[HN Gopher] SEC notifies SolarWinds CISO and CFO of possible act...
___________________________________________________________________

SEC notifies SolarWinds CISO and CFO of possible action in cyber investigation

Author : miguelazo
Score  : 43 points
Date   : 2023-06-30 21:08 UTC (1 hours ago)

web link (www.cybersecuritydive.com)

| taeric wrote:
| Wow, Matt Levine's take that "everything is securities fraud" is
| rather amusing to apply here. I'm curious what the actual charges
| will be.
|
| | duped wrote:
| | I mean, as "selling a quarter billion dollars of stock before
| | publicly disclosing the cyber crime of the century that you
| | likely knew about for quite some time" is less "anything" and
| | more "trading on material non-public information."
| |
| | | walrus01 wrote:
| | | What's most amazing is they apparently thought this wouldn't
| | | be noticed by the SEC? Execs of a company of that size
| | | absolutely should know better.

| miguelazo wrote:
| Would mark a major escalation in executive accountability...
| Still no criminal charges, though.
|
| > "Sunburst was a _highly sophisticated and unforeseeable attack_
| > that the United States government has said was carried out by a
| > global superpower using novel techniques in a new type of threat
| > that cybersecurity experts had never seen before," a company
| > spokesperson told Cybersecurity Dive in an emailed statement
|
| | grun3 wrote:
| | Wasn't the root cause of this attack someone setting a prod
| | system password to 'solarwinds123'? Not very sophisticated nor
| | unforeseeable.
| |
| | Not just any prod system... the one that distributed their
| | trusted updates to their entire customer base, I believe.
| |
| | | donmcronald wrote:
| | | Haha. I didn't follow it. After a bit of searching I had to
| | | laugh. They got owned by the 'hunter2' meme and call it a
| | | _highly sophisticated and unforeseeable attack_.
|
| | dragonwriter wrote:
| | > Would mark a major escalation in executive accountability...
| | > Still no criminal charges, though.
| |
| | If there was a criminal referral they wouldn't announce it, and
| | any charges would usually significantly trail civil enforcement
| | action, judging from every other SEC civil + DOJ criminal
| | action I've seen.

| 666satanhimself wrote:
| [dead]

| eganist wrote:
| The more these happen, the more likely it'll be that the role of
| CISO will need to be compensated commensurate to risk.
|
| And report up to the CEO.
|
| But it also depends on the nature of the action that's about to
| come down. My guess is something to do with misrepresentation of
| SolarWinds' security posture.
|
| | candiddevmike wrote:
| | Or should the CISO be an employee of a federal agency?
| |
| | | ethbr0 wrote:
| | | For systemically important tech firms?
| | |
| | | There should definitely be a government inspector general
| | | empowered to poke around.
| | |
| | | SolarWinds was a sophisticated operation, but there are a ton
| | | of security orgs for very important companies that are just
| | | inept, underfunded, or both. And absent a mandated ability to
| | | inspect, they're not going to get the harsh spotlight of
| | | "unfuck this now" they deserve.
|
| | toomuchtodo wrote:
| | CISO needs to report to either chief risk officer (edit: who
| | reports to the board) or the board directly imho. Anyone else
| | (CXO) has incentive to apply pressure at odds with the role, or
| | not take compliance requirements or regimes seriously. Checks
| | and balances.
| |
| | (thoughts and opinions my own, interim deputy CISO in finance)
| |
| | | eganist wrote:
| | | Who would the CRO report to?
| |
| | | dvt wrote:
| | | > CISO needs to report to either chief risk officer (edit:
| | | > who reports to the board) or the board directly imho.
| | |
| | | I mean, this is all company bylaws, you can't seriously
| | | legislate this. But in any case, C-execs _do_ have skin in
| | | the game (particularly if investigated by the SEC). They're
| | | usually insulated, but if non-compliant (or grossly
| | | negligent), directors can be personally liable.
___________________________________________________________________ (page generated 2023-06-30 23:00 UTC)