In 84 Pages, Twitter’s Whistleblower Just Rewrote Boards’ Digital Futures

A Twitter whistleblower complaint filed with three federal agencies was leaked last week to two major media outlets. It quickly seized news cycles, sparked congressional interest, further inflamed the Elon Musk legal battle* and motivated a stock downgrade.

The complainant, Peiter Zatko, long-known as the hacker Mudge, was hired in 2020 by then-CEO Jack Dorsey to head cybersecurity in response to well-publicized breaches of celebrity and government official Twitter accounts.

Zatko claims that Twitter’s data security controls suffer from “egregious deficiencies, negligence and willful ignorance.” CEO Parag Agrawal quickly responded that Zatko was fired in January 2022 for “ineffective leadership and poor performance” and the complaint’s “false narrative is riddled with inconsistencies and inaccuracies, and presented without important context.”

With time, effort and scrutiny, the truth will emerge. However, boards cannot wait until then to retool digital oversight — the survival stakes are high and rising fast.

Mr. Tipster

The Twitter whistleblower’s 84-page complaint is neither rare nor unprecedented. The U.S. Securities and Exchange Commission (SEC) strongly incentivizes tips, once internal company pathways have been exhausted. Reporting is at record levels.

In July 2022, Gurbir Grewal of the SEC Division of Enforcement testified in Congress that “whistleblower program had a record-breaking year [in 2021], with the SEC awarding a total of $564 million to 108 whistleblowers, compared to 39 whistleblowers in fiscal year 2020 and [over] $1 billion in [lifetime] awards.”

Zatko asserts that he was fired for notifying Twitter’s board of significant internal control concerns. His filing documents include many serious allegations, such as:

  • Senior leaders routinely overstated IT security effectiveness to the board, thereby limiting governance, clouding oversight and stalling remediation.
  • Approximately 50% of Twitter’s 500,000 servers lack adequate encryption. Nearly 40% of Twitter employee devices need better cyber protection and one-third incorrectly block common software fixes.
  • Under-protected employee technology allows broad and untrackable access to Twitter’s source code, databases and user accounts. Zatko attributes nearly 60% of recent security breaches to these suspected poor controls.
  • Lax employee screening resulted in hiring foreign government agents.

If true, such astonishing assertions indicate IT vulnerabilities that could easily undermine or derail key business operations, revenue generation and company value. Such risk management challenges are neither new nor distinct to Twitter.

X factor

As discussed in a previous Forbes post, “Here’s What Boards Need, CFOs Want And CIOs Must Do To Tackle Cyber Risk,” many companies are responding to the new cyber regulations with “corporate stagecraft” that’s inadequate and disconnected from measuring cyber threats’ real strategic, reputational, operational and financial risks.

That’s why the SEC has advanced the new cyber risk governance requirements and the National Association of Corporate Directors (NACD) provides X-Analytics Cyber Risk-Reporting Service to its 23,000 corporate director membership.

Chris Hetner, former senior cybersecurity advisor to SEC Chairs White and Clayton and currently Nasdaq Center for Board Excellence Insights Council member and Senior Cyber Risk Advisor to the NACD, urges boards to center cybersecurity decisions on “the financial and business impact connected with each digital risk type. That immediately connects continuous risk assessments to strategy and business resilience.”

“This is an opportunity for the cybersecurity community to leverage advancements in financial analytics broadly deployed within the risk transfer markets into boardrooms. It’s time for the CIO and CISO community to leverage these capabilities in routine reports to boards, CFOs and audit committees,” Hetner emphasized.

Business-aligned cyber risk reporting, open communication and a resilience culture are essential, preemptive steps boards can take to avoid whistleblower crises.

Key witness

Credible public company whistleblower reports can rattle audit firms too. When such cases arise and investigations ensue, public officials, courts and regulators will logically turn to an indispensable witness: the outside auditors.

Since 2009, PricewaterhouseCoopers has audited Twitter, generating approximately $10 million in annual fees in recent years. Most recently, in Twitter’s 2021 10-K, PwC opined on February 22, 2022 that Twitter “maintained, in all material respects, effective internal control over financial reporting.” PwC’s audit testwork parallels Zatko’s complaint timeline and could independently help expedite case resolution.

PwC must now, at great time and expense, likely prepare for congressional testimony, SEC hearings, legal depositions and other public scrutiny. PwC will be asked about its audit procedures, findings and conclusions — and the whistleblower’s credibility.

Their peer firms will be watching closely. It won’t be long before audit scope, fees and tech-related exposure complexities top audit committee agendas.

Do corporate directors understand how the Zatko complaint will drive those challenging board-audit partner conversations and resulting difficult choices?

Tight leash

Regulators have upped interest in professional service providers’ roles in misconduct. In his remarks to Congress, Grewal signaled renewed SEC attention, indicating, “Robust enforcement also includes a focus on gatekeeper accountability. Accountants and attorneys are often the first lines of defense against misconduct. When they fail to live up to their obligations, investors and the integrity of our markets suffer.”

Grewal concluded, “We will continue to take a hard look at gatekeepers to ensure that they are fulfilling their own professional responsibilities and not giving cover to corporations or executives engaged in possible misconduct.” That certainly should concern audit firms with clients facing SEC-related whistleblower disputes and can strain the relationship between corporate directors and their public accountants.

Seven questions

Here are seven questions to help boards determine if they have senior leaders who can find, explain and fix tech concerns that can (and will) jeopardize the business. Each can be adapted by legislators, regulators and litigators probing the Twitter-Zatko case.

  1. What is the overall financial exposure to cyber risks and cyber attacks?
  2. Which cyber threat types will most likely cause significant financial loss and reputational harm?
  3. Which investments in cyber risk tools most effectively mitigate financial loss, avert shutdowns and fortify business resilience?
  4. Which specific external standards should the company apply to assess cybersecurity and technology risk management effectiveness?
  5. Does the board have sufficient and timely oversight over internal threats to data security, IT systems and confidential information?
  6. How quickly and how well does the company fix IT control gaps?
  7. Do credible whistleblower policies and procedures exist to quell, circumvent and outpace executive resistance to bad news?

The (non)responses to these “starter” questions tell much about cyber readiness.

Time’s up

The 84-page Zatko complaint is a must-read for business leaders empowered to assess, fund and manage next-generation tech initiatives. Its subtext is a clarion call for boards to act swiftly, smartly and decisively to ensure digital era success with trusted stewardship. Going forward, deniability is no longer plausible.

Who’s whistled next?
