Black Hat , CISO Trainings , Events

SolarWinds Fallout: Legal Risks for CISOs Intensify

Jess Nall of Baker McKenzie on New SEC Rules and Cybersecurity Disclosures
Jess Nall, partner, cyber and AI, Baker McKenzie

The recent SolarWinds case has intensified the legal risks for chief information security officers. A judge validated the SEC's legal theory of intentional securities fraud under the Securities and Exchange Act 10b-5, marking the first time a federal court accepted this theory against a CISO, said Jess Nall, partner for cyber and AI at Baker McKenzie. This decision, the first of its kind, has escalated the likelihood of the case proceeding to a jury trial against Tim Brown, the SolarWinds CISO.

See Also: Corelight's Brian Dye on NDR's Role in Defeating Ransomware

If Brown loses the trial, he risks being labeled a securities fraudster, which could severely damage his career and reputation, Nall said. Such a charge, she said, would also affect his ability to hold future executive roles.

New SEC disclosure regulations now require public companies to report cybersecurity incidents more promptly. "Now cybersecurity incidents of any material nature have to be disclosed within four business days. But that's a different issue, because now all companies that are public issuers in the U.S. are going to be required to disclose under Rule 105," Nall said.

In this video interview with Information Security Media Group at Black Hat 2024, Nall also discussed:

  • Regulatory enforcement in the Joe Sullivan case;
  • How discrepancies between disclosures and actual cybersecurity practices could lead to legal issues;
  • Why CISOs should secure indemnity agreements and D&O insurance.

Nall has more than 20 years of experience in internal investigations, strategy implementation and risk management. She focuses on the intersection of government enforcement and emerging technologies, including AI, cybersecurity and tech. At Baker McKenzie, she has spearheaded investigations and advisory teams in more than 75 international jurisdictions.


About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.