With the US Securities and Exchange Commission (SEC) having sued the CISO of SolarWinds, and federal prosecutors having convicted Uber's former CISO, security executives feel the pressure to be absolutely precise when writing up security incidents that the company has decided are material. Things get tricky because even if the CISO's report is perfect, someone up the line (the CEO, the CFO, general counsel, or even a board member) might make a change that the SEC finds problematic and possibly fraudulent.

Here's the big problem: if the CISO sees the final version and realizes that the filing is misleading the SEC, that CISO can't just sit back and say, "Well, what I wrote was fine. If the CEO makes a change, that's on the CEO." Federal securities law gives the CISO a protected channel for reporting that fraud to the SEC, and a CISO who knowingly stays silent about a misleading filing risks being treated as a participant in the fraud rather than a bystander, with the corresponding legal exposure.

As bad as that may seem, it's worse. Whistleblower protections attach only when the report rests on a reasonable belief that a securities violation actually occurred. If the CISO's reading of the filing turns out to be wrong and that belief cannot be defended, the protections fall away, and there is little to stop the company from retaliating however it chooses.

This gets worse yet. Determining whether a filing is truly fraudulent is remarkably complicated for a CISO. First, enterprises are permitted to withhold details in some key areas, for example where disclosure would reveal too much to potential attackers or where the information is preliminary and might turn out to be incorrect. Second, these disclosure rules are brand new, and the SEC is likely to give CEOs and CFOs a lot of leeway, at least initially, in deciding what to share.

The risks to CISOs are not clear but very real

"The SEC has not been clear enough [about] what is required from the CISO and from management. The process is usually owned by legal and never the CISO's office," said Michael Oberlaender, a former CISO with Sudzucker AG, Heidelberg Americas, and FMC Technologies, among others.

In short, if the CISO does not report fraud, the CISO could be in legal trouble. If the CISO does report alleged fraud to the SEC and is wrong, the CISO could be in serious corporate trouble.