The CISO Under Attack – Cyber Security Elevated to a Securities Fraud Concern?
On October 30th 2023, the US Security Exchange Commission (SEC) charged SolarWinds, a company that suffered significant cyber-attack, and their Chief Information Security Officer (CISO) with fraud and internal control failures. We assess that the outcome of the charges will significantly shape the future of information security governance globally.
The attack of the century?
SolarWinds is a US-based provider of network monitoring software with many European and US businesses and governments on the client list. SolarWinds was subject to a major sophisticated cyber-attack that started as early as 2017 that went unnoticed until December 2020. As an outcome of the attack, a number of corporations and governments were compromised and suffered severely from the breach. It is widely believed that Russian Foreign Intelligence Service SVR, nicknamed Cozy Bear, stands behind the attack.
The US SEC alleges that SolarWinds’ CISO was aware of the risks, vulnerabilities, and red flags, yet addressed these issues insufficiently, and at times failed to sufficiently raise attention for the risks[1]. Consequently, the company allegedly was not able to provide reasonable assurances that its most valuable assets, including its flagship product Orion, were adequately protected.
More importantly, at least for SEC, being a financial regulator, the suit alleges that SolarWinds “misled investors by disclosing only generic and hypothetical risks at a time when the company and the CISO knew of specific deficiencies in SolarWinds’ cybersecurity practices”. This puts renewed stress on CISOs, risk assessments and risk reporting. It is no longer enough to report platitudes about cyber risk and exposure for listed companies. Doing so may put you personally in legal jeopardy.
Oh CISO, where art thou?
The responsibility and placement of the CISO differs depending on the organisation, sector or even individual preferences of the organisation leadership. Simplifying a bit, the CISO typically resides in one of two positions: In the first line of defence, combined with business and operational functions, or in the second line of defence, combined with governing function. Each of these CISO configurations have their opportunities and challenges.
The second line of defence CISO does not engage in day to day business, but are independent of the business. Its job is essentially a control function. But a second line of defence CISO has unique challenge of driving information security strategy forwards as by design. A second line CISO does not, for instance, control budget. Having the CISO in the second line of defence is recommended by recent regulations, such as DORA in the financial sector and NIS2 in critical sectors in the EU.
In the first line of defence, the CISO may personally make greater positive security impact faster but it raises the question if good security is really a business goal in itself. It rarely is. Often it is seen as a cost center, and first line CISOs can often be neutered by being too eager to please the business.
Internal control failure
When the SEC charges the CISO and the firm for lacking risk reporting and misleading the investors of the firm, they point at “internal control failure”. Internal control is a process for assuring achievement of an organisation’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
Usually, when internal control fails, it can be attributed to how the organisation works, and we are left to make assumptions:
- The CISO, who in this case reports to the CFO, has had a hard time getting his boss to fund the necessary improvements to security. The CFO is probably more interested in the financial bottom line, and it is not unreasonable to assume that the security function has been managed as a cost center.
- Being on the business side of things, the CISO has (allegedly) repeatedly ignored reports of security weaknesses and risks and failed to address them. We do not know why, but in security, you can live with pretty big vulnerabilities and have a healthy business until you suddenly do not. This makes it hard to argue for large, costly projects.
- Reporting cyber risks is hard and reporting to the market is doubly hard. The risks must be balanced against other operational risks, and you hardly want to be seen as someone that “cries wolf” in your financial reporting. At the same time, you have to represent risk faithfully. You cannot say “we’re vulnerable” in an internal presentation, and “we’re secure” to the market. An open question also remains how the market would react to a SEC filing that said that “you know, our flagship product that accounts for 45 % of our revenue has severe security deficiencies, but don’t worry, we are working on it”. That is what you should report, though.
Most likely the internal control failure is a case of “all of the above”. The key consideration for any CISO is to consider your placement in the organisation (and your boss), and if you receive repeated warnings about poor security practices, take action and escalate the issues. Most importantly, do not make your security posture look better than it is.
Unwanted consequences?
The regulatory reporting requirements for listed companies in Europe differ from the US. Corporate governance is important whether a business is regulated by the US or EU jurisdiction, as large companies are increasingly becoming more global. The consequences of the case could therefore have repercussions for EU companies as well. There is a trend that stock exchanges, cyber security insurance companies, and regulatory bodies are asking for more hands-on reporting on cybersecurity posture. Based on our experience as advisors, we know that cyber security posture is often reported with generalities rather than hard facts.
If cyber security is raised to being a Securities Fraud issue, the CISO’s role may dramatically change. This landmark lawsuit should in theory raise the CISO to a position of greater influence and responsibility within the organisation. Interestingly, the CISO’s boss and SolarWinds’ CFO are not mentioned in the lawsuit.
In our opinion this should be an orange light for CISOs in listed companies: Your exposure may be greater than you think. If you think the buck stops at top management or the Board level, you may be mistaken. If you are not allowed a seat at the table, either as a control function or a business CISO, you should consider your options. You may find that the legal exposure may outweigh the benefits of the role.
It is not a stretch to think that CISOs in other listed companies would look at this risk and decide that the rational choice would be to leave their roles. This would be an unwanted consequence in a cyber security world that already thirsts for more qualified people.
For more information please contact:
[1] U.S. Securities and exchange commission, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures, 2023. https://www.sec.gov/news/press-release/2023-227
