A Twitter whistleblower complaint filed with three federal agencies was leaked last week to two major media outlets. It quickly captured news cycles, piqued congressional interest, further fueled Elon Musk’s legal battle and prompted a stock plunge.
The complainant, Peiter Zatko, long known in the security community by his hacker handle Mudge, was hired in 2020 by then-CEO Jack Dorsey to lead cybersecurity after well-publicized takeovers of prominent and official government Twitter accounts.
Zatko claims that Twitter’s data security controls suffer from “gross deficiencies, negligence and willful ignorance.” CEO Parag Agrawal quickly responded that Zatko was fired in January 2022 for “ineffective leadership and poor performance” and that “the false narrative of the complaint is filled with inconsistencies and inaccuracies and is presented without significant context.”
With time, effort and consideration, the truth will emerge. However, boards cannot wait until then to rework their oversight of digital risk – the survival stakes are high and rising fast.
Mr. Tipster
The 84-page whistleblower complaint against Twitter is neither rare nor unprecedented. The US Securities and Exchange Commission (SEC) strongly encourages tips once a company’s internal reporting channels have been exhausted, and reporting is at record levels.
In July 2022, Gurbir Grewal of the SEC’s Division of Enforcement testified to Congress that “the whistleblower program had a record year [in 2021] with the SEC awarding a total of $564 million to 108 whistleblowers, compared to 39 whistleblowers in fiscal year 2020 and [over] $1 billion [in lifetime] awards.”
Zatko claims he was fired for notifying Twitter’s board of significant internal control concerns. His filing includes many serious allegations, such as:
- Senior leaders routinely overstated the effectiveness of IT security to the board, thereby limiting governance, obscuring oversight, and delaying remediation.
- Approximately 50% of Twitter’s 500,000 servers lack adequate encryption. Nearly 40% of Twitter employee devices lack adequate security protections, and about a third block routine software updates.
- Under-protected employee devices allow broad and untraceable access to Twitter’s source code, databases and user accounts. Zatko attributes nearly 60% of recent security breaches to these allegedly weak controls.
- Lax employee screening allowed foreign government agents to be hired.
If true, such startling claims indicate IT vulnerabilities that could easily undermine or disrupt core business operations, revenue generation, and company value. Such risk management challenges are neither new nor unique to Twitter.
The X factor
As discussed in a previous Forbes post, “Here’s What Boards Need, CFOs Want, and CIOs Must Do to Address Cyber Risk,” many companies are responding to the new cyber regulations with “corporate ingenuity” that is insufficient and disconnected from the real measurement of cyber threats as strategic, reputational, operational and financial risks.
That’s why the SEC has advanced new cyber risk governance requirements and the National Association of Corporate Directors (NACD) offers the X-Analytics cyber risk reporting service to its membership of 23,000 corporate directors.
Chris Hetner, former senior cybersecurity advisor to SEC Chairs White and Clayton and currently a member of the Nasdaq Center for Board Excellence Insights Council and NACD’s Senior Cyber Risk Advisor, urges boards to focus cybersecurity decisions on “the financial and business impact associated with any type of digital risk. This immediately connects ongoing risk assessments to business strategy and sustainability.”
“This is an opportunity for the cybersecurity community to leverage advances in financial analytics widely deployed within boardroom risk transfer markets. It’s time for the CIO and CISO community to leverage these skills in routine reports to boards, CFOs and audit committees,” Hetner emphasized.
Business-related cyber risk reporting, open communication and a resilient culture are essential, preventative steps boards can take to avoid whistleblower crises.
The main witness
Credible public company whistleblower reports can shock even audit firms. When such cases arise and investigations continue, public officials, courts and regulators will logically turn to an indispensable witness – external auditors.
Since 2009, PricewaterhouseCoopers has audited Twitter, generating approximately $10 million in annual fees in recent years. Most recently, in Twitter’s 2021 10-K, PwC opined on February 22, 2022 that Twitter “maintained, in all material respects, effective internal control over financial reporting.” Their audit work parallels the timeline of Zatko’s complaint and may independently help expedite resolution of the case.
PwC is now, at great expense and time, likely preparing for congressional testimony, SEC hearings, legal filings and other public scrutiny. PwC will be asked about its audit procedures, findings and conclusions – and about whistleblower reliability.
Its peer firms will be watching closely. It won’t be long before audit scope, fees and the complexities of technology-related exposure top audit committee agendas.
Do corporate directors understand how Zatko’s complaint will prompt those challenging conversations with the board’s audit partner and the resulting difficult choices?
Narrow belt
Regulators have taken increased interest in the role of professional service providers in misconduct. In his remarks to Congress, Grewal signaled the SEC’s renewed focus, stating, “Strong enforcement also includes a focus on holding gatekeepers accountable. Accountants and lawyers are often the first lines of defense against misconduct. When they fail to meet their obligations, investors and the integrity of our markets suffer.”
Grewal concluded, “We will continue to take a hard look at gatekeepers to ensure they are meeting their professional responsibilities and not providing cover for corporations or executives involved in potential misconduct.” This should certainly worry audit firms with clients facing SEC-related whistleblower disputes and could strain relations between corporate directors and their public accountants.
Seven questions
Here are seven questions to help boards determine whether they have senior leaders who can find, explain and fix technology concerns that can (and will) put the business at risk. Each could be adapted by lawmakers, regulators and litigants investigating the Twitter-Zatko case.
- What is the overall financial exposure to cyber risks and cyber attacks?
- What types of cyber threats will cause the most financial loss and reputational damage?
- Which investments in cyber risk tools most effectively mitigate financial loss, avoid shutdowns and strengthen business sustainability?
- Which specific external standards should the company adopt to evaluate the effectiveness of its cybersecurity and risk management technology?
- Does the board have sufficient and timely oversight of insider threats to data security, IT systems and confidential information?
- How quickly and how well does the company remediate IT control gaps?
- Are reliable whistleblowing policies and procedures in place to overcome, bypass and override executive resistance to bad news?
The (non)answers to these “starting” questions tell a lot about cyber readiness.
Time’s up
Zatko’s 84-page complaint is a must-read for business leaders charged with evaluating, financing and managing next-generation technology initiatives. Its subtext is a clarion call for boards to act quickly, smartly and decisively to meet the demands of the digital fiduciary age. Put another way, plausible deniability is no longer an option.
Who will the whistle blow on next?