Summary:
The Construction Industry Laborers Pension Fund, Central Laborers' Pension Fund and other shareholders filed a complaint against the current and former board of directors of SolarWinds in the Court of Chancery in Delaware for failure to implement or oversee any reasonable monitoring system concerning cybersecurity risks fundamental to SolarWinds’ only line of business.
Important Excerpts:
The culpability and responsibility of the board:
In 2018, the SEC imposed on boards of directors disclosure and oversight obligations concerning cybersecurity risks, the Company’s SEC filings acknowledged these risks and the need to monitor them, and the NYSE’s cybersecurity guidelines for directors issued in 2015 likewise recognized directors’ critical cybersecurity monitoring obligations.
As fiduciaries to the Company and its stockholders (as well as under express SEC guidance) SolarWinds’ Board was obligated to implement and oversee corporate monitoring and reporting systems concerning the Company’s mission critical cybersecurity risks. This means that, at a minimum, SolarWinds was obligated to: (i) implement protocols requiring management to keep SolarWinds’ Board apprised of cybersecurity compliance practices, risks, and reports, on an ongoing basis; (ii) nominate and appoint directors with appropriate expertise in cybersecurity and technology and regularly educate board members on these matters; (iii) discuss, on a regular basis, any key cybersecurity issues; and (iv) take remedial action when apprised of cybersecurity deficiencies.
SolarWinds lacked "modern" security practices:
SolarWinds: (i) used weak passwords for its software download webpages such as “solarwinds123”; (ii) did not properly segment its IT network; (iii) directed its clients to disable antivirus scanning and firewall protection on its Orion software; (iv) cut investments in cybersecurity; and (v) listed its sensitive and high-value clients on its webpage for anyone to see.
The lack of modern security practices facilitated the SUNBURST Breach:
In the years before the SUNBURST hack, SolarWinds’ employees took notice that the Company’s cybersecurity was an apparent low priority, recounting that “every part of the business was examined for cost savings and common security practices were eschewed because of their expense.” A former software engineer at SolarWinds said that the Company “appeared to prioritize the development of new software products over internal cybersecurity defenses.”
FireEye (the company that first discovered SUNBURST) noted in a detailed report on the SUNBURST hack that “[o]nce the attacker gained access to [SolarWinds’] network with compromised credentials, they moved laterally,” further suggesting SolarWinds had poor or non-existent network segmentation. The CEO of the cybersecurity software firm Remediant echoed this, stating that “[l]ateral movement is an attack vector that has plagued the industry for several decades now” and was “a key theme around the SolarWinds attack.”
In a letter from CISA’s executive director to Senator Ron Wyden regarding the “2020 SolarWinds supply chain cybersecurity compromise,” the agency stated the following: “CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralized the [SUNBURST] malware,” and that “CISA did observe victim networks with this configuration that successfully blocked connection attempts and had no follow-on exploitation.”
Impact of the SUNBURST Breach:
In the days following the Company’s initial public disclosure of SUNBURST in December 2020, SolarWinds’ stock lost nearly 40% of its value. As of today, the stock trades at more than a 30% discount to its pre-revelation trading price. For the six months ended June 30, 2021, the Company incurred $34 million in direct expenses related to SUNBURST, stemming from, inter alia, costs to investigate and remediate the cyberattack; legal, consulting, and other professional service expenses; and public relations costs.
In the first six months ended June 30, 2021, the Company also experienced a 27% decline in its license revenue relative to the previous year. SolarWinds explained that this decline was “primarily due to decreased sales of our licensed products as a result of the Cyber Incident [i.e., SUNBURST]” (among other factors). The Company’s net increase in cash and cash equivalents for the same period was down over 74% relative to the previous year, which the Company also attributed, in part, to SUNBURST.
The Company is also under investigation from numerous domestic and foreign law enforcement agencies and other governmental authorities, including the DOJ, SEC, and state Attorneys General, and is subject to several private class action lawsuits. SolarWinds has stated that it “expect[s] to continue to incur additional legal and other professional services costs and expenses associated with the Cyber Incident in future periods,” including increased expenses related to “insurance, finance, compliance activities, and to meet increased legal and regulatory requirements.” The Company forecasts that additional costs to “enhance [the] security measures across [its] systems and [its] software development and build environments” will be “approximately $20 million on an annual basis.”
The plaintiffs are requesting the following judgment and relief:
Declaring that Plaintiffs may maintain this derivative action on behalf of SolarWinds and that Plaintiffs are proper and adequate representatives of the Company;
Declaring that Defendants have breached their fiduciary duties to SolarWinds;
Determining and awarding to SolarWinds the damages it has sustained as a result of the breaches of fiduciary duties set forth above from each of the Defendants, jointly and severally, together with interest thereon;
Directing SolarWinds to implement policies and procedures and to maintain adequate operational controls and Board governance of management concerning the Company’s cybersecurity;
Awarding to Plaintiffs the costs and disbursements of the action, including reasonable attorneys’ fees, costs, and expenses;
Awarding pre- and post-judgment interest; and
Granting such other and further relief as this Court deems just and equitable.
from Hacker News https://ift.tt/3HGgxm5