"management wasn’t informed by staff for nearly a year after they occurred."
Doesn't sound very likely.
Verisign has admitted in an SEC filing that it suffered numerous data breaches in 2010, but that management wasn’t informed by staff for nearly a year after they occurred. In the 10-Q filing, the company said that it suffered multiple data breaches during 2010, and that data was stolen. Exactly what is missing the company isn’ …
If it were a BOFH, management would never have found out about it, and they probably would have wound up down a well somewhere or crushed in a lift. Knowing Symantec, those responsible more closely resemble Laurel and Hardy than Simon and the PFY and did not tell management lest they be terminated.
DNS is so inherently insecure after all, if some hacker can steal sensitive data using vulnerabilities in Adobe products, transmit it while pretending to be Windows Update, and spoof update.microsoft.com so that instead of going to an Akamai server network it goes to a botnet. And let's not forget how inherently insecure digital signatures are... even though there probably isn't a line of MS code being used at Verisign....
OK, I got it out of my system. Downvote away. It's 3 PM, I'm fried... :-)
If I remember the furore around Enron and the Sarbanes-Oxley legislation that was brought in afterwards, one of the key features was that the senior management was required to make sure they became aware of all risks to business continuity and the bottom line.
If the management was not aware, they cannot hide behind that. They are still liable for criminal prosecution if the SEC takes the view that investors were not informed of the risk to the business in a timely manner.
Watch this space. If sarbox has teeth and the regulators are serious about keeping things under control then we can expect sanctions against the directors here.