In a landmark move, the U.S. Securities and Exchange Commission (SEC) has charged SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy Brown, with fraud and internal control failures relating to the company's cybersecurity practices and disclosures in the years leading up to the cyberattack made public in December 2020.
This is the first time the SEC has brought charges against a company's CISO in connection with a cybersecurity incident. The action elevates cybersecurity governance to the same level of scrutiny, and potential punishment, as insider trading and other financial misconduct.
The 2020 SolarWinds hack was a major software supply-chain attack that affected thousands of organizations worldwide. A Russian state-sponsored group compromised SolarWinds' build environment and inserted a backdoor into legitimately signed updates of its Orion IT management platform. Customers who installed the trojanized updates unknowingly gave the attackers a foothold inside their own networks, from which the attackers could reach and steal sensitive data.
It was one of the most sophisticated and widespread cyberattacks on record. The trojanized updates circulated for months before the intrusion was discovered in December 2020, and it took further months for investigators to establish the full extent of the attack. The damage is still being assessed, and the incident has changed how organizations think about cybersecurity and the software they trust.
The SEC alleges that SolarWinds and Brown misled investors about the company's cybersecurity practices, failed to disclose known cybersecurity risks, and lacked adequate internal controls to prevent and detect cyberattacks.
The SEC’s complaint alleges that SolarWinds and Brown made a number of false and misleading statements about the company’s cybersecurity practices, including:
- Overstating the company’s cybersecurity expertise and experience
- Misrepresenting the company’s ability to detect and respond to cyberattacks
- Failing to disclose known cybersecurity risks, including vulnerabilities in the company’s Orion software product
The SEC also alleges that SolarWinds and Brown had inadequate internal controls to prevent and detect cyberattacks, including:
- Failing to implement adequate security controls to protect the company’s systems and data
- Failing to adequately monitor the company’s systems for suspicious activity
- Failing to conduct regular security assessments and vulnerability scans
The SEC's charges against SolarWinds and its CISO, Timothy Brown, mark a significant shift in how the agency views cybersecurity. For the first time, the SEC has charged a CISO personally for cybersecurity-related misconduct, and it is pursuing the case with the scrutiny and potential penalties it would apply to insider trading or other serious financial crimes. Among the remedies it seeks is an officer-and-director bar against Brown, which would carry serious career and reputational consequences.
This raises the question of how a company indemnifies and protects its CISO. Corporations have standard indemnification agreements, but will they fully cover and protect the CISO? A follow-on question arises as boards identify who their cyber expert is and how they define that expertise: will the board's designated cyber expert be targeted in a derivative suit, or face scrutiny beyond what any other director receives?
This shift signals a growing recognition by the SEC that cybersecurity is not just a technical issue. Breaches can materially affect a company's financial performance, and the SEC is now holding companies and their executives accountable both for failing to take adequate steps to protect their systems and data and for how they describe those steps to investors.
The SolarWinds case is likely to have a chilling effect on other companies, which now know they could face serious consequences for failing to take cybersecurity seriously. This is likely to drive increased investment in cybersecurity by companies of all sizes seeking to avoid the same fate as SolarWinds.
Beyond the financial risk, the SolarWinds case shows that failing to take proper steps on cybersecurity carries significant reputational risk for companies and their executives. The SEC's charges make clear that cybersecurity is now a top priority for the agency, and companies that fall short of its expectations could face significant reputational damage.
Key Insights and Takeaways for Boards of Directors
If you are a director, there are several key takeaways from the SEC's charges against SolarWinds and its CISO, Timothy Brown:
1. Cybersecurity is a critical issue that must be addressed at the highest levels of corporate governance. Directors must take an active role in overseeing the company's cybersecurity posture and ensuring that it has adequate resources and expertise in place to manage cyber risk. As a best practice, the full board may want to implement a quarterly cyber risk review.
2. Directors must hold management accountable for cybersecurity performance. This includes ensuring that management has a clear understanding of the company's cyber risks, that a strong cybersecurity culture is in place, and that the company is taking appropriate steps to mitigate those risks. Directors would be well served to have management define specific escalation thresholds: at what level do the IT teams escalate an issue to the CISO? To the CEO? To the board?
3. Directors must be aware of the potential legal and financial consequences of cyberattacks. The SEC's charges against SolarWinds' CISO demonstrate that individual executives can be held personally liable for cybersecurity failures, and directors should expect similar scrutiny of their own oversight.
In light of these takeaways, directors may want to consider adding the following topics to the next board meeting agenda:
1. The company’s current cybersecurity posture including an assessment of the company’s cyber risks, the adequacy of its cybersecurity controls, and the effectiveness of its cybersecurity training and awareness program.
2. The cybersecurity strategy/plan for mitigating cyber risks, investing in cybersecurity resources, and responding to cyberattacks.
3. A review of the allocation of resources for cybersecurity / ensuring that the company is devoting adequate resources to cybersecurity, including funding, personnel, and training.
4. Directors may want to ask management whether the company has a robust process for identifying, assessing, and managing cyber risks. Preventing a breach is only part of the process; there also needs to be a plan for resilience after a breach. What is the plan to contain an attack? What are the backup plans to get the business operational as quickly as possible after a cyberattack?
5. Directors may want to ask management to run a tabletop exercise that walks through the plan for responding to a cyberattack, including procedures for data recovery, crisis communications, and regulatory reporting.
Overall, the SEC’s charges against SolarWinds and Brown are a watershed moment for cybersecurity. The case has sent a clear and chilling message that companies and their executives will be held accountable for failing to take adequate steps to protect their systems and data.