Cyber Risk Disclosures in Crosshairs as SEC Charges SolarWinds with Fraud

CISOs are on alert as SEC steps up enforcement on cyber breach disclosures

The Securities and Exchange Commission has left some cybersecurity professionals and chief information security officers “spooked” following news that the agency in late October charged SolarWinds Corporation and its CISO Timothy G. Brown with fraud and internal control failures for allegedly ignoring “repeated red flags” and misleading investors for years about the company’s cybersecurity risks and vulnerabilities — issues that eventually led to a 2020 supply chain cyberattack.

You’re forgiven if you don’t recall the SolarWinds breach with great clarity, as details emerged alongside the other pressing headlines in 2020. To recap, Russian hackers launched a massive online attack on SolarWinds through the software company’s IT platform to infiltrate the networks of nine government agencies and roughly 100 companies. The attack is considered to be the largest and most sophisticated cybersecurity event in history.

As part of its response to the breach, SolarWinds filed a form 8-K with the SEC in December 2020 that provided only a vague description of the incident and offered very little information about the software involved and the mechanics of the attack.

The SEC found the company’s explanations lacking and charged SolarWinds and its CISO with fraud. The agency alleges that beginning in October 2018 to “at least” January 12, 2021, SolarWinds and Brown knew about specific deficiencies in the company’s cybersecurity practices and the “increasingly elevated risks” the company faced, but they “engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

SolarWinds in a rebuttal posted November 8 “categorically” denied the SEC’s allegations and vowed to “clarify the truth in court.”

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” a SolarWinds spokesperson said in a statement. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country.”

The potential liability for CISOs has cybersecurity executives more than a bit nervous. Former Uber CISO Joe Sullivan, who was sentenced in May to three years of probation for his involvement in a 2016 data breach at the company, wrote that the corporate information security executive community “shook in its boots” after the SEC announced its charges against Brown and SolarWinds. He called for the SEC to “attempt regulation through rulemaking rather than through ugly and costly enforcement actions that target IT professionals for doing their jobs.” And Jessica Sica, CISO at communications software company Weave, said she is concerned that the SEC’s decision to charge Brown could push candidates away from the CISO role entirely. “It will likely have a chilling effect,” she said.

The SEC’s enforcement action against SolarWinds was announced just weeks before the agency is set to begin enforcing its new cybersecurity rules for publicly traded companies. The new rules require companies to disclose material cyber incidents within four business days and to share details about their cybersecurity programs in annual reports. Some security executives are concerned about how the SEC intends to use cyber incident disclosures, though, and whether the agency will use them to hold CISOs liable for cyberattacks.

Considering the SEC’s continued focus on cybersecurity issues, it is worth noting that cyberattacks are unlikely to slow anytime soon. Boeing recently confirmed it is dealing with a “cyber incident” in which attackers had targeted elements of Boeing’s parts and distribution business.