Heat increases on CISOs as the SEC brings charges against SolarWinds and its CISO over Sunburst cybersecurity incident
The Securities and Exchange Commission filed charges of fraud against SolarWinds and Timothy Brown, its Chief Information Security Officer, over alleged false statements to investors regarding the Sunburst cybersecurity incident and SolarWinds’ overall security posture and practices.
The SEC alleges that between SolarWinds’ October 2018 IPO and December 2020 announcement of the hack, SolarWinds “[a]t no point…disclose the numerous risks, vulnerabilities, and incidents affecting its products in its SEC filings or elsewhere.”
Essentially, the SEC is accusing SolarWinds and Brown not merely of putting a positive spin on their cybersecurity posture, but of factually and materially misrepresenting it. These fraud charges require the defendant’s knowledge of the truth and an intent to hide or misstate it. Additionally, it bears mentioning that several of SolarWinds’ 18,000 impacted clients were federal agencies, including the Office of the President, the Department of Defense, the State Department, the Federal Reserve, and the Department of Homeland Security, among others.
An Escalating Trend
It is unclear how the SEC’s case against SolarWinds and Brown will play out, but what is clear is that federal and state regulators have taken increasingly aggressive action when organizations factually misstate or hide material failings in cybersecurity.
Uber, for example, was the first to shake up the industry. Uber and its chief information security officer (CISO) actively covered up a material incident with a secret payment to the threat actors. This six-figure payment also came with a ridiculous demand that the threat actors sign non-disclosure agreements, in addition to withholding material information from the FTC. Ultimately, Uber’s CISO, Joseph Sullivan, was convicted of two felony counts in connection with the event. Although he faced significant prison time, Sullivan was ultimately sentenced to three years’ probation and a $50,000 fine. It was a landmark conviction.
There are clear distinguishing features between the Uber case and the allegations in the SEC’s complaint against Brown, but the significance of both is the government’s willingness to pursue companies and their CISOs, individually, for misdeeds connected with the handling of cyber incidents.
A Path Forward for CISOs
The moral of the story for CISOs is this: if you are aware of vulnerabilities or shortcomings in your organization’s cybersecurity posture, lay them out for the executives. Document what is there, and do not sign your name to documents that you know to be materially false. The stresses that CISOs are under can be immense, and there is certainly pressure to paint a rosy picture for executives, but as the SEC complaint shows, the alternative could be much more severe.
If you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national data privacy and cybersecurity team. You can also find additional legislative updates by going to McDonald Hopkins' Legal Insights page.