Categories
The Woody Report

The Woody Report: The Solar Winds Dismissal

Welcome to The Woody Report, where Washington and Lee, School of Law Associate Professor Karen Woody and host Tom Fox discuss issues on white collar crime, compliance issues, international corruption, securities and accounting fraud, and internal corporate investigations. From current events to topical issues to academic research and thought leadership, Karen Woody helps lead the discussion of these issues on the new and exciting podcast.

In this episode, Tom, Karen and a few colleagues explore dismissal of the SEC Complaint against Solar Winds and its CISO.

Karen delves into a significant SEC case involving SolarWinds, focusing on the company’s cybersecurity practices and the ensuing legal battle. The discussion covers the SEC’s allegations of securities fraud and misleading statements about cybersecurity, particularly surrounding the Orion software platform and the Sunburst cyber-attack. Woody emphasizes the internal controls provision, citing a judicial opinion that narrows its applicability to accounting controls.

The conversation also highlights the lingering personal liability for SolarWinds’ CISO, Timothy Brown, and broader implications for the industry, including accountability and the need for clearer cybersecurity regulations.

Key Highlights:

  • Overview of SolarWinds and SEC Allegations: Internal Controls and Legal Implications
  • Judge’s Ruling and Its Impact
  • Broader Implications for enforcement for data breaches going forward

 Resources:

Karen Woody on LinkedIn

Karen Woody at Washington & Lee, School of Law

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Everything Compliance

Everything Compliance: Episode 138, The AI in The EU Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. We have a plethora of topics for this episode, including the DOJ Whistleblower Incentive Program, a look at Solar Winds, a new Caremark decision, an effective internal audit and the new AI law in the EU, which we slice and dice from a variety of perspectives.

We have the full quintet of Matt Kelly, Jonathan Armstrong, Karen Woody, Jonathan Marks, and our newest panelist, Karen Moore, all hosted by Tom Fox.

1. Jonathan Armstrong takes a look at the new EU Low regarding AI. He shouts out to Sir Andy Murray for a great career and life.

2. Matt Kelly asks multiple questions about the form of the guilty plea and what it may mean for compliance professionals going forward. He rants about Wyoming Senator Cynthia Lummis and her legislation for a Strategic Bitcoin Reserve.

3. Karen Moore considers the Centene case, which denied a Caremark claim. She rants about German TV only showing German competitors in their Olympic coverage and she shouts out to the perseverance of Ukrainians, where students attending class at the Kyiv School of Economics will stop class during an air raid and start class again when the All Clear is given.

4. Tom Fox shouts out to Simone Biles and the beauty, power, and grace of women’s gymnastics at the Olympics, going back to Olga Korbut.

5. Karen Woody takes a deep dive into the district court’s recent dismissal of the SEC complaint against SolarWinds. She shouts out to President Biden for bringing hostages home from Russia and a job well done.

6. Jonathan Marks reviews what makes internal controls effective.

The members of Everything Compliance are:

The host, producer, rantor (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Major Cybersecurity Incidents and Regulatory Challenges

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the dismissal of the SEC’s enforcement action against Solar Winds and CrowdStrike cybersecurity failures.

Tom and Matt begin with UnitedHealth’s costly ransomware attack, a federal judge’s ruling against the SEC’s lawsuit over SolarWinds’ cybersecurity practices, and CrowdStrike’s flawed software update impacting global corporations.

The episode explores the regulatory challenges of enforcing effective cybersecurity controls and the implications for companies and their compliance programs. The discussion highlights the need for better IT general controls and the role of different stakeholders, including Congress, regulatory agencies, and audit firms, in addressing these cybersecurity risks.

Key Highlights:

  • UnitedHealth Ransomware Attack Breakdown
  • SolarWinds Cybersecurity Lawsuit
  • Regulatory Challenges and Implications
  • Operational Risk Management and IT Controls
  • Call to Action for Compliance and Audit Professionals

Resources:

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending July 20, 2024

Welcome to 10 For 10, the podcast which brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes hear about the stories every compliance professional should be aware of from the prior week.

Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • Does Amazon Prime Day cause injuries?   (WaPo)
  • Deutsch Bank flouted accounting rules. (FT)
  • Senator Robert Menendez is guilty.  (WSJ)
  • Carlos Watson was found guilty. (Bloomberg)
  • The mayor of Venice is under investigation for corruption.   (ABCNews)
  • An ex-Goldman banker pleads not guilty to bribery and corruption charges.   (WSJ)
  • Nigeria refuses to release Binance compliance professionals. (Bloomberg)
  • The judge tosses the SEC suit against Solar Winds. (Law360)
  • A Chinese tycoon was convicted of fraud in US.   (BBC)
  • An ex-Segantii Capital Management employee was alleged to be accused of ‘disreputable conduct’. (FT)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Solar Winds Under GDPR: Corporate Responsibility and Risks in Data Protection

The General Data Protection Regulation (GDPR) has significantly changed how organizations handle data protection and privacy. It emphasizes the importance of transparency and honesty in disclosing data breaches and vulnerabilities. In a recent episode of the podcast Life with GDPR, Tom Fox and Jonathan Armstrong from Cordery Compliance discussed the topic of corporate responsibility and risks in data protection, with a particular focus on the SolarWinds case.

To recap, in late 2023, the SEC filed a lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, bringing the issue of executive liability in cybersecurity disclosures to the forefront. The lawsuit raised important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries under US securities law.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware in the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to access the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focused on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures formed the basis of the SEC’s allegations.

The SEC complaint alleged that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Beyond this SEC enforcement action, there were other implications as well. One key takeaway from the episode is the pressure on corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to disclose data breaches promptly. While GDPR offers some protection to Data Protection Officers, they are not entirely exempt from liabilities. The SolarWinds case serves as a reminder of the need for specific and timely disclosure of breaches and the importance of addressing system vulnerabilities.

The risks associated with data breaches are not limited to regulatory fines. Litigation risks are a significant concern for organizations, with shareholders and whistleblowers potentially seeking legal action. The episode highlights the importance of transparency and not misrepresenting information to regulators. Misrepresentations can lead to severe consequences for individuals in positions of responsibility within corporations.

Budget constraints can also hinder the timely fixing of vulnerabilities, ultimately leading to breaches. Organizations need to take proactive measures to identify and address vulnerabilities promptly. Realistic resource assessments are crucial to ensuring that adequate resources are allocated to data protection efforts. Additionally, having adequate insurance protection, such as Directors and Officers (D&O) insurance, can help protect individuals in positions of responsibility from potential liabilities.

The episode also emphasizes the need for organizations to consider the impact on their stock exchange filings when deciding whether to disclose a data breach. The decision to admit a violation of a stock exchange can be challenging and depends on factors such as materiality. Organizations need to assign a dedicated team to consider these factors, mainly when engaged in transactions like mergers and acquisitions or fundraising.

Transparency and honesty are key principles in data protection and privacy. Audit reports and investigation findings must be acted upon promptly to address vulnerabilities. Emails and other forms of communication can serve as evidence in legal proceedings, highlighting the importance of careful communication within organizations.

The potential for litigation is significant in data breach cases. Shareholders may seek legal action if they believe the value of their stock has been affected. Whistleblowers, incentivized by various jurisdictions, may also come forward with information. This highlights the need for organizations to maintain a culture of transparency and integrity and for individuals to review their remuneration packages to avoid conflicts of interest.

In conclusion, GDPR, corporate responsibility, and risks in data protection are interconnected. Organizations must prioritize transparency, honesty, and timely disclosure of breaches and vulnerabilities. Proactive measures, realistic resource assessments, and adequate insurance protection are crucial to mitigating risks. By considering the impact on stock exchange filings and maintaining a culture of integrity, organizations can navigate the challenges associated with data protection and privacy in the GDPR era.

Categories
Life with GDPR

Life With GDPR: Episode 104 – Solar Winds and Your Mother – Tell The Truth

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. In this episode, they look at the continued fallout from the Solar Winds data breach.

In the complex world of data protection, the General Data Protection Regulation (GDPR) has placed a spotlight on the importance of transparency, honesty, and corporate responsibility. Experts Tom Fox and Jonathan Armstrong bring their unique perspectives to this topic, shaped by their extensive experience in compliance and data protection. Fox emphasizes the potential legal consequences for corporate leaders who fail to disclose vulnerabilities or engage in dishonest practices, while Armstrong highlights the increasing pressure on individuals and corporations to disclose data breaches, with regulators focusing more on individual liability. Both stress the importance of transparency, the potential for litigation, and the role of whistleblowers.

Join Fox and Armstrong as they delve deeper into these issues on this episode of the Life with GDPR podcast.

Key Takeaways:

  • The Importance of Truthfulness in GDPR
  • The Importance of Transparency in Data Breaches
  • Legal risks in data breaches and cybersecurity
  • The Impact of Budget Constraints on Vulnerability Fixes

 Resources:

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here. Check out the Cordery Data Breach Academy here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Compliance Into the Weeds

Compliance Into The Weeds: Key Compliance Issues for 2024

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into issues Matt has on his radar for compliance professionals in 2024.

Matt Kelly is well known for zigging when everyone else is zagging. At the start of each year, he publishes a column that looks at key issues for compliance professionals in the year ahead. This podcast takes a deep dive into these issues. The rapidly evolving landscape of AI, cybersecurity, and governance is increasingly shaped by regulatory and compliance trends. In this context, industry experts Tom Fox and Matt Kelly offer insightful perspectives. We consider governmental oversight of AI, with more specific AI regulations in 2024, while also highlighting the potential of AI integration into compliance products and platforms. We also look at issues with the SEC, PCAOB, and DOJ.  Join Tom Fox and Matt Kelly as they delve deeper into these topics in this episode of the award-winning Compliance into the Weeds.

Key Highlights:

  • FEPA and its enforcement
  • NOCLAR and the PCAOB
  • SEC v. Solar Winds and its CISO
  • AI-Regulation and Business Use
  • SEC right to disgorgement 

Resources:

Matt Kelly on LinkedIn

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Everything Compliance

Everything Compliance – Episode 125 – The Post – Thanksgiving Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of, Jonathan Armstrong, Matt Kelly, Karen Woody, and Jay Rosen all hosted by Tom Fox, joining us on this episode of our fan-fav Shout Outs and Rants section.

1. Matt Kelly says the US Supreme Court Code of Ethics is already broken. Kelly has a book review shout-out to Peter Cappelli for his book Our Least Important Asset.

2. Karen Woody takes a deep dive into the SEC enforcement action against Solar Winds and its current CISO. She shouts out to Megan Rapinoe and Ali Krieger who both retired from professional soccer for their great careers and leading lights of social justice.

3. Jonathan Armstrong talks about David Cameron returning to the UK government and the need to eliminate sleaze in government. He rants about sliced salami announcements by politicians.

4. Jay Rosen looks at the ongoing corruption scandal in Santa Clara County CA, involving the former sheriff and the alleged sale of concealed carry permits. He shouts out to Giles Martin, son of Sir George Martin, for his remastering of the Beatles’ Red and Blue albums.

The members of the Everything Compliance are:

•       Jay Rosen– Jay is Vice President of Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks can be reached at jtmarks@gmail.com.

The host and producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

SEC, Solar Winds and Compliance

The recent SEC lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, has brought the issue of executive liability in cybersecurity disclosures to the forefront. This case sheds light on the culture of deception within SolarWinds, where lower-level employees struggled to communicate the severity of cybersecurity issues to management. The lawsuit raises important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware into the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to gain access to the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focuses on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures forms the basis of the SEC’s allegations.

The SEC complaint alleges that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

The case raises important questions about the responsibility and liability of senior executives for misleading disclosures. In this instance, the focus is on the former CISO, Tim Brown, who is facing civil penalties and potential trial. The SEC is seeking to bar him from serving at publicly traded companies. However, the case also raises questions about the CEO’s potential liability. In SolarWinds’ case, the former CEO, Kevin Thompson, who did not have a cybersecurity background, may have relied on assurances from the CISO regarding the company’s cybersecurity risks and disclosures.

The issue of executive liability in cybersecurity disclosures is complex. Should senior executives be held accountable for inaccurate assurances provided by their subordinates, especially in areas where they may not have expertise? Security is a complex matter, and executives may rely on the expertise of others to make informed decisions. However, this case highlights the potential consequences of such reliance and the need for executives to ensure accurate and transparent disclosures.

The SEC’s lawsuit against SolarWinds and Tim Brown also raises broader questions about the liability of executives in charge of risk, such as compliance officers. If executives are given assurances that turn out to be incorrect, where does the liability lie? This case could have implications beyond the cybersecurity realm and may impact how executives approach risk disclosures in various industries.

Balancing the need for accurate risk disclosures with the challenges of understanding complex cybersecurity issues is a tradeoff that executives must navigate. The case highlights the importance of fostering a culture of transparency and effective communication within organizations. It also emphasizes the need for executives to stay informed and engaged in areas of risk, even if they do not have direct expertise.

Moving forward, organizations should consider implementing the NIST framework for cybersecurity to effectively defend against cyber threats. This framework provides a comprehensive approach to managing and mitigating cybersecurity risks. By following best practices and ensuring accurate risk disclosures, organizations can reduce the likelihood of facing legal action and protect their stakeholders.

In the SEC Press Release Gurbir S. Grewal, Director of the SEC’s Division of Enforcement said “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company. Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.” Finally,  “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

In conclusion, the SEC’s lawsuit against SolarWinds and Tim Brown brings executive liability in cybersecurity disclosures into focus. The case highlights the importance of accurate and transparent risk disclosures and raises questions about the responsibility of senior executives. Executives must balance the need for accurate disclosures with the challenges of understanding complex cybersecurity issues. By fostering a culture of transparency and implementing best practices, organizations can mitigate risks and protect their stakeholders.

Categories
Compliance Into the Weeds

Compliance into the Weeds: SEC Sues Solar Winds and CISO

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more thoroughly, looking for some hard-hitting insights on sanctions compliance. Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent SEC Civil Complaint against Solar Winds and its CISO, Timothy Brown, for undisclosed failures in the company’s cybersecurity compliance program disclosures prior to, during, and after the infamous Solar Winds data hack.

The recent SEC lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach has sparked a critical conversation about executive liability in cybersecurity disclosures. Matt views this lawsuit as a significant development that raises essential questions about the personal liability of senior executives for inaccurate or misleading disclosures about cybersecurity risks. He emphasizes the potential implications this case could have for other executives in charge of trouble, such as compliance officers.

Tom underscores the concerns regarding the accuracy and transparency of SolarWinds’ cybersecurity disclosures. He highlights the evidence of a culture of deception within the company and the need to hold executives accountable for inaccurate disclosures. Join Tom Fox and Matt Kelly as they delve deeper into this topic in the latest episode of the Compliance into the Weeds podcast.

 Key Highlights:

  • Liability of Senior Executives in Cybersecurity
  • SolarWinds’ Orion Software: Russian Government Cyberattack
  • Personal Liability for Misleading Cybersecurity Disclosures
  • Implementing Relevant Controls for Cybersecurity

 Resources:

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn