Teaching Note



                 PWC Bullying



                 Executive Summary


                 As more things come under software control they

                 become vulnerable to cyber-attacks. Often
                 equipment/devices which are inexpensive and long

                 lasting may rely on software control which receive

                 patches rather updates. This becomes a problem as

                 devices increasingly become interconnected at home, in
                 businesses, utilities and in government agencies.  ESNC

                 GmbH, Munich, is an independent company specializing

                 in real time Systems, Applications and Products (SAP)

                 security auditing and security analysis.  ESNC’s flagship
                 product ESNC Security Suite is used by many large

                 enterprises for compliance controls and vulnerability

                 scanning of their SAP systems. In August 2016 ESNC
                 contacted PWC and informed them that their system was

                 affected by a critical, remotely exploitable, security flaw.

                 Two weeks later PWC sent a cease and desist letter. It was

                 the first time ESNC had ever been legally threatened for
                 doing their job. PWC demanded that they "not release a

                 security advisory or similar information" relating to the

                 flawed software and were not to "make any public

                 statements or statements to users" of the software.
                 However, as part of its responsible disclosure policy, and

                 because “it was the right thing to do”, ESNC released their

                 findings. PwC was probably on shaky legal ground if it
                 had tried to sue ESNC But the flavour of the situation