An Analysis of the SEC notice to SolarWinds CISO and CFO
The cybersecurity landscape is witnessing an unprecedented shift. The recent move by the U.S. Securities and Exchange Commission (SEC) to issue Wells Notices to the CFO and CISO of SolarWinds is a bellwether of this change.
A Wells Notice is a communication from the SEC indicating that it has made a preliminary decision to recommend enforcement action against the recipient, although it is not a formal charge of wrongdoing or a final determination of violation.
The SEC’s decision suggests a new emphasis on individual accountability within organizations for cybersecurity management and incident disclosure. However, this development also shines a light on a complex challenge: the multifaceted and collective nature of cybersecurity.
Why is this significant?
Firstly, it demonstrates an increased scrutiny of companies’ responses to cyberattacks. In this case, the SEC alleges that SolarWinds violated certain provisions of U.S. federal securities laws in its cybersecurity disclosures, public statements, and internal controls following the cyberattack in 2020, which affected thousands of customers globally.
Secondly, this is unusual because a Wells Notice is typically sent to a company itself, not individuals within the company. Wells Notice are usually reserved for CEOs or CFOs in cases of Ponzi schemes, accounting fraud, or market manipulation.
This development suggests that the SEC might be moving towards holding individuals, particularly CISOs, more accountable for managing cybersecurity and disclosing cyber incidents. One possible violation that a CISO might commit is a failure to disclose material information, such as failing to disclose the gravity of an incident or failing to do so in a timely manner. This is a trend confirmed by the the previous conviction of Uber’s CISO and his sentence.
However, some cybersecurity professionals argue that attributing blame solely to the CISO or CFO might not always be fair or accurate, because…
… Cybersecurity management typically involves various stakeholders
In today’s digitized world, a Chief Information Security Officer (CISO) plays an essential role far beyond just implementing and managing security measures. The CISO’s duty also involves making other CXOs accountable for their part in cybersecurity. This includes ensuring that for instance that:
- HR make sure that the resources completes the necessary security training,
- Risk Management keeps cyber risks within defined thresholds,
- Finance aligns the security budget with mitigation strategies (that in turn are based on the organization strategies and risks),
- IT oversees the secure development and maintenance of applications.
- …
But what happens when risk acceptance is chosen as the path forward?
If a CXO or the CEO decides to accept a risk, they should be accountable for that decision. It is crucial that such risk acceptance is well-documented and tracked.
I assume that in SolarWind and Uber incidents top management might have wanted to take a risk acceptance decision but didn’t want it to be documented (I assume because I personally saw this happening).
Conversely, a too accommodating CISO who fails to enforce necessary security measures might find themselves, and put their organization, in the firing line.
The Challenge of Execution
An important yet often overlooked aspect of cybersecurity is the actual execution of security measures. Even when a CISO or security leader gives orders for security actions, the implementation may not always follow through, especially if the person responsible isn’t part of the cybersecurity team. These orders may go unfulfilled due to conflicting priorities, and performance objectives that do not include security are not helping.
This state of affairs points to the need for organizations to align their objectives across departments and ensure that security is a shared priority. Without this alignment, the cybersecurity of the organization remains fractured and vulnerable.
No matter how robust the cybersecurity measures are, it’s impossible to prevent all cyberattacks. I think that the sophistication of the SolarWind attack is a great example of that.
Risk mitigation doesn’t aim for 100% security—residual risks are inevitable. Therefore, managing risks effectively within acceptable thresholds becomes the primary goal. This goal underlines the need for comprehensive risk management strategies that involve all stakeholders in an organization. Let’s not forget that security is just one of many goals of an organization, which also has to do business, and too much security might make the company non-competitive.
The Road Ahead
The SEC’s move towards increased individual accountability in cybersecurity could have profound implications for how organizations manage cybersecurity risks. However, it’s essential for organizations (and governments) to remember that cybersecurity is a collective responsibility. It requires coordinated efforts across departments and roles.
This reality makes the role of the CISO even more critical. They need to bridge the gap between different stakeholders and ensure a holistic approach to cybersecurity. While the SEC’s move might bring with it new challenges and pressures, it also presents an opportunity: to reaffirm the collective responsibility of cybersecurity, reinforcing that it is a task that falls on everyone’s shoulders within an organization.
A persisting question I have is: what should a CISO do if the CEO orders them not to disclose material information and to avoid documenting this decision?
A CISO who blindly follows such orders risks becoming a Scapegoat Officer, serving as a convenient fall guy in the aftermath of a cyber incident rather than actively improving the security posture of their organization. And he/she might not be inclined to do so if they will be put behind bars for that.
That’s a real pickle, so a second question arise: what a government should do to avoid it?
Maybe foresee a sort of Whistle-blowing channel for CISOs that would guarantee a criminal shield in case of situations like the SolarWind and Uber ones?
Last question, what would happen if the company uses a vCISO or a CISO-as-a-Service?
Navigating this new landscape will be challenging, but with clear communication, well-defined roles, and a shared commitment to security, organizations can rise to the occasion. It’s not just about preventing the next big cyberattack—it’s about fostering a culture of shared responsibility and vigilance that permeates every level of the organization. In this era of increasing cyber threats, there is no other way forward.
Leave a Reply