
The cybersecurity issue that boards are talking about


Over the past month, an under-the-radar lawsuit has quietly become a hot topic of conversation in Fortune 500 boardrooms and corporate security departments.

In October the Securities and Exchange Commission sued a software company that was hacked by Russian agents in 2020, accusing it of defrauding investors by allegedly failing to disclose known cybersecurity risks and vulnerabilities.

The lawsuit not only named SolarWinds, but also its Chief Information Security Officer, Timothy Brown. A year earlier, a former chief security officer at Uber, Joe Sullivan, was found guilty of failing to report a data breach to federal regulators. Cybersecurity executives feel their personal risk is increasing.

“I’ve been doing this for 25 years and I’ve always protected others,” said George Gerchow, the chief security officer and senior vice president of information technology at Sumo Logic, a software company. “Now I suddenly find myself in a strange position where I have to protect myself.”

Perhaps more alarming to boardrooms is that SolarWinds had disclosed a number of cybersecurity risks in the same generic way that virtually all public companies do.

“You can see across a hundred different companies that they’re all basically using the exact same language,” says Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.

Now it appears that the SEC no longer considers these standard disclosures sufficient if the company is aware of more specific risks. The lawsuit is the first in which the SEC has charged a company with intentional fraud related to cybersecurity disclosures, according to the law firm White & Case.

In his first interview since the SEC complaint, SolarWinds CEO Sudhakar Ramakrishna told DealBook that the company was unaware of the issue that exposed it to the 2020 cyberattack, and that the lawsuit was “an attempt, we think, by the SEC to further the policy.”

The lawsuit could “actually make CISOs more anxious and disincentivized to raise their voices,” he said.

Most experts agree that regardless of the outcome of the lawsuit, it could impact how companies address cybersecurity risks. But they are divided on whether this will encourage better or worse practices.

The lawsuit isn’t the only sign that the SEC is paying attention to cybersecurity. In July, the agency adopted new cybersecurity disclosure requirements that will come into effect in December. They require companies to report material attacks within four days and to make annual disclosures about their cybersecurity risk management, strategy and governance. In a June speech, the SEC’s enforcement director, Gurbir Grewal, said that there is “zero tolerance for gamesmanship” surrounding cybersecurity disclosures.

Some experts worry the lawsuit could have a chilling effect. “There were some serious warning signs that he and his team had surfaced,” Wolff said of SolarWinds’ CISO. “And now that’s being used against him specifically to say, ‘You knew about this, you didn’t disclose it in the SEC filings.’ Which I think is really an incentive to never document or find vulnerabilities anywhere.” That could make it difficult for the IT department to make the case for cybersecurity, she said.

Ramakrishna, the CEO of SolarWinds, said that expecting all potential security vulnerabilities to be made public could make it easier for attackers to exploit them. “First, there will be too many for the average investor to understand,” he said. “For another, I think we are playing into the hands of the threat.”

Others argue that the threat of SEC action could give executives responsible for cybersecurity more power. Jake Williams, a security expert who consults with companies when they have experienced a data breach, said he regularly saw CISOs being asked to “paint a rosy or perhaps rosier picture than reflected reality.” But he added: “That practice died, I think, the day the SolarWinds lawsuit was filed by the agency. No CISO can now risk painting an unrealistically positive picture of cybersecurity.”

Harley Geiger is an attorney specializing in cybersecurity at the Venable law firm and is part of the team representing a coalition of technology companies including Cisco, Broadcom, Microsoft and Google. He said there are ways CISOs can respond to increased personal risk other than avoiding documentation of concerns and recommendations, including by continuing to escalate risks and vulnerabilities.

“They may want to be covered by a company’s insurance policy. Maybe they want damages in their employment contracts,” Geiger said. “I think it would be the wrong message or the wrong takeaway for CISOs to choose to ignore or not escalate material cybersecurity information.”

If generic disclosures aren’t enough, what is? Being too specific about vulnerabilities can provide valuable information to attackers, while being too broad is not valuable to investors. “The question,” Wolff said, “is whether the SEC can define a clear middle ground.” – Sarah Kessler

An inflation surprise leads to a market rally. The Consumer Price Index report published on Tuesday showed that inflation cooled more than analysts expected last month, helped by a drop in energy prices. Investors cheered the news as a group of Wall Street economists concluded that the Federal Reserve was most likely done raising rates.

Once again a Republican is dropping out of the presidential race. South Carolina Senator Tim Scott suspended his campaign this week. He and the rest of the Republican field have been trailing Donald Trump by double-digit margins for months. Nikki Haley, the former governor of South Carolina, had a better week. She seemed close to winning over major conservative donors, including Citadel’s Ken Griffin.

Trump’s social media platform is struggling. Trump Media & Technology Group, the company that runs Truth Social, has suffered major losses and may not survive without new funding, a regulatory filing showed this week. Truth Social has staked its future on a long-delayed merger with a shell company intended to take it public, giving it access to about $300 million in financing.

When Fei-Fei Li, co-director of the Stanford Institute for Human-Centered Artificial Intelligence, showed the first draft of her book project to one of her colleagues, he told her to throw it away.

“He said there are many scientists who can write about the ideas of technology,” Li told DealBook. But the colleague added that “my unique personal journey, as an immigrant, as a woman, as someone whose maturity as a scientist is so intertwined with the advent of modern AI, even for those who are in the tech world, this is not traditionally a voice to identify with.”

Li persevered, and the book “The Worlds I See: Curiosity, Exploration, and Discovery at the Dawn of AI” was published this month. It tells the story of the growth of AI alongside her own story as an immigrant from China who became one of the world’s leading experts in the field.

This interview has been edited and condensed for clarity.

What should a business leader take away from your book?

There is so much debate, confusion and, quite frankly, fear surrounding AI. Part of the fear comes from not knowing what it is. Part of it comes from not knowing what it’s going to do. I hope this book dispels both a little.

Tools are made by people, designed by people, used by people. We have both responsibilities and freedom of choice.

You write about the complex consequences of commercial investments in AI. Can you tell us a little more about that?

At the beginning of my career it was purely scientific research, curiosity. Nobody paid attention. As AI became more powerful, as more industry resources poured into it, as its social impact surfaced – it is a natural progression of profound technological change that it brings complexity.

Our ecosystem of innovation in America is hopefully driven by a combination of the private sector, the public sector, and government. Right now we have an imbalance. I hope that the public sector can still be a trusted source for evaluating, assessing, understanding and explaining this technology, but also at the forefront of scientific discoveries for the public good.

What risks are you most focused on?

Personally, I focus on social risks, from disinformation to bias and privacy violation, to disruption of employment and weaponization.

I think there is a responsibility, especially for the media, but also for the government, to participate in this discourse in a responsible way. I worry when the media focuses their megaphones on very few voices that are much more hyperbolic and focus on existential crises, rather than on the real social risks that will have a major impact on ordinary people, especially those from disadvantaged communities.

Is the government doing enough?

President Biden’s executive order was a good first step because it is broad and relatively balanced. But that is really a first step. What’s really important is the humility, especially for policymakers and business leaders, to recognize that this is new. So make sure you know what this is before creating policy.


As crypto crime observers know, Sam Bankman-Fried was found guilty on November 2 for his role in the collapse of FTX, the bankrupt cryptocurrency exchange. The big question remains: how long will the 31-year-old get in prison?

The maximum term is more than 100 years. Last Saturday we asked DealBook readers what a fair punishment would be. Many respondents shared their opinion that the judge should not go easy on Bankman-Fried during the sentencing hearing, which is scheduled for March.

Here’s a selection of what readers had to say about Bankman-Fried, the US legal system and the broader cryptocurrency market:

  • “Perhaps because I am a former prosecutor, I believe that white-collar criminals should be sentenced the same as violent criminals, or perhaps more severely, because the social consequences are generally broader and the mitigating factors (socio-economic status, etc.) less compelling.” – Ted Baker

Thank you for reading! We’ll see you Monday.

We would like your feedback. Send your ideas and suggestions by email to dealbook@nytimes.com.

Andrew Ross Sorkin contributed reporting.
