Categories
Blog

Solar Winds Under GDPR: Corporate Responsibility and Risks in Data Protection

The General Data Protection Regulation (GDPR) has significantly changed how organizations handle data protection and privacy. It emphasizes the importance of transparency and honesty in disclosing data breaches and vulnerabilities. In a recent episode of the podcast Life with GDPR, Tom Fox and Jonathan Armstrong from Cordery Compliance discussed the topic of corporate responsibility and risks in data protection, with a particular focus on the SolarWinds case.

To recap, in late 2023, the SEC filed a lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, bringing the issue of executive liability in cybersecurity disclosures to the forefront. The lawsuit raised important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries under US securities law.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware in the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to access the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focused on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures formed the basis of the SEC’s allegations.

The SEC complaint alleged that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Beyond this SEC enforcement action, there were other implications as well. One key takeaway from the episode is the pressure on corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to disclose data breaches promptly. While GDPR offers some protection to Data Protection Officers, they are not entirely exempt from liabilities. The SolarWinds case serves as a reminder of the need for specific and timely disclosure of breaches and the importance of addressing system vulnerabilities.

The risks associated with data breaches are not limited to regulatory fines. Litigation risks are a significant concern for organizations, with shareholders and whistleblowers potentially seeking legal action. The episode highlights the importance of transparency and not misrepresenting information to regulators. Misrepresentations can lead to severe consequences for individuals in positions of responsibility within corporations.

Budget constraints can also hinder the timely fixing of vulnerabilities, ultimately leading to breaches. Organizations need to take proactive measures to identify and address vulnerabilities promptly. Realistic resource assessments are crucial to ensuring that adequate resources are allocated to data protection efforts. Additionally, having adequate insurance protection, such as Directors and Officers (D&O) insurance, can help protect individuals in positions of responsibility from potential liabilities.

The episode also emphasizes the need for organizations to consider the impact on their stock exchange filings when deciding whether to disclose a data breach. The decision to admit a violation of a stock exchange can be challenging and depends on factors such as materiality. Organizations need to assign a dedicated team to consider these factors, mainly when engaged in transactions like mergers and acquisitions or fundraising.

Transparency and honesty are key principles in data protection and privacy. Audit reports and investigation findings must be acted upon promptly to address vulnerabilities. Emails and other forms of communication can serve as evidence in legal proceedings, highlighting the importance of careful communication within organizations.

The potential for litigation is significant in data breach cases. Shareholders may seek legal action if they believe the value of their stock has been affected. Whistleblowers, incentivized by various jurisdictions, may also come forward with information. This highlights the need for organizations to maintain a culture of transparency and integrity and for individuals to review their remuneration packages to avoid conflicts of interest.

In conclusion, GDPR, corporate responsibility, and risks in data protection are interconnected. Organizations must prioritize transparency, honesty, and timely disclosure of breaches and vulnerabilities. Proactive measures, realistic resource assessments, and adequate insurance protection are crucial to mitigating risks. By considering the impact on stock exchange filings and maintaining a culture of integrity, organizations can navigate the challenges associated with data protection and privacy in the GDPR era.

Categories
Life with GDPR

Life With GDPR: Episode 104 – Solar Winds and Your Mother – Tell The Truth

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. In this episode, they look at the continued fallout from the Solar Winds data breach.

In the complex world of data protection, the General Data Protection Regulation (GDPR) has placed a spotlight on the importance of transparency, honesty, and corporate responsibility. Experts Tom Fox and Jonathan Armstrong bring their unique perspectives to this topic, shaped by their extensive experience in compliance and data protection. Fox emphasizes the potential legal consequences for corporate leaders who fail to disclose vulnerabilities or engage in dishonest practices, while Armstrong highlights the increasing pressure on individuals and corporations to disclose data breaches, with regulators focusing more on individual liability. Both stress the importance of transparency, the potential for litigation, and the role of whistleblowers.

Join Fox and Armstrong as they delve deeper into these issues on this episode of the Life with GDPR podcast.

Key Takeaways:

  • The Importance of Truthfulness in GDPR
  • The Importance of Transparency in Data Breaches
  • Legal risks in data breaches and cybersecurity
  • The Impact of Budget Constraints on Vulnerability Fixes

 Resources:

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here. Check out the Cordery Data Breach Academy here.

Connect with Tom Fox

●      LinkedIn

Connect with Jonathan Armstrong

●      Twitter

●      LinkedIn

Categories
Compliance Into the Weeds

Compliance Into The Weeds: Key Compliance Issues for 2024

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into issues Matt has on his radar for compliance professionals in 2024.

Matt Kelly is well known for zigging when everyone else is zagging. At the start of each year, he publishes a column that looks at key issues for compliance professionals in the year ahead. This podcast takes a deep dive into these issues. The rapidly evolving landscape of AI, cybersecurity, and governance is increasingly shaped by regulatory and compliance trends. In this context, industry experts Tom Fox and Matt Kelly offer insightful perspectives. We consider governmental oversight of AI, with more specific AI regulations in 2024, while also highlighting the potential of AI integration into compliance products and platforms. We also look at issues with the SEC, PCAOB, and DOJ.  Join Tom Fox and Matt Kelly as they delve deeper into these topics in this episode of the award-winning Compliance into the Weeds.

Key Highlights:

  • FEPA and its enforcement
  • NOCLAR and the PCAOB
  • SEC v. Solar Winds and its CISO
  • AI-Regulation and Business Use
  • SEC right to disgorgement 

Resources:

Matt Kelly on LinkedIn

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

SEC, Solar Winds and Compliance

The recent SEC lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, has brought the issue of executive liability in cybersecurity disclosures to the forefront. This case sheds light on the culture of deception within SolarWinds, where lower-level employees struggled to communicate the severity of cybersecurity issues to management. The lawsuit raises important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware into the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to gain access to the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focuses on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures forms the basis of the SEC’s allegations.

The SEC complaint alleges that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

The case raises important questions about the responsibility and liability of senior executives for misleading disclosures. In this instance, the focus is on the former CISO, Tim Brown, who is facing civil penalties and potential trial. The SEC is seeking to bar him from serving at publicly traded companies. However, the case also raises questions about the CEO’s potential liability. In SolarWinds’ case, the former CEO, Kevin Thompson, who did not have a cybersecurity background, may have relied on assurances from the CISO regarding the company’s cybersecurity risks and disclosures.

The issue of executive liability in cybersecurity disclosures is complex. Should senior executives be held accountable for inaccurate assurances provided by their subordinates, especially in areas where they may not have expertise? Security is a complex matter, and executives may rely on the expertise of others to make informed decisions. However, this case highlights the potential consequences of such reliance and the need for executives to ensure accurate and transparent disclosures.

The SEC’s lawsuit against SolarWinds and Tim Brown also raises broader questions about the liability of executives in charge of risk, such as compliance officers. If executives are given assurances that turn out to be incorrect, where does the liability lie? This case could have implications beyond the cybersecurity realm and may impact how executives approach risk disclosures in various industries.

Balancing the need for accurate risk disclosures with the challenges of understanding complex cybersecurity issues is a tradeoff that executives must navigate. The case highlights the importance of fostering a culture of transparency and effective communication within organizations. It also emphasizes the need for executives to stay informed and engaged in areas of risk, even if they do not have direct expertise.

Moving forward, organizations should consider implementing the NIST framework for cybersecurity to effectively defend against cyber threats. This framework provides a comprehensive approach to managing and mitigating cybersecurity risks. By following best practices and ensuring accurate risk disclosures, organizations can reduce the likelihood of facing legal action and protect their stakeholders.

In the SEC Press Release Gurbir S. Grewal, Director of the SEC’s Division of Enforcement said “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company. Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.” Finally,  “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

In conclusion, the SEC’s lawsuit against SolarWinds and Tim Brown brings executive liability in cybersecurity disclosures into focus. The case highlights the importance of accurate and transparent risk disclosures and raises questions about the responsibility of senior executives. Executives must balance the need for accurate disclosures with the challenges of understanding complex cybersecurity issues. By fostering a culture of transparency and implementing best practices, organizations can mitigate risks and protect their stakeholders.

Categories
Compliance Into the Weeds

Compliance into the Weeds: What is Driving Compliance Engagement at the Board?

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, going into the weeds to explore a subject more fully and looking for some hard-hitting insights on sanctions compliance. Look no further than Compliance into the Weeds!

In this episode, co-hosts Tom Fox and Matt Kelly dissect the Navex 2023 State of Risk and Compliance Report. Tom and Matt delve into Navex’s annual benchmarking report, which surveyed 1,300 compliance professionals. The report revealed that 53% of respondents described their compliance programs as mature. Matt and Tom question whether the board is driving the conversation or if compliance officers request updates due to potential liability. The report’s findings on cybersecurity and privacy concerns, survey results on where compliance should reside in a company, and the importance of having a mature anti-bribery anti-corruption compliance program are all discussed. Tune in to hear more about how compliance officers can address pressing concerns such as cybersecurity breaches and attacks.

Key Highlights:

  • Navex’s benchmark report on compliance programs
  • Board-Compliance Officer Relationship & Cybersecurity in Compliance
  • The necessity of Dedicated Compliance Committees
  • Survey Finds Diverse Views on Compliance Placement in Companies
  • The Importance of Anti-Bribery Compliance for Cybersecurity
  • Compliance Officer Reporting to CISO Dynamics

 Resources:

Matt 

LinkedIn

Blog Post in Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

Cyber Security Failures Alleged in Mudge Whistleblower Compliant

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we mine the whistleblower allegations by Peiter Zatko, AKA “Mudge,” made against Twitter for lessons for the cyber-security professional and wide compliance discipline. Highlights and questions posed include:

·      The allegations made by Mudge.

·      Why does an organization need a CISO (or CCO or CECO)?

·      How did Twitter get hacked, its employees duped, and its controls bypassed?

·      What is pedestrian yet telling in this saga?

·      Why is data mapping mandatory if not critical?

·      Where were the external auditors?

·      Is there a Caremark claim here?

Resources

Matt in Radical Compliance