SEC’s Cyber Enforcement Action: Your Move
11–6–2023 (Wednesday)
Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, November 6, 2023, and hopefully all of you - especially those of you with kids - have managed to get rid of the Halloween candy that’s juts hanging around your houses. If not, time to pitch it - believe me, nobody needs those things just hanging around.
Speaking of having things just hanging around, this week’s One Big Thing focuses on what happens when security leadership fail to raise the alarm or close the gap.
SEC and Cyber Enforcement Action: Your Next Move
Last week, the United States Security and Exchange Commission filed charges of fraud and internal control failures against SolarWinds and their CISO, Timothy Brown.
The complaint, which alleges violations of the Securities Act of 1933 and the Securities Exchange Act of 1934, claims that “SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments.”
There’s been much consternation in the security community since these charges were announced, and I think it’s worth taking a step back and placing them in context.
To start, let’s look at what they’re really alleging here. In simple terms, the assertion is that the company - and their CISO - knew that their security posture wasn’t very good, certainly not as good as they wanted it to be, and that material risks were present. That’s not the problem - that’s true for lots and lots of companies.
The problem comes when they know it’s not good, but tell people - investors, in particular - that their security posture actually good, preventing investors from making informed investment decisions.
The SEC calls this out specifically in the announcement of their charges, noting that:
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The point of these charges, and the SEC’s broader approach isn’t subtle, but neither is it unreasonable.
I would also note that the press release announcing the charges specifically includes some mechanics targeted at putting a very real sense of gravitas on other regulated entities, noting both that the SolarWinds breach was reported via a Form 8-K filing (which is now required within 4 days of a material cyber incident) and notes that stock prices dropped 25% in the following 2 days, ultimately leading to a 35% drop by the end of that month.
But - despite what might seem like saber rattling from the SEC - let’s make no mistake about the message: implement strong controls and level with investors about known concerns.
The era of a pass on lax cyber controls has passed. It’s time to grab a shovel and start digging those moats. The Board and security leadership at companies, both public and private, should heed this advice and begin their own process of assessing cyber risk exposure, making risk-informed decisions, and communicating clearly about these risks - particularly those they are accepting or know to be insufficiently controlled.
The US Government has been very clear about their approach to cybersecurity in the broader context - which boils down to this: the free markets have had 50 years to get cyber right. They haven’t, so it’s time to regulate and enforce.
I also see lots of doom and gloom about CISOs going to jail or taking on undue liability, or any other myriad of bad things. I don’t see it this way. Instead, I see it as an opportunity for security leaders at organizations of all sizes to use these charges as a reminder to their leadership that their job is actually simple: call it like it is, and be transparent about the state of cyber risk. If you feel like you need to paint a rosier picture to investors, customers, or partners - this should be a signal to double down on investing in cyber, not to continue to gaslight yourselves and others.
I’m hopeful that this marks yet another inflection point in how we talk about cyber risk at the highest levels - because nothing will materially change if we don’t materially change our conversations at the leadership level. Cybersecurity simply can’t happen from the bottom up - and these charges should serve as notice for the top down to get to work.
Fundraising
From a fundraising perspective, we continue to see some interesting contradictions.
On the one hand, we have more than $25B in newly committed capital this week, including Ares Management raising $6.6b for its second fund focused on private asset-based credit and KPS Capital Partners raised a combined $9.7b for its sixth flagship buyout fund and second mid-cap fund.
The $6.6B from Ares is particularly interesting - asset-based credit is one of the many issues addressed in a long Financial Times article this week entitled “Private equity: higher rates start to pummel dealmakers.”
The article discusses concepts around “defending the portfolio” using financial engineering mechanics like “payment-in-kind” debt and “net asset value financing” - noting that these could be a harbinger for more difficult times ahead. With high debt loads and a lack of a clear exit path, we may see a continued slowdown in deals.
The article concludes by noting that “the number of private equity exit transactions is approaching a 10-year low. Buyout firms are sitting on a record $2.8tn in unsold investments leaving “a towering backlog” of companies to exit” and that “Some pensions and endowments have even resorted to selling large stakes in private equity funds at discounts to their stated value to raise cash.”
A good reminder that cash is king, and that leverage can cut both ways - particularly in high rate environments like the one we find ourselves in.
You can find links to the articles we covered below, back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.sec.gov/news/press-release/2023-227
https://www.bankinfosecurity.com/sec-alleges-solarwinds-ciso-tim-brown-defrauded-investors-a-23439
https://www.ft.com/content/8b4a5df6-7f6d-480f-8d20-55793854c37e