COMMENTARY

In October 2023, the Securities and Exchange Commission (SEC) dramatically altered the landscape for security professionals by initiating a groundbreaking lawsuit against SolarWinds Corp. and its chief information security officer (CISO). The case was notably the first time the SEC has charged a CISO individually in an enforcement case and has many security leaders questioning what immediate steps they should take to protect both themselves as individuals, as well as their organizations, against similar litigation.

Nearly everyone working in cybersecurity today is aware of the SolarWinds breach, disclosed in December 2020, in which a threat actor gained unauthorized access to the IT-management software vendor's build environment and inserted malicious code into its Orion software. SolarWinds then unknowingly shipped the trojanized Orion updates to customers through its normal software update channel.

In the October 2023 complaint, the SEC sued SolarWinds and its CISO, Timothy Brown, alleging that both made false and misleading statements to investors about SolarWinds' cybersecurity risks, practices, and vulnerabilities in documents filed with the SEC, in a "Security Statement" posted to the company's website, and in various other media, including press releases, podcasts, and blog posts.

What Should CISOs Do?

The SEC’s case may take years to resolve through litigation, but here are five action items all public company CISOs should consider now.

  • Establish a clear line of communication with the CFO and financial reporting team. The SEC reporting and information security functions must be closely aligned. Coordination is especially important in light of the Form 8-K rules for material cybersecurity incidents, which start a four-business-day disclosure clock once the company determines an incident is material; the CISO's team is typically the first to know the facts that drive that determination.

  • Ensure statements intended for customers or vendors are subject to comparable levels of review as those intended for shareholders. It is a common misconception that liability under the US securities laws attaches only to statements made in SEC filings. As the SolarWinds case shows, the SEC takes the position that all public communications — including blog posts, press releases, and oral statements — can influence the total mix of information for investors. There is a fine line between marketing puffery and potentially misleading investors, and all public statements must be crafted with investors and potential securities liability in mind.

  • Be certain that information security policies and controls are documented, actually implemented, and consistent with what the company says about them publicly. A central allegation in the case is that SolarWinds' public Security Statement described practices that its own internal assessments contradicted. One of the most controversial elements of the case is the SEC's further allegation that, by engaging in this misconduct, SolarWinds failed to maintain adequate internal accounting controls. However this issue is ultimately resolved via litigation, the SEC may look to bring similar claims in the future against other companies. CISOs should also take stock of the directors-and-officers insurance coverage and corporate indemnification agreements available to them personally.

  • Team with internal audit and other assurance providers. Independent testing of controls makes systems more resilient and produces evidence that the controls described in public statements actually exist, and having more than one set of eyes on external communications helps catch errors before they are published.

  • When in doubt, consult counsel. The SEC’s views on cybersecurity are complex and rapidly evolving. When novel or uncertain fact patterns emerge, be sure to discuss them with cybersecurity counsel experienced in SEC matters.

The SEC prioritizes investor protection when addressing cybersecurity breaches, which often involve complex issues like data privacy and national security. Its 2023 cybersecurity disclosure rules require public companies to describe their cybersecurity risk management, strategy, and governance in annual reports and to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. How the SolarWinds litigation ends remains to be seen, but there is no question that these cases are setting a precedent that could reshape how cybersecurity disclosures are handled across industries, underscoring the increasing importance of transparency and accountability in the digital age.

Source: www.darkreading.com