Tips for CISOs after SEC SolarWinds case

May 25, 2024

TLDR:

  • The SEC initiated a groundbreaking lawsuit against SolarWinds Corp. and its CISO in October 2023.
  • CISOs should take immediate steps to protect themselves and their organizations against similar litigation.

In SEC v. SolarWinds, the Securities and Exchange Commission charged SolarWinds Corp. and its CISO, Timothy Brown, with making false statements regarding cybersecurity risks. The case highlights the importance of CISOs taking proactive measures to protect themselves and their organizations. Here are five key actions that public company CISOs should consider:

1. Establish clear communication with the CFO and financial reporting team to align SEC reporting and information security functions.

2. Ensure that statements intended for customers or vendors undergo the same level of review as those for shareholders to avoid potentially misleading investors.

3. Maintain state-of-the-art information security policies and controls to avoid allegations of inadequate internal accounting controls over financial reporting.

4. Collaborate with internal audit and assurance providers to enhance system resilience and reduce errors in external communications.

5. Consult cybersecurity counsel experienced in SEC matters when novel or uncertain fact patterns arise to address complex issues effectively.

The SEC’s emphasis on investor protection in cybersecurity breaches highlights the need for transparency and accountability in the digital age. Companies are now required to report cybersecurity oversight in annual reports and disclose significant incidents promptly. CISOs should be proactive in addressing cybersecurity issues to mitigate risks and uphold regulatory compliance.

As the case evolves, it will set a precedent for cybersecurity disclosures across industries, emphasizing the increasing importance of transparency and accountability in the digital age.
