{"id":3747,"date":"2024-05-24T08:51:48","date_gmt":"2024-05-24T13:51:48","guid":{"rendered":"https:\/\/www.darkreading.com\/cyber-risk\/the-sec-solarwinds-case-what-ciso-should-do-now"},"modified":"2024-05-24T08:51:48","modified_gmt":"2024-05-24T13:51:48","slug":"the-secs-solarwinds-case-what-cisos-should-do-now","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/24\/the-secs-solarwinds-case-what-cisos-should-do-now\/","title":{"rendered":"The SEC&#8217;s SolarWinds Case: What CISOs Should Do Now"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/bltc1a0276e623f6a44\/65aaa12fbc4376040a01422c\/ciso_Zhanna_Hapanovich_shutterstock.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">COMMENTARY<\/span><\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In October 2023, the Securities and Exchange Commission (SEC) dramatically altered the landscape for security professionals by initiating a groundbreaking lawsuit against SolarWinds Corp. and its chief information security officer (CISO). The case was notably the first time the SEC has charged a CISO individually in an enforcement case and has many security leaders questioning what immediate steps they should take to protect both themselves as individuals, as well as their organizations, against similar litigation.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Most everyone working in cybersecurity today is aware of the SolarWinds breach, which occurred in 2020, when a threat actor gained unauthorized access to the networking company&#8217;s environment and planted malware in its Orion software. SolarWinds unknowingly disseminated the Orion update containing the malware to customers.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Late last year, the SEC sued SolarWinds and its CISO, Timothy Brown, alleging both made false and misleading statements to investors about SolarWinds&#8217; cybersecurity risks, practices, and vulnerabilities in documents filed with the SEC, in a \u201cSecurity Statement\u201d posted to the company\u2019s website, and in various other media, including press releases, podcasts, and blog posts.&nbsp;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"What Should CISOs Do?\">What Should CISOs Do?<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The SEC&#8217;s case may take years to resolve through litigation, but here are five action items all public company CISOs should consider now.<\/span><\/p>\n<div data-component=\"basic-list\" class=\"BasicList BasicList_nestedLevel_0 BasicList_variant_unordered BasicList_limited\">\n<ul data-testid=\"basic-list-unordered\" class=\"BasicList-UnorderedList\">\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"7\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"9\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">Establish a clear line of communication with the CFO and financial reporting team.<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> The SEC reporting and information security functions must be closely aligned. Coordination is especially important in light of new 8-K reporting rules for material cybersecurity incidents.&nbsp;<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"9.5\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"14\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">Ensure statements intended for customers or vendors are subject to comparable levels of review as those intended for shareholders.<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> It is a common misconception that liability under the US securities laws attaches only to statements made in SEC filings.&nbsp;As the SolarWinds case shows, the SEC takes the position that all public communications \u2014 including blog posts, press releases, and oral statements \u2014 can influence the total mix of information for investors. There is a fine line between marketing puffery and potentially misleading investors, and all public statements must be crafted with investors and potential securities liability in mind.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"8.5\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"12\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">Be certain that information security policies and controls are state of the art. <\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">One of the most controversial elements of the case is the SEC&#8217;s allegation that by engaging in this misconduct, SolarWinds did not maintain adequate internal accounting controls over its financial reporting. However this issue is ultimately resolved via litigation, the SEC may look to bring similar claims in the future against other companies. CISOs should also take stock of insurance and corporate indemnities available to them.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"7\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"9\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">Team with internal audit and other assurance providers. <\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Testing systems can make them more resilient, and having more than one set of eyes on external communications can help mitigate errors.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"8\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"11\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">When in doubt, consult counsel.<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> The SEC&#8217;s views on cybersecurity are complex and rapidly evolving. When novel or uncertain fact patterns emerge, be sure to discuss them with cybersecurity counsel experienced in SEC matters.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The SEC prioritizes investor protection when addressing cybersecurity breaches, which often involve complex issues like data privacy and national security. Recently, the SEC has mandated that public companies enhance transparency by reporting cybersecurity oversight in annual reports and disclosing significant incidents within four business days. It will be interesting to see how things play out with the SEC, but there is no question that these cases are setting a precedent that could reshape how cybersecurity disclosures are handled across industries, underscoring the increasing importance of transparency and accountability in the digital age.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cyber-risk\/the-sec-solarwinds-case-what-ciso-should-do-now\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>COMMENTARY In October 2023, the Securities and Exchange Commission (SEC)<\/p>\n","protected":false},"author":12,"featured_media":3748,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3747","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?fit=1000%2C584&ssl=1",1000,584,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?fit=300%2C175&ssl=1",300,175,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?fit=640%2C374&ssl=1",640,374,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?fit=640%2C374&ssl=1",640,374,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?fit=1000%2C584&ssl=1",1000,584,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?fit=1000%2C584&ssl=1",1000,584,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?fit=1000%2C584&ssl=1",1000,584,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/the-secs-solarwinds-case-what-cisos-should-do-now.jpg?fit=1000%2C584&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3747"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3747\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3748"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}