Misuse of third-party software at Nutanix, Inc, an American cloud computing company that sells software and cloud services, has resulted in payouts of more than $11m to the vendors involved and the dismissal of some employees.
As the WSJ reported on Tuesday, the California-based company said the software was intended for evaluation purposes only, but it was used instead for business purposes by certain departments and individuals at Nutanix. Some employees intentionally concealed their actions from one of the vendors.
Nutanix’s audit committee concluded that software from two vendors was used in a “noncompliant manner” over multiple years, including for some “interoperability testing, validation and customer proofs of concept, training and customer support”.
Vendors not named
The estimated expense related to the software’s noncompliant use is $11m, Nutanix said, and the company expects to spend low-single-digit millions for “ongoing usage of the software on an annual basis.” Rukmini Sivaraman, the company’s chief financial officer, said the business is in contact with both vendors, which she did not name.
The internal investigation was first announced in a press release on March 6, and the investigation resulted in Nutanix being late in filing its 10-Q for the quarter ending on January 31 with the SEC.
On March 6, Nutanix also hosted an earnings call with investors and analysts to discuss the company’s fiscal Q2 2023 results. During the call, when asked to clarify why using evaluation software for interoperability testing, validation, and customer proofs of concept would incur additional expenses, Rajiv Ramaswami, Nutanix’s CEO, explained that the company would be required to pay the cost of using the software beyond the scope of its intended evaluation usage.
On this news, Nutanix’s stock price fell $2.27 per share, or 7.89%, to close at $26.50 per share on March 7, 2023.
Investigation ended
A spokesperson for the business said the investigation is over and the company “determined that it was not material to our previously issued financial statements” and that it “should have minimal impact going forward.”
In the Form 10-Q submitted last week, Nutanix said it found “no evidence of wrongdoing by current senior management or by any members of the finance, legal or accounting departments”.
Nutanix’s internal probe of the software misuse further revealed a “material weakness” in its internal controls on financial reporting, which led to a “material understatement” of expenses and liabilities going back to August 2014, the company stated.
Class-action lawsuits
After the company announced its internal investigation, a federal securities class-action suit was filed against Nutanix in the Northern District of California on April 14. The litigants allege the company made “misstatements and/or omissions in certain of our financial statements, news releases, and SEC filings” from September 21, 2021, through March 6, 2023.
And on May 5, a separate complaint was filed in the Northern District of California, alleging “breach of fiduciary duties, and aiding and abetting breach of fiduciary duties” based on allegations similar to those in the class-action complaint.
The April 14 lawsuit is on behalf of a class consisting of all persons and entities that purchased or otherwise acquired Nutanix securities between September 21, 2021 and March 6, 2023.
It cites how the misuse of the licensed software has resulted in the company incurring significant extra expenses, causing it to make public statements that were false and misleading, which led to the stock-price tumble, plus a deficiency from Nasdaq as a result of the company’s late 10-Q filing.
Program remediation
The company said it terminated the employees found primarily responsible, and it plans to implement employee training around such things as financial reporting, buying software, and ethics, plus create additional controls around how third-party software is used.
The company’s chief information officer, Wendy Pfeiffer, resigned in March “to pursue an external opportunity,” a Nutanix spokesperson told the WSJ, and the company is searching for a replacement.
Nutanix was founded in 2009 and went public in 2016. It was the largest venture capital-backed IPO of 2016 in the United States. In 2017, the company partnered with IBM to create a series of data center hardware using IBM Power Systems for business apps. It reported an 11% year-over-year rise in revenue of $448.6m for the quarter ending April 30, higher than analysts had estimated.
Basic oversight
Despite its financials, size, and age, the company surprisingly lacked some basic oversight of its software-licensing privileges and its financial reporting and financial controls.
There is certainly technology to help monitor software licensing, and businesses must fully appreciate what type of license they have for any software’s actual (and not intended) use. All software and the code embedded in it come with certain rights and obligations if used by others or incorporated into another company’s codebase.
Even open source software, although free of cost, is not free of obligations; it’s just controlled by a different sort of license. And even software licenses deemed “permissive” are not as unrestricted as those demarcated “public domain” or “unlicensed” and often require at least usage information retention.
In conjunction with monitoring third parties, companies must monitor how their employees manage vendor relationships, including how they handle vendor tools and data.
GRIP view
You can’t always trust employees to act in the best interest of your company, which means not only having policies to ensure the security of company data and information, but also overseeing and enforcing those rules, training on them, and having managers attest to doing so.
Even if no senior managers participated in the wrongdoing here, the employees who intentionally concealed their actions from a vendor likely had a supervisor at Nutanix.
And the lawsuits are reminders that there is great risk when a public company subjects its shareholders to years of extra expenses due to oversights that a combination of technology, better supervision, and quality training could have prevented.
The good news: The managers who discovered the misuse during a software purchase review and brought it to the attention of the audit committee for its review deserve some credit, albeit with a delay in doing so. And the company said it is addressing its internal-controls deficiencies, which will only help it avoid such lapses going forward.