2024-01-04

In a landmark enforcement action that has become a transformational moment for CISOs and corporate cybersecurity practices, the US Securities and Exchange Commission (SEC) charged the SolarWinds Corporation and its CISO, Timothy Brown, with fraud and financial disclosure failures related to their cyber risk management practices. This case, stemming from the infamous SUNBURST cyberattack, highlights the grave consequences of inadequate cybersecurity risk management and disclosure practices. The development and implementation of a defined cyber risk management program will be necessary to protect against this new liability.

The SUNBURST attack, attributed to Russian state-sponsored hackers, exploited vulnerabilities in SolarWinds' network to insert malicious code into the company's Orion software, affecting over 18,000 global customers. Internal communications revealed that Brown and SolarWinds employees were aware of significant cybersecurity deficiencies, including issues in developing secure products and access control failures. Despite this knowledge, SolarWinds posted what the SEC said were misleading statements about its cybersecurity practices, suggesting a more secure environment than what existed internally.

The SEC’s complaint alleges that from at least October 2018 through January 2021, SolarWinds and Brown engaged in a series of misstatements and omissions, painting a false picture of the company's cybersecurity controls and exposing investors to undisclosed risks. The SEC’s action against Brown marks a significant shift, holding individuals personally liable for cybersecurity-related disclosure deficiencies. Unlike other cases based on claims of negligence and poor security hygiene, the fundamentals of this case revolve around risk management, in particular the ability to properly identify risks, escalate those risks, and meet mandated disclosure obligations. This case underscores the critical need for CISOs to move beyond ad-hoc risk practices and implement clearly defined cyber risk management programs in order to navigate these heightened regulatory expectations effectively.

Current cyber risk management practices often lack a systematic approach and instead rely on ad-hoc risk tools and processes. These are supported by governance structures that function merely as bodies that are kept informed, failing to fulfill their intended purpose of providing effective oversight of a cyber risk management program. The absence of a standalone, clearly defined cyber risk program exposes executives, board members, and now CISOs to these emerging obligations.

SEC focuses on risk management disclosures to protect investors

The SEC over the last few years has been consistent with its expectation that enterprises develop and implement mature cyber risk management programs. In 2018 it said "We believe disclosures regarding a company's cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area."

The commission has since codified this guidance into its new cyber risk disclosure rules. On July 26, 2023, the SEC adopted final rules that fundamentally reshape how public companies approach and disclose their cybersecurity practices. International securities regulators have established similar oversight obligations, which have become common expectations that carry a significant accountability burden.