surfaced, it is natural that it would bring complexity as part of a deep technological change.

We hope that our innovation ecosystem in America is driven by a combination of private sector, public sector and government. Right now we have an imbalance. I hope that the public sector can still be a trusted source for evaluating, understanding and explaining this technology, but also be at the forefront of scientific discovery for the public good.

Which risks do you focus on most?

Personally, I focus on societal risks, from misinformation to bias and privacy, from breach to job disruption, to weaponization.

I think it is a responsibility, particularly on the part of the media, as well as the government, to engage in this discourse responsibly. I am concerned when the media focuses its megaphones on a very small number of far more hyperbolic voices, focusing on existential crises rather than real social risks that will profoundly affect ordinary people, especially people from underserved communities.

Is the government doing enough?

President Biden’s executive order is a first step in the right direction, as it is broad and relatively balanced. But it is truly a first step. What’s really important is having the humility, especially on the part of policymakers and business leaders, to recognize that this is new. So find out what it is before making a policy.
As crypto crime watchers know, Sam Bankman-Fried was convicted on November 2 for his role in the collapse of FTX, the bankrupt cryptocurrency exchange. The big question remains: how much prison time will the 31-year-old man be sentenced to?

The maximum duration is more than 100 years. Last Saturday, we asked DealBook readers what a fair sentence would be. Many respondents shared their view that the judge should not go lenient with Bankman-Fried at the sentencing hearing, scheduled for March.

Here is a selection of what readers had to say about Bankman-Fried, the US justice system and the broader cryptocurrency market:

  • “Perhaps because I am a former prosecutor, I think white-collar criminals should be sentenced the same as violent criminals, or perhaps more harshly, because the societal impacts are generally broader and the mitigating factors (socio-economic status, etc.) are less convincing.” —Ted Baker

Thanks for reading! We’ll see you Monday.

We would like to receive your comments. Please email your thoughts and suggestions to dealbook@nytimes.com.

Andrew Ross Sorkin contributed reporting.