SolarWinds of Change – How the SEC Ruling Affects the Future of InfoSec Officers

Cybersecurity is more than a technical issue, as it has legal and financial implications for companies and investors. The recent U.S. Securities and Exchange Commission (SEC) charges levied against SolarWinds Corporation and its chief information security officer illustrate the serious consequences of failing to disclose and manage cybersecurity risks and incidents in accordance with federal securities laws and the SEC’s rules on internal controls over financial reporting.

The SEC’s complaint focuses on SolarWinds and its CISO misleading investors about the company’s cybersecurity practices and risks, in relation to a cyberattack that compromised its Orion software and affected thousands of its customers, including federal agencies and Fortune 500 companies. The SEC alleges that SolarWinds and its CISO violated the antifraud provisions of the federal securities laws and the SEC’s rules on internal controls over financial reporting by making statements “overstating its capabilities” and “understating or failing to disclose known risks.”

The SEC’s enforcement action sends a clear message that companies and their executives will be held accountable for failing to protect investors from cybersecurity risks and incidents.

This case shines a light on the potential liability of chief information security officers for their role in ensuring the security of their company’s information systems and data, as well as in complying with relevant laws and regulations. Chief information security officers have an obligation to report cybersecurity risks or incidents to senior management, the board of directors, and the SEC, as well as to implement appropriate mitigating or remedial actions. Their duty also involves maintaining accurate documentation of their cybersecurity policies, procedures, assessments and incidents. Chief information security officers who fail to fulfill these obligations could face civil or criminal liability, reputational damage and loss of trust from customers, partners, regulators and investors.

It further highlights and shapes the expectations and responsibilities of chief information security officers relating to their cybersecurity governance, risk management, and compliance capabilities. Information security officers need to ensure that their company has robust cybersecurity frameworks aligned with industry best practices and standards. They also need to conduct regular cybersecurity audits, assessments and tests to identify and mitigate vulnerabilities and threats in their information systems and data. Additionally, they need to establish effective communication channels and protocols with internal and external stakeholders so that cybersecurity incidents or issues are reported in a timely and transparent manner.

This complaint could affect the demand for and value of cybersecurity insurance for information security officers. Cybersecurity insurance covers the costs associated with cyberattacks, such as data breach response, legal fees, regulatory fines, business interruption, reputational harm and cyber extortion. Cybersecurity insurance could also provide access to expert services such as forensic analysis, crisis management, public relations and legal counsel.

Cybersecurity insurance, however, is not a panacea. It has its limitations and challenges, and it does not absolve information security officers of their responsibility to implement effective cybersecurity measures and comply with applicable laws and regulations. It is a supplement to, not a substitute for, sound cybersecurity governance, risk management and compliance capabilities.

It is imperative for information security officers to take proactive steps to enhance their cybersecurity posture and performance, and to foster a culture of transparency and accountability within their organization. They should also carefully review their cybersecurity insurance policy to ensure adequate coverage for their needs. Doing so strengthens an information security officer’s ability to protect their company’s data, information assets and reputation, while also safeguarding their own professional reputation and career.