Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

SEC Notice To SolarWinds CISO and CFO Roils Cybersecurity Industry (csoonline.com) 34

The US Securities and Exchange Commission has roiled the cybersecurity industry by putting executives of SolarWind on notice that it may pursue legal action for violations of federal law in connection with their response to the 2020 attack on the company's infrastructure that affected thousands of customers in government agencies and companies globally. From a report: Current and former employees and officers of the company, including the chief financial officer (CFO) and chief information security officer (CISO), have received so-called Wells Notices notices from the SEC staff, in connection with the investigation of the 2020 cyberattack, the company said in an SEC filing.

"The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws," SolarWinds said in its filing. A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law, SolarWinds noted. However, if the SEC does pursue legal action and prevails in a lawsuit, there could be various consequences.

This discussion has been archived. No new comments can be posted.

SEC Notice To SolarWinds CISO and CFO Roils Cybersecurity Industry

Comments Filter:
  • Until company articles of incorporation are revoked and the company veil is pierced making people personally responsible, security in the enterprise world is going to be a joke and a bad one, for almost anything. The only industry I know where companies actually respect security is the MPA, where if a company has a breach, they get their contract pulled on a movie, no second chances. Next to that, almost all regs, even the vaunted GDPR, are all but toothless.

    • by Entrope ( 68843 ) on Thursday June 29, 2023 @06:23AM (#63642590) Homepage

      Piercing the corporate veil [wikipedia.org] is about holding shareholders responsible for the same things as the corporation. That's going to backfire for any widely held company. Cases like this hold executives responsible, which is a different legal concept, and is likely to be much more effective in managing the behavior of corporate executives.

      • by dnaumov ( 453672 )

        Piercing the corporate veil [wikipedia.org] is about holding shareholders responsible for the same things as the corporation. That's going to backfire for any widely held company. Cases like this hold executives responsible, which is a different legal concept, and is likely to be much more effective in managing the behavior of corporate executives.

        When your property causes damages to others, you, the owner, get billed, not an inanimate object. If you don't feel comfortable enough with being responsible for what your property is doing, why do you continue to own this property? And why should I care or that it's "widely held"?

        • by Entrope ( 68843 ) on Thursday June 29, 2023 @08:29AM (#63642866) Homepage

          A corporation is not an inanimate object. The directors and employees have volition, regardless of how one legally or morally allocates agency for their actions. Unless you want to impose chattel slavery on those employees, they're not property, and so your analogy fundamentally falls.

          Beyond that, the rules around corporate liability represent a long train of thought and experience about how to balance the various interests of society at large, and you haven't engaged with any of that.

          And you also haven't discussed the practicalities of holding millions of shareholders liable for corporate acts: will they be jointly and severally liable (i.e. if some cannot pay, the others must), or liable in proportion to their ownership (i.e. whoever sued the corporation needs to chase down payments from those millions), or something else? That's an important aspect of how piercing the corporate veil backfires with so many shareholders.

      • by DarkOx ( 621550 )

        Holding share holders (who have voting stock) accountable isn't a terrible idea. There would have to be lots of rules and limitations.

        The idea you should be able to say own part of a criminal enterprise, continually elect board members to run that enterprise who you are aware are at least negligent in their oversight of management, collect dividends for years and be beyond legal reach when crimes are discovered - does not strike me as something that want deeply woven into our social fabric.

        Now obviously in

        • by Entrope ( 68843 ) on Thursday June 29, 2023 @08:34AM (#63642888) Homepage

          You may be surprised to find out that we already have laws that more or less do what you suggest: the Racketeer Influenced and Corrupt Organizations (RICO) Act. But, well, I'll let PopeHat explain: https://www.popehat.com/2016/0... [popehat.com]

          • by DRJlaw ( 946416 )

            You may be surprised to find out that we already have laws that more or less do what you suggest: the Racketeer Influenced and Corrupt Organizations (RICO) Act. But, well, I'll let PopeHat explain:

            Wait, you linked a post where PopeHat (Ken White) himself wrote "It's never RICO" to claim that it is RICO?

            You've got some big papier mache balls on you...

            • by Entrope ( 68843 )

              DarkOx's comment recognized that RICO would need "lots of rules and limitations". Ken White explained what that means in practice. My argument is not that this civil action by the SEC could instead be a RICO criminal protection by the DOJ, but simply that we do have the kind of law that DarkOx suggested (in the first half of that comment -- the second part, about liability attaching only to voting shares, is a separate question).

        • It's not hard to hold shareholders accountable, the fine just needs to be big enough to affect share price. Unfortunately penalties have so far been a slap on the wrist.
          • by sjames ( 1099 )

            If you want the message to stick, once found guilty, the company must issue stock to the government equal to 100% of currently outstanding shares. Those get sold off immediately.

        • by sheph ( 955019 )
          The problem I see with that is shareholders often are not the decision makers and rarely have intimate knowledge of how security is or is not implemented. Managers are usually the ones doing bad things through their employees and when something goes wrong they immediately throw that employee under the bus. They need to start holding C-level executives accountable because even if you have a bad employee you should know you have a bad employee and it would keep them from being able to pass the buck when the
          • by sjames ( 1099 )

            For shareholders, substitute "irresponsible absentee owners".

            At the least, holders of voting stock should bear some responsibility to make sure their company isn't being run by crooks.

      • by Zak3056 ( 69287 ) on Thursday June 29, 2023 @07:27AM (#63642690) Journal

        Cases like this hold executives responsible, which is a different legal concept, and is likely to be much more effective in managing the behavior of corporate executives.

        The executives are almost certainly going to be indemnified and the costs of defending them (and likely any monetary penalties) are likely going to be borne by the company (i.e. shareholders). The only way to "manage" corporate executives is with criminal charges--and even here their defense is likely provided for--but the penalties would be theirs alone.

        • Criminal charges are fine, but let's keep the financial burden on the shareholders too. They have a lot of sway at preventing a lot of stupidity that happens, especially stupidity that is supposedly done out of fiduciary duty to the shareholders.

          • by HiThere ( 15173 )

            Most shareholders don't have any say in, or even knowledge of, the decisions. I'm fine if you hold those who hold more than, say, 10% of the stock liable. (And I think that's already, theoretically, done.)

          • by thegarbz ( 1787294 ) on Thursday June 29, 2023 @09:29AM (#63643092)

            but let's keep the financial burden on the shareholders too. They have a lot of sway at preventing a lot of stupidity that happens

            No they don't. In fact to stay on this same topic thread, the concept of Piercing the Veil is highly dependent on whether shareholders had any say in the matter at all.

            I'm reminded of the episode of 3rd Rock from the Sun where Dick finds out as a shareholder he's an "owner" of a company, and decides to just barge in to the corporate office and then is surprised when he's escorted out by security. Shareholders have fuck-all say in how a company is run beyond voting on a couple of one line talking points at annual meetings.

            You want to hold them accountable, then you're going to have to show that they had any knowledge or say in the matter.

            • You want to hold them accountable, then you're going to have to show that they had any knowledge or say in the matter.

              You aren't owed gains on someone else's bad behavior regardless. By choosing to keep your money there you are accepting the risk whether you are directing it or not.

              • By choosing to keep your money there you are accepting the risk whether you are directing it or not.

                No. You don't universally accept risk. There's really no debate about this. The law is incredibly clear about this.

                • You do know I'm talking about the stock price tanking due to the company's financial state, right?

            • by Slayer ( 6656 )

              If you are a large share holder, then you can influence the composition of corporate management, and these folks better follow your advice lest they are replaced. If, on the other side, you own very few shares, you can still chose to sell these shares. If enough "owners of few shares" do this, share price will drop, and those folks with many shares will likely take action.

              Therefore it's quite fair to punish share holders either for their choice of management, or for their choice of investment, or both.

              • If you are a large share holder, then you can influence the composition of corporate management

                Yes you can, and that's a concept so abstract from individual and specific cases that get companies in legal trouble that Shareholders are almost never held accountable because they have little impact in the first place.

                What do we hear from the neighbours of people involved in school shootings: "Oh he was always such a nice kid". You don't get held accountable about details you can't control or foresee. Now if the Shareholders decided to make up corporate management from a group that were publicly known to

          • Criminal charges are fine, but let's keep the financial burden on the shareholders too. They have a lot of sway at preventing a lot of stupidity that happens, especially stupidity that is supposedly done out of fiduciary duty to the shareholders.

            Shareholders that are not employees of the company have little to no sway. Here's a list of shareholder duties, based on my own experience:

            - They can vote yes/no/abstain on members of the Director's board.

            - They can vote yes/no on approving the company's selected auditor.

            - They can vote yes/no on any number of shareholder submitted proposals that meet company-defined criteria for addition to the shareholder ballot.

            - They sometimes vote on general and-or very high-level oversight to the various oversight boa

  • That is the million dollar question.
    Or the 478 million dollar question in case of the real Caroline.

  • by ALicecrook45 ( 10449826 ) on Thursday June 29, 2023 @07:13AM (#63642652)
    The issuance of Wells Notices to current and former employees and officers of SolarWinds, including the CFO and CISO, by the US Securities and Exchange Commission (SEC) indicates that the SEC staff has made a preliminary determination to recommend civil enforcement actions against them. These actions are related to alleged violations of certain provisions of US federal securities laws in connection with SolarWinds' response to the 2020 cyberattack. It's important to note that a Wells Notice is not a formal charge of wrongdoing, nor does it represent a final determination of violation of any law. However, it signifies that the SEC staff has completed its investigation and believes there is sufficient evidence to potentially pursue legal action. If the SEC decides to proceed with legal action and is successful in a lawsuit, there could be various consequences depending on the specific charges and outcomes of the case. Possible consequences may include fines, penalties, injunctions, and other remedies imposed by the court or agreed upon through a settlement. It's worth following the developments of this case through reliable news sources for the most up-to-date information on any actions taken by the SEC and the resulting outcomes.
  • If I understand the article, about time, maybe if they use Solarwinds as an example, companies will smarten up.

    The Medical Industry just lived through an example with Theranos, now it is time for a wakeup call to Corporations that love to ignore System Security. No looking for a peon to sacrifice has they do all the time.

  • First up, the SEC sure does seem to be taking its time here - a preliminary determination at least 3 years after the actual event!?

    Secondly, how is SolarWinds still a thing? I can't imagine anyone recommending it now, or do they? I guess if you've got a long-standing install it'll take some time to switch to something else (and doubtless there'll be some long support contracts to run out first), but surely by now it should have a tiny install base left, shouldn't it?

    Or does this stuff just not matter to the

    • Kaseya has bought most everything else. Given the choice, I would still pick Solarwinds.

    • First up, the SEC sure does seem to be taking its time here - a preliminary determination at least 3 years after the actual event!?

      What's the rush?

      Secondly, how is SolarWinds still a thing? I can't imagine anyone recommending it now, or do they?

      That depends. One theory is that it's better to partner with someone who has made a mistake and learnt from it than someone who has never made a mistake and thus is ignorant of all the things they are doing wrong. Secondly it's not cheap, easy, or quick to purge someone embedded in your infrastructure. SolarWinds made over $700m in revenue last year. No doubt some of these customers are still paying them while in parallel looking for ways to rid themselves of their products/services.

  • Solar Winds was attacked by a foreign government, namely, Russia. If a government with that kind of money goes after YOUR company, they are going to succeed in breaching your systems. It's not a question or a possibility, they will succeed.

    While I agree companies should be regulated in the area of cybersecurity, and they should face penalties if they don't comply, it seems wrong to me to sue a victim of a breach, if the company was in fact complying with existing regulations.

  • I don't know if insider trading in scope for a Wells Notice, but if they were aware of the scope of the breach, but it wasn't public knowledge, and traded on that information. Totally comfortable with the SEC going after them.

  • The US Securities and Exchange Commission (SEC) has sent Wells Notices to current and former employees and officers of SolarWinds, including the CFO and CISO. These notices indicate that the SEC staff has made a preliminary determination to recommend the filing of a civil enforcement action against the recipients for potential violations of certain provisions of US federal securities laws. The investigation is related to the 2020 cyberattack on SolarWinds' infrastructure, which impacted numerous customers,

One person's error is another person's data.

Working...