In a recent development, the SEC has taken a significant step in its cybersecurity enforcement efforts by charging SolarWinds Corporation and its Chief Information Security Officer (CISO) with securities fraud and related violations. The action marks a departure from the SEC's historical focus on negligent disclosure failures following incidents that compromised individuals' personal information. Unlike past cases, the SEC's Complaint, which notably names the CISO personally, asserts that SolarWinds and its CISO deliberately made misleading public statements about the company's cybersecurity practices while omitting material facts they knew. This post examines the SEC's case against SolarWinds and what it means for cybersecurity leaders navigating this evolving regulatory landscape.
Litigation Background
· In October 2023 the SEC filed a complaint against SolarWinds and its CISO, Timothy Brown, alleging securities fraud and related violations based on misleading statements made between October 2018 and January 2021.
· The allegedly misleading statements are tied to the drop in SolarWinds' stock price after the company disclosed the SUNBURST supply-chain attack in December 2020.
Allegations against SolarWinds
· Public claims of adherence to cybersecurity standards, including the NIST Cybersecurity Framework and secure development lifecycle (SDL) practices, that the company allegedly did not actually follow.
· Periodic filings that contained only generic, hypothetical cybersecurity risk statements and did not address specific risks the company already knew about.
· A Form 8-K on the SUNBURST incident that, while being drafted, allegedly omitted attacks against customers that the company had already confirmed.
· The first SEC fraud charge against a CISO individually, signalling a shift in enforcement focus.
Implications
· Cyber Risk Disclosures Matter: Describing cyber risks as hypothetical when material incidents have already occurred can itself be misleading.
· Form 8-K Scrutiny: Disclosures about material cyber events need to be complete; leaving out known facts invites scrutiny.
· Individual Accountability: The CISO is charged with making deceptive public statements and with aiding and abetting SolarWinds' violations.
· Section 13(b)(2)(B) Charges: Applying the Exchange Act's internal accounting controls provision to cybersecurity controls signals an expanded regulatory reach.
Changing Role and Responsibilities of Cybersecurity Leaders
· Crafting Public Statements: Every statement about cybersecurity must be carefully vetted, not only SEC filings.
· Accurate Representations: CISOs carry heightened responsibility for accurately representing the company's security posture. The SEC alleges that the CISO knowingly made deceptive public statements, including in podcasts and blog posts, that touted the company's cybersecurity practices and hygiene.
· Personal Exposure: The SEC is seeking a permanent officer-and-director bar against the CISO.
· Supply Chain Scrutiny: Supply-chain companies, especially software vendors, face heightened scrutiny of their cybersecurity practices.
In the aftermath of the SEC allegations, discussions with security leaders surfaced three key challenges they face in meeting escalating regulatory obligations:
1. Data overload from security prioritization systems: Security leaders contend with the deluge of findings generated by vulnerability and control prioritization tools. Sifting through this volume is a formidable task that slows the identification and mitigation of the risks that actually matter.
2. Never enough time and budget for both operational management and strategic risk reporting: The perpetual struggle to balance day-to-day operations with strategic risk reporting is a significant hurdle. Scarce time and budget push leaders into a reactive stance, leaving strategic risk decisions poorly evidenced. Resolving this requires streamlined processes and tooling that improve operational efficiency while also producing comprehensive, timely risk reports.
3. Fragmented tools for cyber risk management: Security leaders need tools built to drive strategic, proactive cyber risk conversations with the board and regulators. Such tools should give a comprehensive view of current threats and control state, offer forward-looking insight into evolving risks, and let leaders articulate their cybersecurity strategy coherently to key stakeholders.
Addressing the Challenges
1. Leverage Automation to Convert Security Controls into Cyber Risks: Use a cyber risk automation platform that integrates with enterprise security tools through their APIs, so the state of each control is known with less ambiguity. Map controls to the MITRE ATT&CK and D3FEND frameworks to translate control state into the likelihood of specific cyber risks. This lets companies regularly monitor and assess their cybersecurity maturity, keep up with current threats and trends, and adjust the control landscape before risks materialize. Alfahive integrates with enterprise security tools and uses ATT&CK and D3FEND to translate security controls into cyber risk likelihood.
2. Assess the Impact of Cyber Risks to Your Business: Use a platform such as Alfahive's, which is trained on historical cyber loss event data and industry-specific risk scenarios, to assess the business impact of each cyber risk. A transparent, repeatable impact methodology supports informed risk decisions and makes it easier to disclose material cybersecurity risks and incidents accurately.
3. Simulate, Prioritize Risks and Report Strategically: Automate risk prioritization by simulating the current controls against relevant threat scenarios. Built-in reporting and dashboards cut manual reporting effort and enable strategic engagement with board members and regulators. Run regular assessments on the platform and keep an audit trail of every risk decision, so the company can show that it prioritized cybersecurity and invested in appropriate measures to protect its digital assets and customer data.
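The three steps above describe one pipeline: control state in, ATT&CK technique coverage, scenario likelihood, a ranked report with an audit record. The following script is an added illustration of that pipeline written for this page; it is not Alfahive's code or model. The control inventory, the mapping of controls to ATT&CK techniques, the effectiveness numbers and the base likelihoods are all constructed for the example (D3-MFA is a real D3FEND technique ID; the rest of the mapping is assumed), and in practice the `operating` flag would come from the security tool's API rather than a literal.

```python
"""Toy control-to-risk translation: control state -> ATT&CK technique coverage
-> scenario likelihood -> prioritized report with an audit record.
All inventory, mappings and numbers below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset   # ATT&CK technique IDs this control is mapped to
    effectiveness: float   # fraction of attempts stopped while the control operates
    operating: bool        # would normally be pulled from the tool API (constructed here)


# Constructed inventory; the D3FEND/ATT&CK mapping is an assumption for the example.
CONTROLS = (
    Control("MFA on SSO (D3FEND D3-MFA)", frozenset({"T1078", "T1110"}), 0.90, True),
    Control("Mail URL rewriting and sandboxing", frozenset({"T1566"}), 0.60, True),
    Control("Signed builds and isolated build pipeline", frozenset({"T1195.002"}), 0.70, False),
    Control("EDR on build servers", frozenset({"T1059"}), 0.50, True),
)

# Constructed prior: chance a capable attacker succeeds at the technique
# against an uncontrolled environment over the reporting period.
BASE_LIKELIHOOD = {"T1566": 0.80, "T1078": 0.60, "T1110": 0.40,
                   "T1195.002": 0.30, "T1059": 0.70}

# Scenarios as technique chains; every step in the chain must succeed.
SCENARIOS = {
    "credential compromise via phishing": ("T1566", "T1078"),
    "build-pipeline tampering (SUNBURST-style)": ("T1195.002", "T1059"),
    "password spraying": ("T1110",),
}


def residual_likelihood(technique, controls=CONTROLS):
    """Base likelihood reduced by each operating control mapped to the technique.
    Controls are modelled as independent, so their reductions multiply."""
    p = BASE_LIKELIHOOD[technique]
    for c in controls:
        if technique in c.mitigates and c.operating:
            p *= 1.0 - c.effectiveness
    return p


def scenario_likelihood(name, controls=CONTROLS):
    """Product of the residual likelihoods along the scenario's technique chain."""
    p = 1.0
    for technique in SCENARIOS[name]:
        p *= residual_likelihood(technique, controls)
    return p


def uncovered_techniques(controls=CONTROLS):
    """Techniques used by some scenario with no operating control mapped to them."""
    needed = {t for chain in SCENARIOS.values() for t in chain}
    covered = {t for c in controls if c.operating for t in c.mitigates}
    return sorted(needed - covered)


def prioritized_report(controls=CONTROLS):
    """Scenarios ranked by residual likelihood, plus the control state that
    produced the ranking so the decision can be audited later."""
    ranked = sorted(SCENARIOS, key=lambda s: scenario_likelihood(s, controls), reverse=True)
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "ranked_scenarios": [(s, round(scenario_likelihood(s, controls), 4)) for s in ranked],
        "uncovered_techniques": uncovered_techniques(controls),
        "control_state": [(c.name, c.operating) for c in controls],
    }


if __name__ == "__main__":
    print(json.dumps(prioritized_report(), indent=2))
```

With the constructed inputs the build-pipeline scenario ranks first because its first step, T1195.002, has no operating control (the signing control is present but switched off), which is exactly the kind of known gap that a generic "we may be subject to supply-chain attacks" risk factor would fail to convey. A real deployment would replace the multiplicative independence assumption with whatever calibrated model the platform uses, but the shape of the argument, and the audit record of the control state behind each ranking, stays the same.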
The SolarWinds case is a wake-up call for organizations worldwide. It highlights the importance of robust cybersecurity practices and of transparency in disclosing cyber risks and incidents, and it underscores the CISO's role in protecting not only digital assets but public trust.
As we move forward, investors and regulators are looking to CISOs and their teams to perform their roles well and to ensure that public statements about security are accurate. It is a responsibility that cannot be taken lightly, and one that requires constant vigilance, transparency, and a commitment to excellence.