The Securities and Exchange Commission shook up the cybersecurity community this week when it announced it was charging not only SolarWinds but also its Chief Information Security Officer (CISO) with fraud for a 2020 cybersecurity incident.  

The SEC alleges that the company and its CISO misrepresented its cybersecurity posture going as far as saying the company lied to its investors by “overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”  

SolarWinds was at the center of a December 2020 hack that affected multiple U.S. government agencies. The 2020 SolarWinds hack affected several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy, and more. The U.S. government has attributed the incident to the Russian Foreign Intelligence Service.

The SolarWinds executive is not the first C-suite executive targeted by the federal government in the past year. In May, a judge sentenced the former chief security officer (CSO) at Uber to three years’ probation for a 2016 incident in which the government accused the CSO of obstructing an active Federal Trade Commission (FTC) investigation into Uber’s security practices and concealing the cyberattack. The sentence was likely the first time a security executive faced criminal charges for mishandling a data breach.

The Uber conviction, and this week’s SolarWinds indictment, sent a chilling message to the cybersecurity community. How culpable should executives, specifically security executives, be when it comes to company incident response?


When it comes specifically to security executives, often they are beholden to higher executives such as a CEO or a board of directors. This means they can be overruled, especially in critical moments of a response. Additionally, could the threat of punitive damages in the case of mishandling incident response dissuade professionals from taking CISO roles? This would be incredibly detrimental to a profession that is already lacking qualified people to fill high profile roles.   

A survey by Proofpoint found that 60% of CISOs in the U.S. had experienced burnout in the past 12 months, and 62% say they are concerned about their own personal liability.

CISOs are facing an overwhelming number of responsibilities including navigating increasing regulatory hurdles and scrutiny. Add the potential of punitive damages or even jail time to this list and what does that mean for the future of the role and the potential that qualified individuals will want to take CISO roles, especially in high profile or publicly traded companies?    

Late last year, a former Twitter security executive blew the whistle on what allegedly were less than ideal cybersecurity practices by the social media company, which has since been rebranded as X. The allegations included a lack of adequate network logging and that Twitter had misrepresented the stability of its data centers and recovery plans to the SEC.

Often, security issues at companies go beyond their security executives. Security executives can’t necessarily force other executives or boards of directors to care about cybersecurity. They can do their best, but at the end of the day, it is usually people outside the security function who control the purse strings.

The above cases highlight the need for transparency. In the past, high profile security incidents were less common. Today, they splash the headlines. A recent example is the way vulnerabilities in MOVEit’s file transfer software impacted private and public sector organizations, including potentially revealing the personal information of nearly every citizen of Louisiana.   

Trying to cover up an incident has always been reckless, but today it’s criminal. It is important for security executives to be transparent throughout an incident. Information sharing has become easier. The Cybersecurity and Infrastructure Security Agency (CISA) has done a good job of creating resources that organizations can use to share information during an incident or potential incident.

Of course, the threat of punitive action does not make anyone want to be transparent. It seems rather counterproductive. However, if you are open about what occurred and how you are trying to fix it, people and regulatory bodies will likely be more forgiving than they would be if they find out afterwards that there were efforts at concealment.

During an incident, make sure you are documenting the steps you are taking to mitigate it. Be sure, as well, to hold an after-action meeting so you can review how the event unfolded and how well you responded. This protects you as well as your organization. It should be completed within a reasonable timeframe after the incident, while the event is still fresh in everyone’s mind.

As a CISO, you may want to consider having a non-company legal representative you trust on retainer. Then, if you run into a situation where you are asked to do something that does not sit well with you or that you feel could be construed as unethical, you can ask for consultation and advice that is not biased toward the company.

CISOs should make sure their employers offer them the same cyber protection through directors and officers (D&O) liability insurance as the C-suite and board members receive.  

Disclosure requirements for cybersecurity incidents are currently muddled in a hodgepodge of state, federal, and international regulations. This makes it increasingly difficult for CISOs to understand what they are responsible for disclosing during an incident. This probably will not change any time soon.

This means CISOs need to prepare proactively by considering their liability in the event of a cyber incident, ensuring they document as much as they can during an incident, and being as open as possible with authorities while it unfolds.

About the Author

Corey White is a consulting services lead at Future Point of View. He focuses on cybersecurity, artificial intelligence, and data privacy. From guiding organizations on building robust incident response plans to identifying and remediating risk and even monitoring the deep and dark web for information, Corey has vast experience in keeping organizations and individuals safe in an increasingly complex, critical, and dangerous digital landscape.