If you are a publicly traded software company, and your customers access your product through a server, and you provide them with a default password to log into the server, and the default password is “password,” is that securities fraud? You know the answer!
Is that right? It feels not quite right, in the sense that you rarely see equity research notes about public companies that are like “upgrading this company to a Buy based on its strong password policies.” The claim here is not really, not seriously, that investors read SolarWinds’ password policy, and decided to invest based on that policy, and then lost money when the password policy turned out to be fake. The more likely story is that investors blithely assumed most companies have good practices across a range of domains and figured that, if SolarWinds really was just letting anyone into its software, someone would tell them.
‘Enforcement 40’ for 2020
Join Us On LinkedIn
Join the Securities Litigation and Enforcement Group on LinkedIn