The recent SEC lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, has brought the issue of executive liability in cybersecurity disclosures to the forefront. This case sheds light on the culture of deception within SolarWinds, where lower-level employees struggled to communicate the severity of cybersecurity issues to management. The lawsuit raises important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries.
The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware into the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to gain access to the highest levels of the US government and major corporations.
The SEC’s lawsuit against SolarWinds and Tim Brown focuses on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures forms the basis of the SEC’s allegations.
The SEC complaint alleges that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
The case raises important questions about the responsibility and liability of senior executives for misleading disclosures. In this instance, the focus is on the former CISO, Tim Brown, who is facing civil penalties and potential trial. The SEC is seeking to bar him from serving at publicly traded companies. However, the case also raises questions about the CEO’s potential liability. In SolarWinds’ case, the former CEO, Kevin Thompson, who did not have a cybersecurity background, may have relied on assurances from the CISO regarding the company’s cybersecurity risks and disclosures.
The issue of executive liability in cybersecurity disclosures is complex. Should senior executives be held accountable for inaccurate assurances provided by their subordinates, especially in areas where they may not have expertise? Security is a complex matter, and executives may rely on the expertise of others to make informed decisions. However, this case highlights the potential consequences of such reliance and the need for executives to ensure accurate and transparent disclosures.
The SEC’s lawsuit against SolarWinds and Tim Brown also raises broader questions about the liability of executives in charge of risk, such as compliance officers. If executives are given assurances that turn out to be incorrect, where does the liability lie? This case could have implications beyond the cybersecurity realm and may impact how executives approach risk disclosures in various industries.
Balancing the need for accurate risk disclosures with the challenges of understanding complex cybersecurity issues is a tradeoff that executives must navigate. The case highlights the importance of fostering a culture of transparency and effective communication within organizations. It also emphasizes the need for executives to stay informed and engaged in areas of risk, even if they do not have direct expertise.
Moving forward, organizations should consider implementing the NIST framework for cybersecurity to effectively defend against cyber threats. This framework provides a comprehensive approach to managing and mitigating cybersecurity risks. By following best practices and ensuring accurate risk disclosures, organizations can reduce the likelihood of facing legal action and protect their stakeholders.
In the SEC Press Release Gurbir S. Grewal, Director of the SEC’s Division of Enforcement said “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company. Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.” Finally, “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
In conclusion, the SEC’s lawsuit against SolarWinds and Tim Brown brings executive liability in cybersecurity disclosures into focus. The case highlights the importance of accurate and transparent risk disclosures and raises questions about the responsibility of senior executives. Executives must balance the need for accurate disclosures with the challenges of understanding complex cybersecurity issues. By fostering a culture of transparency and implementing best practices, organizations can mitigate risks and protect their stakeholders.