Clifford Chance

Cyber

Talking Tech

The SEC's Evolving Cybersecurity Enforcement Landscape: CISO Liability

Cyber Security Fintech 12 January 2024

On October 30, 2023, the Securities and Exchange Commission (SEC) charged SolarWinds Corp. (SolarWinds) and its Chief Information Security Officer (CISO) with violations of the Securities Act of 1933, the Securities Exchange Act of 1934, and applicable rules thereunder, relating to alleged actions by SolarWinds to conceal supposedly deficient cybersecurity practices from its shareholders and regulators through material misstatements and omissions in its public filings (the SEC Action).

Background

The SEC Complaint alleges that in January 2019, following its initial public offering, unauthorized individuals accessed SolarWinds' virtual private network (VPN) by exploiting an unmanaged third-party device and using stolen login credentials. According to the SEC, this unauthorized access persisted from January 2019 through approximately November 2020, and resulted in malicious code being distributed to SolarWinds' customers. The SEC alleges that SolarWinds became aware of the breach in mid-2020, but did not publicly disclose the attack in a Form 8-K filing on December 14, 2020.

The cyberattack revealed the true state of SolarWinds' cybersecurity practices. The company's Security Statement and SEC filings (Forms S-1, S-8, and 8-K) boasted of supposedly strong cybersecurity practices related to the company's readiness, procedures, and capabilities. As part of its investigation, however, the SEC determined that those earlier public statements were misleading. SEC investigators found inconsistent and conflicting findings regarding the strength of SolarWinds' cybersecurity practices. SolarWinds allegedly failed to implement certain cybersecurity practices required by its own Security Statement (e.g., a secure development lifecycle, password standards, and access controls) and by other industry standards (e.g., NIST). The CISO also allegedly made multiple statements about the risks in the company's cybersecurity infrastructure, including a statement in an internal presentation about the vulnerable state of the company due to security concerns. Further, the SEC found internal correspondence, including by the CISO, that referenced cybersecurity issues and a poor security posture. SolarWinds and its CISO were alleged to have concealed the company's poor cybersecurity practices and its heightened—and increasing—cybersecurity risks through misstatements, omissions, and schemes.

The SEC's decision to bring action against the CISO is attributed to:

  • the materiality of the hack
  • the widespread financial implications for the company
  • the SEC's evolving standards for cybersecurity compliance.

While other US authorities have brought claims against security executives - for example, in October 2022, a jury found a former Chief Security Officer of Uber Technologies, Inc. guilty of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with an alleged cover-up of a hack and data breach involving millions of Uber user records - this is the first SEC enforcement action brought directly against a cybersecurity executive. Moreover, even CEOs and CFOs have not been charged personally by the SEC for cybersecurity-related violations. More importantly, together with the revised SEC Cybersecurity Disclosure Rule (see our article: SEC adopts new cybersecurity disclosure requirements), the SEC Action makes clear the SEC's increased focus on compliance with cybersecurity requirements, and its willingness to hold CISOs individually accountable.

Key Takeaways

The SEC Action against the CISO demonstrates the continued expansion of the use of the Sarbanes-Oxley Act (SOX) to bring enforcement actions against corporate executives beyond the CEO and CFO roles. SOX, enacted in the wake of corporate scandals like Enron and WorldCom, introduced more specific individual requirements on corporate executives associated with the company's financial reporting and disclosure requirements under applicable securities law. Similarly, this SEC Action highlights the increasing importance of cybersecurity in today's digital landscape. CISOs are now under heightened scrutiny to ensure their organizations have robust cybersecurity measures in place and to promptly report and address security breaches. Senior executives must remain vigilant and proactive in addressing critical aspects of their organizations' operations to protect stakeholders and maintain public trust.

The SEC Action underscores the importance of clearly defining the CISO role and the expectations for identifying and managing cyber risk. The CISO's work must be informed by other relevant executives and business areas so that it reflects the wider corporate objectives and risks. Proactive coordination within an organization is crucial to ensure that the CISO's guidance is aligned with the priorities and obligations of the wider corporation. Close alignment with other internal departments ensures that security is integrated into the organization's overall strategy and operations, reducing cybersecurity risks and safeguarding critical assets.

Key considerations for the CISO role:

  • Coordination with Legal. Coordination with the legal department will bolster the CISO's ability to interpret and navigate the complex legal and regulatory landscape related to data protection, privacy laws, and issuer disclosure requirements under securities laws.
  • Coordination with Auditors and IT. Working with the audit department will enable the CISO to effectively assess and monitor security controls and compliance with industry standards. Close collaboration with the Office of the Chief Information Officer (CIO) is also critical to align IT strategies with the company's overall security objectives.
  • Alignment with Procurement. Collaboration with the procurement team is crucial for vetting and selecting secure technology solutions and vendors, and as such the CISO's involvement in the procurement process is key to implementing an effective cybersecurity strategy with regard to third party services and technologies used by the organization.
  • Liaise with Human Resources. Liaising with the human resources department allows the CISO to implement organization-wide employee information security training and awareness programs.

Consider how the CISO role and corresponding responsibilities are allocated in your organization. Does the CISO have sufficient autonomy to: (1) escalate critical vulnerabilities to the highest levels of the organization, (2) lead efforts to mitigate cyber risk, and (3) continuously evolve the company's cyber practices and risk framework to adjust for the changing threat landscape?
  • Authority to Escalate and Report. The CISO should have the authority to escalate security issues to the highest levels of leadership when necessary, ensuring that critical security concerns are promptly addressed and that appropriate resources are allocated to mitigate risks. With respect to reporting, CISOs must be given the opportunity to be proactive in the preparation of disclosure statements, especially in the event of a security breach or incident, so that accurate and timely information reaches stakeholders and regulatory authorities. To maintain transparency and trust, it is critical that the CISO be empowered to disclose security-related information as needed, fostering a culture of openness and accountability within the organization.
  • Focus on Mitigation Strategies. The CISO should be well-equipped to mitigate cybersecurity events effectively, and securing adequate funding is a critical aspect of this readiness. To accomplish this, the CISO's cybersecurity strategy should address the specific security measures, technologies, and resources required to mitigate cyber threats. The CISO should be able to communicate, and where possible quantify, the potential financial and reputational risks associated with cybersecurity incidents to the executive leadership and the board of directors, making a compelling case for investment in cybersecurity initiatives. By demonstrating the value of proactive cybersecurity measures and effectively advocating for the necessary resources, the CISO can enhance the organization's ability to prevent, detect, and respond to cyber threats.
  • Ability to Foster Continuous Improvement. To stay ahead of evolving cybersecurity threats, the CISO must have the autonomy to continually evolve the cybersecurity program. One essential mechanism for improvement is regular vulnerability assessments and penetration testing to identify (and in turn mitigate) weaknesses in the organization's defenses. Continuous monitoring of network traffic and system logs, including adopting the most current advances in these tools, can help detect unusual activities and potential threats in real time. Collaboration with industry peers and participation in threat-sharing communities can provide valuable insights into emerging threats. Implementing threat intelligence feeds and automated threat detection tools can also enhance the ability to identify and respond to new vulnerabilities and attack vectors promptly. Additionally, fostering a culture of cybersecurity awareness among employees and conducting ongoing training and education programs ensures that the entire organization is vigilant and proactive in identifying and reporting potential security issues. Remaining stagnant in the face of evolving threats can be as detrimental as taking no action at all, making a dynamic and adaptive approach to cybersecurity essential for safeguarding the organization's assets and reputation.