Last Updated Jan 9, 2018 7:25 PM EST
Intel (INTC) CEO only three months before the chipmaker disclosed could invite scrutiny from the Securities and Exchange Commission, according to experts.
Like many Fortune 500 CEOs, Krzanich sells restricted stock and exercises options that he earns as compensation under a preset schedule with the SEC, designed to avoid the appearance that he's profiting from insider information.
Krzanich's latest sale on Nov. 29, however, stood out for several reasons.
According to Ben Silverman of InsiderScore, Krzanich exercised options valued at more than $28 million and unloaded about 250,000 shares of restricted stock. This was a sea change from his previous sales from 2015 to 2017 that averaged between 35,000 and 79,000 shares, which he did under prior preplanned purchases. But in June last year -- months before Krzanich's latest sale -- cybersecurity experts informed Intel about vulnerabilities that would enable hackers to gain access to chips made by Intel and others.
Those flaws were revealed to the public just last week. Since then, two U.S. lawmakers -- Sen. Jack Reed, a Rhode Island Democrat, and Sen. John Kennedy, a Louisiana Republican -- have asked federal regulators to open an investigation into the stock sales. The two made their demand in a letter sent Tuesday to the Securities and Exchange Commission and the Justice Department. Intel says it will cooperate with any investigation.
According to Intel, Krzanich continues to hold shares of the tech bellwether in line with corporate guidelines. The company also defended how it disclosed the security issue.
"In this case, the security researchers presented their findings in confidence, and other companies and we worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible," according to a company spokesperson.
Krzanich's sales, however, may be problematic.
"The $64,000 question is what did he know, and when did he know it," said James Cox, a professor at Duke Law School, who specializes in securities law. He added that the SEC may take a closer look at Krzanich's actions. "I think his goose is cooked quite frankly, given how long the information was in the organization and his proximity to the information."
Executives at major corporations like Intel have their insider sales scrutinized by both internal compliance departments and often by their personal attorneys, according to Jacob Frenkel, a former SEC enforcement attorney. A spokeswoman for the SEC declined to comment for this story.
Intel remains in damage-control mode following last week's disclosure of two vulnerabilities, dubbed Meltdown and Spectre, which could allow hackers to steal data from insider the memory of computers. Most Intel-equipped computers sold during the past two decades could be at risk. It isn't clear how many smartphones and tablets made by Apple (AAPL), Samsung, Qualcomm (QCOM) and others that run on chips based on ARM technology, may be affected.
Krzanich opened his keynote talk Monday night at the annual CES gadget show in Las Vegas by addressing the hard-to-fix flaws disclosed by security researchers last week. At an event known for its technological optimism, it was an unusually sober and high-profile reminder of the information security and privacy dangers lurking beneath many of the tech industry's gee-whiz wonders.
Some researchers have argued that the flaws reflect a fundamental hardware defect that can't be fixed short of a recall. But Intel has pushed back against that idea, arguing that the problems can be "mitigated" by software or firmware upgrades. Companies from Microsoft to Apple have announced efforts to patch the vulnerabilities.
And Krzanich promised fixes in the coming week to 90 percent of the processors Intel has made in the past five years, consistent with an earlier statement from the company. But he also added that updates for the remainder of those recent processors should follow by the end of January. Krzanich did not address the company's plans for older chips.
"Hardware vulnerabilities have been identified and exploited in the past, but what's unique about this is the pervasiveness of the vulnerability," said Charles Carmakal, a vice president with the cybersecurity firm FireEye's (FEYE) Mandiant business. "Nearly all modern microprocessors are vulnerable. Servers, workstations, laptops, mobile devices and others."
Though the financial impact on Intel likely will be "limited," the security flaws will be a "black eye" to the chipmaker, according to Raymond James analyst Chris Caso.
"Enterprise server and cloud customers will naturally take this issue more seriously, and we would expect them to quickly identify any applications that would suffer from performance degradation after a patch is applied," he wrote in a client note. "But in such cases, the most likely remedy would be to simply buy a new server."
Operating systems, public cloud service providers such as Amazon (AMZN) Web Services, device manufacturers and others have issued patches. The average computer user likely won't notice any significant change in performance after installing the patches, according to Intel. So far, there is no evidence that hackers have exploited the vulnerabilities.
"However, just to be clear, that doesn't mean that it hasn't been exploited," Carmakal said. "We just don't have evidence of it yet. It's possible that we will later learn that this had been exploited in the past. With other types of vulnerabilities, we have learned of past exploitation after vulnerabilities had been publicly disclosed."
If any such evidence does surface, it will only make Krzanich's seat even hotter.
--With reporting by The Associated Press.