SolarWinds And A Controversial New Era For CISOs
The notorious SolarWinds breach of 2020 is back in the headlines, and CISOs everywhere are discussing how the latest legal filings could permanently change how they do their jobs.
What You Will Learn
- The SEC charges against SolarWinds and its CISO Timothy Brown
- Allegations of fraud and misrepresentation in SolarWinds’ cybersecurity practices
- The implications of new SEC regulations on CISOs, including reporting requirements
- Actions CISOs can take to protect themselves, including insurance, legal counsel, and documentation
SEC Charges SolarWinds CISO
The SEC had previously informed SolarWinds and its CISO, Timothy Brown, that it was investigating the company's public statements about its cybersecurity and its handling of the "Orion" supply-chain breach. Now the SEC has filed civil charges against both SolarWinds and Brown personally.
Because this is a civil action rather than a criminal charge, Brown is not facing jail time. He could, however, be ordered by the court to pay a substantial civil penalty, and if the SEC gets its way he will be permanently barred from serving as an officer or director of a publicly traded company.
Allegations Against SolarWinds
The complaint alleges that from 2018 to early 2021 SolarWinds defrauded investors through "misstatements, omissions, and schemes that concealed both the company's poor cybersecurity practices, and its heightened – and increasing – cybersecurity risks."
The SEC also claims that SolarWinds' internal emails and documentation painted a very different, and far more damning, picture of the company's security posture than its public statements did. In statements to the media and in its SEC filings, SolarWinds said it maintained a high level of cybersecurity, including strict password policies and access controls. The SEC alleges those statements were false. The alleged offense, in other words, is not the breach itself but the gap between what the company knew internally and what it told investors.
SolarWinds Fires Back
SolarWinds and its embattled CISO are fighting back against the accusations.
In a statement posted on its corporate website, SolarWinds said it had appropriate cybersecurity controls in place and called the lawsuit "fundamentally flawed—legally and factually." The company further accused the SEC of quoting emails and documents out of context to construct a false narrative about its security posture.
SolarWinds also emphasized the potentially negative effect of the lawsuit on cybersecurity. They argued that the pressure to disclose sensitive security information in public filings and the potential chilling of candid internal communications among security personnel could ultimately harm overall cybersecurity efforts.
Many cybersecurity practitioners share that concern. No company's internal and external messaging is perfectly aligned, and part of the gap is legitimate: no organization would hand threat actors a roadmap by publicly listing its unpatched weaknesses. Internally, however, those weaknesses have to be discussed candidly, and in writing, so they can be fixed. The danger is that security teams, fearing a frank email will later be quoted in a complaint, stop writing them.
CISOs in the Regulatory Crosshairs
The SolarWinds lawsuit unfolds against the backdrop of new SEC rules, adopted in July 2023, that impose cybersecurity risk management, governance and incident disclosure requirements on all public companies.
The most controversial requirement is that companies must disclose a cybersecurity incident within four business days. The clock starts not at discovery but when the company determines the incident is material, and that determination cannot be unreasonably delayed. Four business days is a very short window, and it puts a heavy burden on the CISO at precisely the moment when attention should be on restoring systems, getting production lines moving again, and possibly negotiating with ransomware actors.
New York Takes A Stand
Beyond the SEC, New York State is flexing its regulatory muscles against companies it views as lax on cybersecurity. In two recent cases, the New York Attorney General imposed substantial penalties on companies that suffered major cyber attacks. US Radiology, a large private radiology company, was fined $450,000 over a 2021 ransomware attack that compromised the data of almost 200,000 patients; according to the Attorney General, the attackers got in through a known, unpatched vulnerability in a SonicWall device. Similarly, Long Island home care agency Personal Touch was fined $350,000 for failing to protect the data of 300,000 New Yorkers. In both cases, the state's position was that the company's failure to take basic proactive measures led to public harm.
Where Does This Leave CISOs?
On the hot seat, for better or worse.
Now that we know CISOs may be held personally liable, it is more important than ever for them to take proactive measures. Here are several steps CISOs can take right now.
Consider D&O Insurance:
Verify that you are covered by your organization's Directors and Officers (D&O) insurance policy. D&O coverage is typically written to shield company leaders from personal claims, and it can be extended to the CISO, but do not assume it: confirm in writing that you fall within the policy's definition of an insured person, and check whether it covers the costs of regulatory investigations and enforcement actions, not just lawsuits by private parties. If it does, D&O insurance is a crucial safety net against personal liability, covering legal costs and damages should decisions about cybersecurity measures lead to legal challenges.
Consult with Corporate Legal Counsel, Often:
CISOs should not navigate these challenges alone. Consult corporate legal counsel and the people responsible for the company's SEC filings regularly, and in particular before any public statement about the security program: the SolarWinds complaint rests on the gap between public claims and internal reality, so every security claim in a filing, a press release or a website statement should be checked against what the team actually knows. In a material cybersecurity incident, counsel must be involved from the start, because deciding when the four-business-day disclosure clock begins is a legal determination as much as a technical one.
Document, Document, Document:
We can’t stress this enough. Meticulous documentation is vital to the CISO. Decisions should rest on demonstrable data rather than instinct, and a comprehensive paper trail of what was decided, when, by whom and why provides both accountability and a robust defense. This matters most in the uncomfortable cases: when the CISO's recommendations are not followed, or when other corporate officers are unwilling to take the steps needed to secure the company. Record the recommendation, the risk it addressed, who declined it and on what grounds, so that an accepted risk is visibly the organization's decision rather than the CISO's silence.
A cyber defense plan is easier to build and maintain on a platform designed by CISOs for exactly that purpose.
SAGE, an AI-driven cyber defense planning and optimization platform, is built to help CISOs establish and sustain an effective defense plan. It automatically ingests reports and assessments from multiple vendors so the plan stays current, and its AI connects and analyzes the pieces of the defense strategy, giving CISOs practical support in navigating the complexities of cybersecurity.
To learn more about how SAGE can help you with cyber defense planning, book a demo today.
Key Takeaways
- The SEC has filed civil charges against SolarWinds and its CISO for alleged misrepresentation of cybersecurity practices.
- SolarWinds disputes the charges, claiming the lawsuit distorts their actual security posture.
- New SEC rules require public companies to disclose a material cybersecurity incident within four business days of determining it is material, adding pressure on CISOs.
- New York State has imposed fines on companies for failing to address known vulnerabilities, highlighting increased regulatory scrutiny.
- CISOs should confirm they are covered by their company's Directors and Officers (D&O) insurance, consult legal counsel regularly, and maintain thorough documentation of cybersecurity decisions and of the risks others chose to accept.