SolarWinds Investors Allege Board Knew About Cyber Risks

SolarWinds investors have sued the software company's directors, alleging they knew about and failed to monitor cybersecurity risks to the company ahead of a breach that created a vulnerability in thousands of its customers' systems. Reuters reports: The lawsuit filed in Delaware on Thursday appears to be the first based on records shareholders demanded from the company after Reuters reported last December that malicious code inserted into one of the company's software updates left U.S. government agencies and companies exposed. The lawsuit names a mix of current and former directors as defendants. Led by a Missouri pension fund, the investors allege that the board failed to implement procedures to monitor cybersecurity risks, such as requiring the company's management to report on those risks regularly. They are seeking damages on behalf of the company and to reform the company's policies on cybersecurity oversight.

Basic competance.

[echo123]

Basic competence. That's all the investors asked for, while the SolarWinds management failed to deliver. Seems like an open and shut case to me.

Re:

[XXongo]

Basic competence. That's all the investors asked for, while the SolarWinds management failed to deliver. Seems like an open and shut case to me.

Yes, shut.

Not being good at your job turns out not to be actionable.

Re:

[drinkypoo]

Not being good at your job turns out not to be actionable.

Not being good at your job while you claim to be good at your job and know you're not good at your job turns out to be fraud.

Re:

[Narcocide]

I'm not gonna let you guys forget they passed me over at a fraction of the price and straight up told me they were going to pretend to instigate this on purpose while feigning incompetence.

hmm

[antus]

from what ive seen nobody at board level gives a shit about security. they see it as risk management, damage control and mitigation after the fact.

Re:

[gweihir]

from what ive seen nobody at board level gives a shit about security. they see it as risk management, damage control and mitigation after the fact.

That changes very fast once they are regulated and the board has personal liability unless they can prove they made sure things are done right. Well, done right on their level.

Unfortunately common

[GeekWithAKnife]

Once worked for an MSP, the customer was software company. We audited them at their request and discovered their many applications never had a code review from a security standpoint. Never had vulnerability testing other than the very cheapest and mist basic of premiter tests. Having raised these and other security concerns one exec levelled with me in private. He said they are afraid of what such thorough checks and reviews might find...and that they's rather not know. 16 months later an alleged incident

Re:

[antdude]

And which company was this? :P

More news from Captain Obvious

[TomGreenhaw]

Any well run company does a periodic risk assessment. No one is fully immune to all kinds of mayhem including hacked network systems, computers and supply chains. We assess the risks and mitigate the risks as much as practical.

I personally have a low tolerance to risk and probably go way overboard, but publicly held companies have a duty to their shareholders to make a profit.

While I'm not excusing Solar Winds specifically or many of the myriad egregious lapses in common security sense, to say a board

Re:

[drinkypoo]

publicly held companies have a duty to their shareholders to make a profit.

Publicly held companies have a duty to follow their charter. There, FTFY