Why CISOs Should Pay Attention to SolarWinds SEC Allegations

Attorney Discusses Impact of Charges Against CISO Tim Brown in Wake of 2020 Breach
The fallout from the U.S. Securities and Exchange Commission's charges of fraud and internal control failures against SolarWinds and its CISO has implications for the entire industry. Jonathan Armstrong, an attorney with Cordery Compliance, advises security leaders "take heed and remember that the actions of today can determine your fate tomorrow."
SEC regulators filed charges Monday accusing SolarWinds and CISO Tim Brown of misleading investors about the company's cybersecurity practices and risks - disclosing only generic and hypothetical risks even though they knew about specific issues. The SEC charges come nearly three years after SolarWinds in December 2020 disclosed that its Orion network monitoring product had been compromised in an attack that was later attributed to hackers from the Russian Foreign Intelligence Service. Nine federal agencies were compromised.
"Misstatements, omissions and schemes concealed both the company's poor cybersecurity practices and its heightened - and increasing - cybersecurity risks," the SEC alleged in a complaint filed in the Southern District of New York.
"As the SEC and other regulators seek to set examples, it's a stark reminder that the responsibility of safeguarding data and ensuring transparency should never be taken lightly," Armstrong said. "Be vigilant in your role as protectors and guardians of your organization's integrity."
"As security leaders, it's our duty to bridge the gap between resource needs and systemic issues, to communicate clearly with our organizations and to confront the challenging discussions with boards," he said. It's crucial to prioritize not just the protection of our networks but also to emphasize the significance of the CISO's role and expertise, he added. Equally important is ensuring that corporate boards are adequately equipped to accurately assess the risks posed by cybersecurity threats.
In this video interview with Information Security Media Group, Armstrong discussed:
- A breakdown of the key allegations made by the SEC against SolarWinds and its CISO;
- The potential consequences Brown may face if the allegations are proven true and what this could mean for other security leaders in similar positions;
- How security leaders can strike a balance between reassuring investors and being transparent about their organization's cybersecurity challenges.
Armstrong, an experienced lawyer with Cordery in London, is an expert on data protection and data security law. He advises multinational companies on risk, compliance and technology.