If your business collects data—and let’s be frank, even a cash-only dog-walking service collects data about their shaggy customer base—then you’ve probably spent at least a little time worrying about the consequences of a breach. If you were hacked, what would be the impact on your reputation? On your insurance rates? On your bottom line?
But these days, Chief Information Security Officers (CISOs) and their teams have a lot more to think about beyond breaches. At the risk of playing the Harbinger of Doom role here (it’s a risk for all cybersecurity experts!), there is another area of very serious liability that you may not have thought of: proper governance.
Don’t believe me? Ask SolarWinds and its CISO.
Overview of SEC Charges
On October 30, 2023, the Securities and Exchange Commission (SEC) filed a complaint against SolarWinds Corporation and its CISO, Timothy Brown, alleging securities fraud and internal accounting control violations. The SEC accuses the company of misleading investors about its cybersecurity practices and known risks in the years leading up to the Sunburst supply-chain attack, disclosed in December 2020, in which a backdoor was inserted into builds of SolarWinds' Orion platform and shipped to thousands of customers through legitimate software updates.
The alleged failure to disclose known weaknesses puts a spotlight on something security teams rarely think of as their job: what the company tells investors about its security posture has to match what the security team actually knows. The core of the complaint is not that SolarWinds was breached. It is that the company's public statements, including the Security Statement on its website, described practices such as secure development and strong access controls that internal assessments and employee communications allegedly contradicted. That gap between outward claims and internal reality is the conduct the SEC charged.
The SolarWinds complaint should serve as a wake-up call for C-suite executives, particularly CISOs, that the time has come to actively enforce cybersecurity risk management and control frameworks, and to keep public disclosures consistent with them. It is also a cautionary tale: the SEC alleges that SolarWinds ignored internal warning signs about its security posture from at least its 2018 IPO onward, not only in 2020.
Cybersecurity Governance: A Growing Concern
While the SolarWinds case is indeed a landmark example of the SEC holding executives accountable for cybersecurity misstatements, it didn’t happen in a vacuum. There are other instances where companies and individuals have faced legal consequences for cybersecurity-related misrepresentations.
Equifax disclosed its breach in September 2017: attackers exploited a known, unpatched Apache Struts vulnerability (CVE-2017-5638) to reach the personal data of roughly 147 million people. In 2019 Equifax agreed to a settlement with the FTC, the CFPB and 50 U.S. states and territories worth up to $700 million. This case did not involve fraud charges, but it shows the financial consequences regulators attach to failing to follow basic practices the company had itself committed to, such as timely patching.
Marriott International disclosed in November 2018 that its Starwood guest reservation database had been compromised, initially estimated at up to 500 million guests and later revised to about 339 million. The UK Information Commissioner's Office fined Marriott £18.4 million under the GDPR in 2020 (down from a proposed £99 million), citing inadequate due diligence and monitoring: the intrusion dated back to 2014, before Marriott acquired Starwood. The lesson is the same as Equifax: regulators penalize security lapses, and weak diligence during an acquisition counts as one.
In 2018, Yahoo (by then renamed Altaba) paid $35 million to settle SEC charges that it had failed to disclose its 2014 breach, which affected roughly 500 million accounts, for nearly two years; it was the SEC's first enforcement action over a cyber-incident disclosure failure. Shareholder class actions over the 2013 and 2014 breaches also named former CEO Marissa Mayer and former CFO Ken Goldman. No criminal charges were filed, but the matter established that breach disclosure failures can be pursued as securities violations, which is the theory the SEC now extends to an individual CISO in SolarWinds.
These examples showcase the growing attention paid to cybersecurity-related misstatements and the potential legal repercussions for companies and individuals. SolarWinds is likely to be a key turning point in the evolving landscape of cybersecurity accountability. You should expect to hear more about the evolving field of cybersecurity crisis management in 2024.
The increased scrutiny on C-suite executives, especially CISOs, signals a pivotal moment for the enforcement of cybersecurity governance standards. It coincides with the SEC's cybersecurity disclosure rules adopted in July 2023, which require public companies to report material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining materiality, and to describe their cyber-risk management, strategy and governance in annual reports on Form 10-K. CISOs and other executives with cybersecurity oversight responsibilities therefore need to operationalize these disclosure requirements, diligently evaluate and address cybersecurity risks, and ensure that what the organization tells stakeholders, including investors and customers, about its cybersecurity posture is accurate.
It’s time for CISOs across all industries to get serious about prioritizing cybersecurity governance and ensuring full compliance with regulatory requirements.
Role of CISOs and Boards
CISOs are responsible for establishing and maintaining robust cybersecurity practices, safeguarding sensitive data, and protecting against cyber threats. The case against SolarWinds highlights the personal legal exposure a CISO may now face. The SEC alleges that Timothy Brown, who led SolarWinds' security function from before its IPO (as Vice President of Security and Architecture, later CISO), knew of the gaps in the company's access controls and development practices and was nonetheless among those responsible for the public Security Statement that told investors those practices were sound.
The case also spotlights the importance of real cybersecurity governance and compliance practices, not just documented ones: a comprehensive cybersecurity strategy, resources actually allocated to close the gaps that internal assessments find, and tested response plans for incidents. CISOs and executive leadership must recognize that a proactive approach, with a paper trail showing that identified risks were tracked and remediated or consciously accepted, is what protects the organization from regulatory action, financial loss, and reputational harm.
The charges against SolarWinds also underscore the critical role of directors and board members in ensuring robust cybersecurity measures within their organizations. In light of increased scrutiny on C-suite executives, board members are compelled to actively oversee cybersecurity practices, hold management accountable, and comprehend the potential legal and financial repercussions of cyberattacks.
Best Practices for Cybersecurity Governance
Best practices involve a comprehensive approach that integrates tailored cybersecurity plans and processes. There is really no one-size-fits-all solution here; different types of organizations will have different requirements and needs. For example, a government agency may need to focus on securing sensitive citizen data and critical infrastructure, while a private company may prioritize protecting customer information and its own intellectual property.
Organizations can strengthen their cybersecurity governance program through various proactive measures. One concrete example is multi-factor authentication (MFA): requiring a second factor in addition to a password, such as a code from an authenticator app or a hardware security key, sharply reduces the impact of stolen or reused passwords. Not all second factors are equal, though. Codes sent by SMS can be intercepted through SIM swapping, and any one-time code can be phished in real time, so for administrators and other high-value accounts prefer phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys. MFA also has to be enforced everywhere, including VPNs, build systems and cloud consoles, because attackers look for the one path that lacks it.
Comprehensive cybersecurity training is another proactive measure that helps build a culture of security within your organization. Risk analytics that tie findings from vulnerability scans, audits and incidents back to a tracked risk register let you show which threats were identified and what was done about them, while continuous monitoring and regular reassessment keep controls effective as threats evolve.
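The MFA paragraph above describes one-time codes at the user's end; the part that is easy to get wrong is the server side. Below is an added example, written for this article and not code from SolarWinds or any vendor, of verifying a time-based one-time password (TOTP, RFC 6238) with the checks a careful implementation needs: a bounded clock-drift window, constant-time comparison, and rejection of replayed codes. The secret is the RFC 6238 test-vector key, embedded here only so the example runs offline; real secrets are random per-user bytes stored encrypted.

```python
"""Added example: server-side TOTP (RFC 6238) verification with replay protection.

Illustrative code for this article, not any vendor's implementation. The hotp()
and totp() functions follow RFC 4226 / RFC 6238 (HMAC-SHA1, 30-second step,
6 digits); TotpVerifier adds the policy checks a real login flow needs.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the RFC 6238 test-vector key (ASCII "12345678901234567890").
# Never hard-code a real secret; generate random bytes per user and store them encrypted.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Per-user verifier: one instance holds the replay state for one user's secret."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window              # tolerate +/- this many steps of clock drift
        self._last_counter: Optional[int] = None  # highest time step already accepted

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        # Reject anything that is not exactly `digits` ASCII digits before touching crypto.
        if not (isinstance(code, str) and len(code) == self.digits
                and code.isascii() and code.isdigit()):
            return False
        now_counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            # Replay protection: a step that was already used, or any earlier step,
            # is never accepted again even though it is still inside the drift window.
            if self._last_counter is not None and counter <= self._last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so response timing does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at Unix time 59 the 6-digit SHA-1 code for TEST_SECRET is 287082.
    v = TotpVerifier(TEST_SECRET)
    print(totp(TEST_SECRET, 59))       # 287082
    print(v.verify("287082", 59))      # True
    print(v.verify("287082", 59))      # False: the same code replayed is refused
```

Two design points are worth noting. The replay state is per user and must live in shared storage (a database row or cache entry) in a real deployment, otherwise a second login server would happily accept the replayed code. And the drift window should stay small (one step either side is typical); a generous window multiplies an attacker's chance of guessing, so pair it with rate limiting on failed attempts.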
Sometimes it’s tough to see your own organization clearly, because you are so close to it. That’s why organizations can benefit from the outside, objective viewpoints of security experts like the TMG team. At TMG, we live and breathe cybersecurity and governance. Start the new year off right! Let’s talk about what we can do for your organization.