SEC and Disclosure, Round 2
11-13-2023 (Monday)
Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, November 13, 2023, and - if you’re like me - you’re realizing that Thanksgiving is next week here in the US. For whatever reason, I’d thought we had more time. Turns out, we don’t - and then the holiday season and end of year crunch is upon us. Be aware and set reasonable expectations when it comes to what you can actually get done and out the door by year end - in my experience, progress tends to slow precipitously after Thanksgiving, and doesn’t really pick back up until mid January, after Martin Luther King Jr. Day.
SEC and Disclosure, Round 2
We talked last week about the SEC filing suit against SolarWinds, and their CISO Tim Brown.
SolarWinds has now responded, and IT publication The Register has run the following headline: “SolarWinds says SEC sucks: Watchdog ‘lacks competence’ to regulate cybersecurity.”
Unfortunately for SolarWinds, competence isn’t the qualifier for regulatory oversight, and it seems like SolarWinds is doubling down, with their response - entitled Setting the Record Straight - saying:
"The company had appropriate cybersecurity controls in place before SUNBURST. The SEC misleadingly quotes snippets of documents and conversations out of context to patch together a false narrative about our security posture."
They conclude their blog post (which is, essentially, what it is) by noting that “the SEC's lawsuit ‘threatens to harm security by pressuring companies to disclose sensitive security information in public filings.’”
Unfortunately, this lawsuit isn’t what’s forcing disclosure. That comes courtesy of the new cyber rules and other disclosure mechanics, all of which are already in play.
And a piece of legislation introduced last week would use the SEC to require additional disclosure around another sensitive topic, this time investments in China.
Entitled the “Disclosing Investments in Foreign Adversaries Act of 2023,” this bipartisan piece of legislation would require, amongst other things, private investment funds to annually disclose to the SEC any assets invested in China and other countries of concern, including entity names, values, and use of proceeds.
Transactions of less than $25 million, or annual aggregate transactions below $50 million, appear to be exempted from the reporting requirements - but the vast majority of this investment activity would have to be disclosed. Small investments in China are relatively rare: because of the scale of the market there, small dollar deals generally don’t exist or aren’t available to US investors, and because of the amount of risk incurred, it has to be a big bet to be worth it.
The SEC already has a tremendous amount of regulatory disclosure capability, even before this piece of legislation.
As an example, Progress Software, makers of the MOVEit software that was famously exploited earlier in the year, noted in their 10-Q filing from last week that, in addition to:
23 letters from customers seeking formal indemnification,
a notice from an insurer of a subrogation claim,
58 different class action lawsuits,
“several inquiries from domestic and foreign data privacy regulators,”
“inquiries from several state attorneys general,” and
“formal investigations from a US federal law enforcement agency”,
the SEC has served them with a subpoena that includes, “among other things”:
Customer entity name;
Contact Name and Email Address; and
“May include certain communications between you and Progress.”
The momentum behind regulation and additional transparency requirements around cyber risk has been building for years, and is now at the point where asking “how would you feel if this email was printed in the Wall Street Journal” is no longer a thought experiment, but a potential reality.
The underlying assertion from SolarWinds and those supporting their argument is that disclosing a lack of security controls would put them at risk.
The way to reduce this risk isn’t to avoid disclosure, it’s to implement the controls. Companies with robust, communicable, and defensible security programs aren’t spending their time yelling at the SEC in blog posts.
If implementing the controls is too cumbersome or expensive, perhaps fighting disclosure rules seems like a reasonable course of action. It’s not the course of action I’d ever recommend.
Fundraising
From a fundraising perspective, we continue to see the interesting contradictions and areas of contrast.
Another week with more than $25B in newly committed capital, including $5.34B from New York-based Harvest Partners for their ninth fund.
From the large players, KKR said that they expect to exceed fund-raising forecasts, while Carlyle said it would be cutting costs and staff as it lowers expectations for new funds.
In Canada, CDPQ, Canada’s second-largest pension fund, is seeking to sell up to $2B in PE assets to free up cash for other investments.
The extrapolation, of course, is that they’re tired of waiting for their returns, and are now willing to take a lower return in exchange for liquidity - and the chance to invest in what they view as better opportunities.
This is the same sort of crunch that our FT article from last week talked about, and these elongated “value creation” phases seem poised to continue and really test the mettle of both PE funds and their investors.
Stay tuned.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.theregister.com/2023/11/09/solarwinds_sec_filing/
https://orangematter.solarwinds.com/2023/11/08/setting-the-record-straight-on-the-sec-and-sunburst/