The notorious SolarWinds cyber breach of 2020 is making headlines once again, and CISOs everywhere are talking about how the latest legal filings may have a lasting impact on how they do their jobs.
SEC Charges SolarWinds CISO
As discussed in our earlier blog, “The Rise of CISO Accountability,” the SEC previously sent notices to SolarWinds and CISO Timothy Brown that it had launched an investigation into the company’s handling of the “Orion” cyber breach. Now, the SEC has filed civil charges against both SolarWinds and Brown personally.
Since this is a civil action, not a criminal charge, Brown isn’t facing jail time. However, he could be ordered by the courts to pay a hefty fine. In addition, if the SEC gets their way, he’ll be barred from sitting on corporate boards or being an officer of a publicly traded company ever again.
Allegations Against SolarWinds
The filing alleges that from 2018 to early 2021, SolarWinds engaged in fraudulent activities by making “misstatements, omissions, and schemes that concealed both the company’s poor cybersecurity practices, and its heightened – and increasing – cybersecurity risks.”
The SEC also claims that SolarWinds’ internal emails and documentation detailed a very different and more damning picture of their overall state of cybersecurity than their public facing statements. In statements to the media and the SEC filings SolarWinds claimed they maintained a high level of cyber security, including strict password policies and access controls. The SEC claims these statements were false.
SolarWinds Fires Back
SolarWinds and its embattled CISO are fighting back against the accusations.
In a statement posted on their corporate website, SolarWinds claimed they had appropriate cybersecurity controls in place and called the lawsuit, “fundamentally flawed—legally and factually.” They further accused the SEC of quoting emails and documents out of context, and constructing a false narrative about their security posture.
SolarWinds also emphasized the potentially negative effect of the lawsuit on cybersecurity. They argued that the pressure to disclose sensitive security information in public filings and the potential chilling of candid internal communications among security personnel could ultimately harm overall cybersecurity efforts.
Other cybersecurity experts agree. No company has complete alignment between internal and external messages. The discrepancy stems partially from legitimate security considerations, as no company would publicly invite threat actors in by publicly disclosing vulnerabilities. However, it’s vitally important to discuss these issues internally so they can be fixed.
CISOs in the Regulatory Crosshairs
The SolarWinds lawsuit unfolds against the backdrop of new SEC regulations which were adopted in July, 2023 placing new requirements for cybersecurity risk management and reporting on all public companies.
Among the most controversial regulations is the requirement for companies to report a cybersecurity breach or incident within only four business days. That short window of time puts a heavy burden on CISOs, especially during a crisis when their focus and attention needs to be spent restoring systems to full working order, or getting production lines moving, while also possibly negotiating with ransomware threat actors.
New York Takes A Stand
Beyond the SEC, New York State is also flexing its regulatory muscles against companies they view as lax on cybersecurity. In two recent cases, the New York Attorney General imposed large fines against two companies that suffered major cyber attacks. First, a substantial $450,000 fine was levied against US Radiology, a major private radiology company, due to a 2021 ransomware attack compromising data from almost 200,000 patients. The state claims that US Radiology failed to address a known vulnerability in a SonicWall device. Similarly, Long Island’s Personal Touch home care agency faced a $350,000 penalty for failing to protect data from 300,000 New Yorkers. In both cases, the company’s failure to take proper proactive measures led to public harm.
Where Does This Leave CISOs?
On the hot seat, for better or worse.
Now that we know CISOs may be held legally liable it’s more important than ever for them to take proactive measures. Here are several steps CISOs can take right now.
Consider D&O Insurance:
Verify that you are covered by your organization’s Directors and Officers (D&O) insurance policy. This insurance, typically employed to shield company leaders from personal claims, can be extended to the CISO. In the event of personal financial losses stemming from lawsuits or other costs arising from a cybersecurity incident, D&O insurance functions as a crucial safety net. It serves as a protection against personal liability, offering coverage for legal costs and damages should decisions related to cybersecurity measures lead to legal challenges.
Consult with Corporate Legal Counsel, Often:
CISOs should not navigate these challenges alone. Regular consultations with corporate legal counsel and those in direct communication with the SEC are imperative, especially if there’s a material cybersecurity incident.
Document, Document, Document:
We can’t stress this enough. Meticulous documentation is vital to the CISO. Decision-making should be anchored in demonstrable data rather than instinct. A comprehensive paper trail detailing decisions and the rationale behind them becomes crucial, offering both accountability and a robust defense. This is particularly true in cases where, unfortunately, the CISOs recommendations are not being followed, or there are corporate officers not willing to take necessary steps to ensure cybersecurity.
The best way to create a cybersecurity defense plan is with a platform that is created by CISOs for exactly that purpose.
SAGE, an AI-driven cyber defense platform, serves as a valuable ally in the CISO’s mission to establish and sustain an efficient defense plan. By autonomously assimilating reports and assessments from diverse vendors, SAGE ensures the plan remains relevant and adaptable. Its AI functionalities connect and analyze the intricacies of the defense strategy, offering practical support for CISOs navigating the complexities of cybersecurity.
To learn more about how SAGE can help you with cyber defense planning, book a demo today.