NYT on SolarWinds: "The Cybersecurity Lawsuit That Boards Are Talking About"

The Cybersecurity Lawsuit That Boards Are Talking About

“I’ve been doing this for 25 years, and I’ve always been protecting others,” said George Gerchow, the chief security officer and senior vice president of information technology at Sumo Logic, a software company. “Now, all of a sudden, I’m in a weird position where I’m having to protect myself.”

Perhaps more alarming to boardrooms is that SolarWinds did disclose some cybersecurity risks — in the same way that just about all public companies do.

“You can track it across a hundred different companies, that they’re all basically using the exact same language,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.

Now it seems the S.E.C. no longer considers those boilerplate disclosures to be sufficient if the company knows of more specific risks. The lawsuit is the first in which the S.E.C. has charged a company with intentional fraud related to cybersecurity disclosures, according to the law firm White & Case.

Regulatory Spotlight on Private Funds

The end of September marked the close of the 2023 fiscal year for the United States Securities and Exchange Commission (the “SEC”). In remarks last week, SEC Director of Enforcement, Gurbir Grewal, noted that, “[w]hile we have not yet released our 2023 fiscal year-end numbers, I can give you a sneak preview: we had another incredibly productive year on behalf of the investing public.” Focusing on private funds, Director Grewal stated earlier this year that private funds were a “substantive priority area” for the Division of Enforcement—and that has certainly been borne out in the 2023 docket.

***

Taking stock of the last fiscal year, we expect 2024 to reflect enhanced scrutiny of the private funds industry, with an increasing risk of enforcement referrals in the examination context, an appetite to pursue enforcement actions for relatively minor violations and the risk of substantial penalties….

Lagarde calls for European SEC

It’s time for a European edition of the SEC, says Christine Lagarde, president of the European Central Bank (ECB).

In a speech at the European Banking Congress in Frankfurt, Lagarde made the case for creating a strong single regulator to facilitate the development of a unified capital market in the region.

While a capital markets union (CMU) has long been a policy goal for Europe, it has failed to advance, she said.

“[It] is clear that the conditions for capital markets to develop in Europe have not yet been satisfied. Most importantly, we have lacked a unifying project around which CMU can be anchored,” she said.

At the same time, the region is facing a collection of common challenges, such as deglobalization, demographics and decarbonization. “Addressing all these challenges at the same time will require a generational effort — and massive investment is needed in a short space of time,” she said.

Wall Street’s ESG Craze Is Fading

Wall Street rushed to embrace sustainable investing just a few years ago. Now it is quietly closing funds or scrubbing their names after disappointing returns that have investors cashing out billions.

The about-face comes after tightened regulatory oversight, higher interest rates that have slammed clean-energy stocks and a backlash that has made environmental, social and corporate-governance investing a political target.

Lockbit Hacks Two More Financial Firms, Threatens Data Dump

The criminal ransomware gang behind the recent attack on the Industrial & Commercial Bank of China Ltd. has claimed responsibility for two more hacks on US financial firms.

The Lockbit gang added the Chicago Trading Company and Alphadyne Asset Management this week to a list of victims on its darkweb page. The gang has given them deadlines to make an unspecified payment, and is threatening to publish stolen data online if its demands aren’t met.

Hackers Complain to SEC Company They Hacked Failed to Disclose the Incident

In a move that may set a record for hacking chutzpah, a cyber ransom gang has filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. The gang apparently filed the complaint after the hacked company failed to respond to the hackers’ ransom demand. The hacking incident and the SEC report were first reported in a November 15, 2023, post on the DataBreaches.net site, and further detailed in a November 15, 2023, post on the BleepingComputer.com site.

***

I will say that evaluating the SEC complaint ploy as a publicity stunt, you have to give the hackers some credit; they managed to get themselves (and their breach) into the Wall Street Journal.