Posted by Anne-Marie Avalon
October 31, 2023
Recent actions by the U.S. Securities and Exchange Commission (SEC) represent a significant moment for Chief Information Security Officers (CISOs) everywhere. On October 30, 2023, the SEC announced it was bringing charges against Austin, Texas-based software company SolarWinds and its CISO, Timothy G. Brown. This move illustrates a shift in regulatory attitudes, making it clear that CISOs can and will be held personally accountable for cybersecurity lapses. Read more to learn why CISOs are under fire and the new legal frontline in cybersecurity.
The Origins of the SolarWinds Cybersecurity Breach
This case stems from a significant cybersecurity breach that targeted SolarWinds over nearly two years, which U.S. officials have attributed to Russian intelligence services. The intruders exploited vulnerabilities in SolarWinds’ Orion IT monitoring software to compromise multiple high-profile targets, including various U.S. government departments and large corporations.
SEC Alleges Misrepresentation of Cybersecurity Safeguards
The SEC argues that, during the period leading up to the public disclosure of this cyberattack, SolarWinds and Brown knowingly misrepresented the state of the company’s cybersecurity safeguards to shareholders. The regulatory body alleges that both had been aware of specific security flaws, which had been highlighted in internal reports. Despite this knowledge, the SEC claims that SolarWinds and Brown opted to present an overly rosy picture of their cybersecurity landscape, thereby misleading investors.
SolarWinds Refutes SEC Allegations, Cites National Security
A spokesperson for SolarWinds disputed the SEC’s allegations, arguing that the regulatory body’s action could have broader implications for national security. Brown’s legal representation has also emphasized his commitment to enhancing SolarWinds’ cybersecurity posture over his tenure at the company.
The ramifications of these charges are serious.
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
Increasing Legal Risks for CISOs
This development adds to the growing concerns among Chief Information Security Officers (CISOs) about the personal and legal risks associated with their roles, an issue that was previously spotlighted when a former Uber security chief faced legal consequences for his handling of a data breach.
Regulatory bodies like the SEC are now willing to hold CISOs personally accountable for the cybersecurity posture of their organizations. This sets a precedent that extends the risk landscape for CISOs to not only operational and reputational risks but also legal ramifications.
So, what does this mean for CISOs?
In light of the legal complexities surrounding the CISO role, here’s a series of key strategic steps for mitigating risk:
🔑 The Importance of Documentation in Cybersecurity
Documentation is Key: CISOs should maintain meticulous records of security assessments, identified vulnerabilities, mitigation plans, and board-level communications. This paperwork can serve as a defense in case they face legal scrutiny.
🔑 The Role of Board-Level Reporting in Risk Management
Board-Level Reporting: CISOs need to be more assertive in seeking board-level attention for cybersecurity issues, to ensure that there is a top-down approach to risk management. Detailed minutes should be kept of these interactions.
🔑 Being Transparent with Stakeholders and Investors
Transparency with Investors and Stakeholders: Always be transparent about the company’s cybersecurity risks in public disclosures. Avoid making overly optimistic statements that could be viewed as misleading.
🔑 Legal Consultation is Crucial for CISOs
Legal Consultation: Having an attorney with experience in cybersecurity law can be beneficial for navigating the complex legal environment surrounding data protection and disclosures.
🔑 Cross-Departmental Collaboration for Cybersecurity Resilience
Enhanced Collaboration: To ensure all-around cybersecurity resilience, CISOs should work closely with Chief Legal Officers (CLOs) and Chief Financial Officers (CFOs), among others.
🔑 Continual Cybersecurity Monitoring and Adjustment
Continual Monitoring and Adjustment: Cybersecurity is not a ‘set and forget’ function. CISOs need to continually evaluate the risk landscape, adapt to new threats, and update the senior management and the board.
🔑 Third-Party Risk Management in Cybersecurity
Third-Party Risk Management: Given that the SolarWinds attack was a supply chain attack, focus on evaluating the security posture of third-party vendors as well.
🔑 The Role of Cyber Insurance in Risk Strategy
Cyber Insurance: While not a substitute for robust cybersecurity measures, insurance can be a useful part of the risk management strategy.
🔑 Exploring Personal Liability Insurance Options for CISOs
Personal Liability Insurance for Executives: Considering the legal ramifications, CISOs may also want to explore personal liability insurance options.
🔑 Fostering a Security-Aware Employee Culture
Employee Training and Culture: Last but not least, cultivating a security-aware culture can act as a line of defense against many types of cyber incidents.
The New Reality for CISOs
The heightened legal scrutiny means CISOs should exercise extreme diligence, keep robust documentation, collaborate across departments, and most importantly, be transparent about cybersecurity risks and practices.
Understanding the SolarWinds Software Compromise
The SolarWinds cyberattack primarily involved the compromise of the company’s Orion IT monitoring software. Attackers manipulated software updates by inserting malicious code, which then granted them unauthorized access to the networks of various organizations using the compromised software. It should be noted that the initial breach was facilitated by a weak server password, emphasizing the need for strong cybersecurity measures at every touchpoint to include secrets management.
While the primary focus of the attack was to exploit software vulnerabilities for unauthorized access, rather than targeting secrets management systems specifically, the weak server password that facilitated the initial breach serves as a potent reminder of the critical need for comprehensive cybersecurity measures in all areas, including the robust management of secrets.
The Role of Secrets Management in a Holistic Security Posture
Secrets management specifically deals with protecting sensitive data like API keys, passwords, and certificates. In a well-fortified environment, even if an attacker gains access to the system, strong secrets management can make it difficult for them to move laterally or escalate their privileges without the necessary ‘secrets.’
SaaS Secrets Management with Audit-Ready Logging and Tracking for Compliance
For CISOs dealing with an evolving landscape of personal and legal risks, comprehensive logging and tracking is more than just a best practice—it’s a lifeline in the murky waters of legal scrutiny and audits. Akeyless SaaS Secrets Management offers invaluable tools in this area. From complete, time-stamped logs of secret retrievals, modifications, and revocations to compliance support for major global regulations like GDPR, HIPAA, and CCPA, Akeyless is designed to turn audit readiness from a daunting task into a strategic advantage.
Lessons from SolarWinds: The Need for Comprehensive Security Measures
SolarWinds serves as a cautionary tale. It reinforces the need for organizations to bolster all aspects of their security posture, including secrets management. Akeyless, with its robust set of tools and functionalities, adds that essential layer of defense. It offers more than just enhanced protection—it facilitates compliance and audit readiness, making it an indispensable resource for CISOs.
Contact Us for Enhanced Security Solutions
Are you a CISO concerned about the evolving landscape of personal and legal risks? Contact us to see how Akeyless SaaS Secrets Management can add that critical layer of defense, helping to protect both you and your enterprise from potential vulnerabilities.