In a development that is certainly sparking discussions in CISO circles, SolarWinds and its head of information security are being charged with negligence in addressing known cybersecurity risks and with fraudulent reporting intended to inflate the company's stock value.
The SolarWinds breach played out over the course of 2020, but the SEC says that these issues go all the way back to the company’s IPO in October 2018. The agency paints a picture of endemic failure to control serious cybersecurity risks, which in turn opened the door to hackers. Seemingly damning internal memos, emails and presentations point the finger at CISO Tim Brown as playing a central role in all this, but it remains to be seen exactly what punishment he will ultimately face (and how the CISO job market will react).
How much culpability can CISOs face for unmanaged cybersecurity risks?
One aspect of the case seems clear-cut: a willingness to mislead investors as to the capability of the company’s cybersecurity program. That is an obvious source of legal trouble, but the case leaves some question about what CISOs could be facing when a company pressures them to endorse questionable statements of robust security or simply under-resources them to the point they cannot effectively address threats.
This case, and the only prior one related to the CISO role (the conviction of Uber infosec chief Joseph Sullivan earlier this year), unfortunately say little clearly other than that federal regulators may seek to remove people from the career field or make them pay personal restitution if breaches are bad enough. However, both cases involved extremely large and high-profile data leaks that the subjects attempted to cover up from both investors and investigating federal agents; Brown additionally sold a large amount of his company stock ahead of the breach disclosure.
Most CISOs will not face such extreme circumstances in their careers, but may still be left with natural concerns about being made a scapegoat for cybersecurity risks that are organizational in nature. This is the angle that SolarWinds is certainly playing up in its own defense, arguing that the case will set a devastating precedent for the career field. However, it should be noted that Sullivan ultimately only paid a $50,000 fine and received three years' probation, and the SEC does not appear to be seeking jail time for Brown either. Federal agencies, at least at this point, seem focused on removing particularly bad CISOs from their positions and ensuring they do not wind up in a similar job again.
Uber, SolarWinds cases show beginnings of a pattern
If there is one thing that CISOs can take from these cases, it is to document everything and not to sign their names to anything that could be seen as misrepresenting serious cybersecurity risks. That is perhaps easier said than done, but there is nothing wrong with a CISO performing their duties by bringing a serious known risk to the CEO and Board of Directors to be formally addressed.
Brown’s case highlights some specific things NOT to do: ignoring engineers who raise serious cybersecurity risks internally, putting together annual presentations that clearly demonstrate how known risks have not been addressed at all in the past year, and failing to disclose risks that could have a material impact on investments.
Brown and SolarWinds are facing charges under the Securities Act of 1933 and the Securities Exchange Act of 1934. If Brown is held personally liable, his consequences would likely be similar to Sullivan's: removal from his position, no longer being able to work as a CISO, and potentially having to pay some personal restitution to investors who were misled by his statements.