As SEC SolarWinds Case Plays Out, CISOs Shift Into Defensive Mode
The SEC is on a tear over cyber risk, with new rules and a SolarWinds lawsuit that have shaken the CISO community. Experts say this is just the start of regulators demanding more cybersecurity transparency. Here’s how CISOs need to adapt.
Between its contentious lawsuit against SolarWinds, which met with fiery legal pushback last week, and new rules requiring more cybersecurity transparency, the Securities and Exchange Commission is rattling nerves throughout the CISO community.
Some CISOs (chief information security officers) at publicly traded companies are so shaken that they’re even thinking of leaving the profession. Those sticking it out are heeding experts’ advice and taking steps to protect themselves.
The SEC’s ramped-up scrutiny began last July when, in what many saw as a heavy-handed move, the regulatory body approved new rules requiring publicly traded companies to annually detail how they manage risk.
Effective as of last month, the rules call for companies to:
- Disclose cybersecurity incidents within four days of learning about them if they are “material,” meaning they could affect shareholder value. The disclosure would be through an 8-K form.
- Divulge in their annual 10-K reports their processes for managing material cybersecurity risks.
- Detail in these filings how often their boards of directors are addressing or minimizing risk as well as their knowledge and experience for doing so.
The enactment of these rules came on the heels of the SEC’s October charges against SolarWinds and its CISO, Timothy Brown, alleging that they misled investors about the company’s security posture and failed to take basic security precautions in the lead-up to the catastrophic Sunburst cyberattack, which took place between 2018 and 2020. That attack affected the supply chains of more than 30,000 public and private organizations.
Denying the allegations, SolarWinds filed a motion to dismiss the case on January 26. The company claims the SEC was out of its depth and calls the charges “absurd” and “as unfounded as they are unprecedented.” The motion went on to describe the SEC’s targeting of Brown as “unwarranted” and “inexplicable,” noting there was no evidence “remotely suggesting” he’d tried to deceive investors. CISOs themselves have expressed varied views on the suit and culpability of their fellow security leader.
The charges mark the first time the SEC has targeted a specific CISO or held one personally liable for actions related to a major breach. (Uber’s security chief, Joe Sullivan, was sentenced to three years’ probation after being convicted of obstructing a Federal Trade Commission investigation into a breach that exposed the data of 57 million customers and drivers in 2016.)
Ironically, the SEC, while going after SolarWinds for supposedly not doing enough to fortify its networks, was itself hacked in early January after IT staff reportedly disabled multifactor authentication protections.
“Obviously, the timing was not ideal,” says former McDonald’s CISO Shaun Marion. “It just goes to show that these things can happen to anyone. Managing a large-scale security program is complex.”
CISOs feeling the heat
Marion says many of his CISO peers “actually agree” with the SEC’s efforts to improve transparency for shareholders but vigorously disagree with its tactics, which are causing them to rethink or even abandon their cybersecurity careers – especially those with publicly traded companies. And this is at a time when qualified CISOs are already hard to find.
The risk of being personally blamed for a security incident is particularly concerning, he says, because CISOs are not the only ones involved in executing or communicating about security. Employees across organizations make frequent decisions impacting security posture that CISOs never see or hear about, he says.
Yet, unlike other C-suite executives, many CISOs are not really considered officers, he notes. As a result, about one in three (34%) U.S. CISOs do not receive director and officer (D&O) insurance protection, according to a Heidrick & Struggles CISO survey.
“This has caused me to rethink my job,” admits Marion. “I got into this profession because I was a tinkerer. I loved to see what bounds I could push with security. I was always trying to do the right thing. But to know I could be held personally liable because of a decision someone else made without involving me . . . man, that’s not the job I got into.”
Don’t blame the SEC – entirely
So how should CISOs who intend to stay in the profession respond after the SEC complaint? The answers lie in understanding what it’s all about.
At their core, the charges should be viewed more broadly than one government entity going after one company or one individual, experts say. Rather, they argue, CISOs should see this as the first of what could be many similar salvos from regulatory bodies demanding more cybersecurity transparency. It should not matter if it’s the SEC, FCC, DHS, CFPB, or any other three- or four-letter agency; going forward, they will all become interchangeable names in an ongoing government crackdown, they say.
“I would be surprised if this didn’t happen again,” says Frank Dickson, an IDC cybersecurity analyst. “If not in the U.S., it almost certainly will happen again in Europe.”
The key takeaway, he says, should be that CISOs will no longer be able to completely conceal their cybersecurity policies and practices to keep hackers guessing. More disclosures will continue to be required, and CISOs will have to accept that.
Strive for communication consistency
Similarly, experts say CISOs will not be able to get away with presenting one set of facts about their organization’s security posture internally while issuing different statements externally. A core allegation in the SEC’s action is that SolarWinds and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices and the increasingly elevated risks it faced – and admitted as much in internal communications. But externally, the agency alleges, they painted a “false picture” through misstatements, omissions, and schemes that hid their “poor cybersecurity practices” and increased risk.
This increased emphasis on internal and external communications could have a “chilling effect” on CISO communications, says Dickson.
“The role of the CISO has fundamentally changed over the past five years,” he says. “CISOs are no longer security practitioners but are seen as corporate security architects who actively counsel executives as well as customers. If they aren’t factually congruent in everything they say or write, they could run into people or agencies claiming they’re being misleading, which is the last thing most CISOs want.”
Dickson recommends that CISOs continue communicating but says they should double down on being thoughtful and deliberate whenever they talk about their cybersecurity priorities and actions. To head off potential legal landmines, Dickson adds that CISOs should also run pertinent internal and external communications past their in-house attorneys.
Take notes like crazy
At the same time, although most corporate attorneys would counsel otherwise, security experts recommend CISOs keep copious notes of all critical conversations with senior executives, especially those where they may have warned of cybersecurity issues or recommended measures to address them.
“Write more stuff down and make sure you have everything documented in a ledger,” advises Andrew Jaquith, former CISO for the Covington & Burling law firm. “If a cybersecurity incident is ever revisited, you want to be able to show you did your utmost to get the underlying issue fixed and prove you had a dialogue about it with senior management. Have a paper trail.”
Marion agrees but advocates even stronger defensive measures.
“I am making sure for my own self-preservation that I’ve got a paper trail of the decisions I made, why I made them, when I got pushback, and from whom, because I have to be my own advocate,” he says. “I’m going to err heavily on over-reporting cybersecurity incidents, working through my legal counsel, because I don’t want to be in the position of not reporting something we should have. Also, when it comes to risk at the company, I’m also going to be much more aggressive with how I relay that to senior leaders. I am no longer going to be the sole person who is aware of the risk and trying to manage it. I am going to share that risk with others.”
Demand D&O insurance
Security experts also say it is time for CISOs to speak up and use the SEC action against SolarWinds and Brown to justify their companies finally giving them D&O and Errors & Omissions (E&O) insurance, even though few are considered true officers. At a minimum, it should happen as part of salary negotiations before taking a CISO job. But CISOs can also negotiate such things after they’ve been hired, experts say.
That might not be easy because such coverage is expensive. In fact, Kirsten Bay, CEO of Cysurance, which specializes in cyber insurance for small and midsize companies, says such policies range between $35,000 and $60,000 per year for smaller organizations and go even higher for midsize and large enterprises. Coverage usually extends to a handful of officers for that price. But companies can often find ways to add other executives, like CISOs, with a little negotiation, she says.
Bay believes that with increased personal liability for security incidents becoming more of an issue, insurers could start offering packages of cybersecurity, D&O, and E&O policies and extending them to CISOs – much as traditional companies bundle home, life, and auto policies together.
“It makes sense to link them together because not everyone is aware you don’t have D&O and E&O in cyber insurance policies,” she says.
At the end of the day, experts like Marion say they hope the SEC action turns out to be more of a starting point for improving industrywide reporting processes than an exercise in blame and punishment.
“If we could sit down with a handful of relevant policymakers, the SEC, and a consortium of CISOs, we could start to develop a framework for reporting risk and expectations for CISOs themselves,” he says. “That would allow us to remove ambiguity and start to build clarity. It would be a win-win for everyone.”