___________________________________________________________________
SEC notifies SolarWinds CISO and CFO of possible action in cyber
investigation
Author : miguelazo
Score : 43 points
Date : 2023-06-30 21:08 UTC (1 hours ago)
(HTM) web link (www.cybersecuritydive.com)
| taeric wrote:
| Wow, Matt Levine's take that "everything is securities fraud" is
| rather amusing to apply here. I'm curious what the actual charges
| will be.
| duped wrote:
| I mean as "selling a quarter billion dollars of stock before
| publicly disclosing the cyber crime of the century that you
| likely knew about for quite some time" is less "anything" and
| more "trading on material non public information."
| walrus01 wrote:
| What's most amazing is they apparently thought this wouldn't
| be noticed by the SEC? Execs of a company of that size
| absolutely should know better.
| miguelazo wrote:
| Would mark a major escalation in executive accountability...
| Still no criminal charges, though.
|
| >"Sunburst was a _highly sophisticated and unforeseeable attack_
| that the United States government has said was carried out by a
| global superpower using novel techniques in a new type of threat
| that cybersecurity experts had never seen before," a company
| spokesperson told Cybersecurity Dive in an emailed statement.
| grun3 wrote:
| Wasn't the root cause of this attack someone setting a prod
| system password to 'solarwinds123'? Not very sophisticated nor
| unforeseeable.
|
| Not just any prod system... the one that distributed their
| trusted updates to their entire customer base I believe.
| donmcronald wrote:
| Haha. I didn't follow it. After a bit of searching I had to
| laugh. They got owned by the 'hunter2' meme and call it a
| _highly sophisticated and unforeseeable attack_.
| dragonwriter wrote:
| > Would mark a major escalation in executive accountability...
| Still no criminal charges, though.
|
| If there was a criminal referral they wouldn't announce it, and
| any charges would usually significantly trail civil enforcement
| action, judging from every other SEC civil + DOJ criminal
| action I've seen.
| 666satanhimself wrote:
| [dead]
| eganist wrote:
| The more these happen, the more likely it'll be that the role of
| CISO will need to be compensated commensurate to risk.
|
| And report up to the CEO.
|
| But it also depends on the nature of the action that's about to
| come down. My guess is something to do with misrepresentation of
| SolarWinds' security posture.
| candiddevmike wrote:
| Or should the CISO be an employee of a federal agency?
| ethbr0 wrote:
| For systemically-important tech firms?
|
| There should definitely be a government inspector general
| empowered to poke around.
|
| SolarWinds was a sophisticated operation, but there are a ton
| of security orgs for very important companies that are just
| inept, underfunded, or both. And absent mandated ability to
| inspect, they're not going to get the harsh spotlight of
| "unfuck this now" they deserve.
| toomuchtodo wrote:
| CISO needs to report to either chief risk officer (edit: who
| reports to the board) or the board directly imho. Anyone else
| (CXO) has incentive to apply pressure at odds with the role, or
| not take compliance requirements or regimes seriously. Checks
| and balances.
|
| (thoughts and opinions my own, interim deputy CISO in finance)
| eganist wrote:
| Who would the CRO report to?
| dvt wrote:
| > CISO needs to report to either chief risk officer (edit:
| who reports to the board) or the board directly imho.
|
| I mean, this is all company bylaws, you can't seriously
| legislate this. But in any case, C-execs _do_ have skin in
| the game (particularly if investigated by the SEC). They're
| usually insulated, but if non-compliant (or grossly
| negligent), directors can be personally liable.
___________________________________________________________________
(page generated 2023-06-30 23:00 UTC)