SolarWinds, Okta breaches underscore shifting cybersecurity responsibilities

Nov 4, 2023 · 3 mins read

This week, the SEC has charged SolarWinds and its CISO with fraud (PDF) following an investigation that revealed that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks”. Specifically, the complaint alleges that the CISO defrauded investors through “misstatements, omissions and schemes that concealed both the company’s poor cybersecurity practices and its heightened — and increasing — cybersecurity risks”.

This is the most recent in a series of unprecedented actions by the SEC, starting with the issuance of Wells Notices to SolarWinds in October 2022 and June 2023, followed by the introduction of a landmark Final Rule on cybersecurity disclosures the following month. This is the first time the SEC has charged a CISO in a corporate misconduct case.

These actions, along with Executive Orders signed this year, indicate that federal regulators are taking cybersecurity seriously. And it’s not just government regulators: media coverage is also shifting the blame from end-users and low-level employees to senior management.

Jake Williams, a former National Security Agency (NSA) hacker and IANS Research faculty member, called the precedent a “holy hand grenade” given to CISOs, suggesting that it would have a greater impact on cybersecurity than another decade of breaches. He’s quoted in SecurityWeek and VentureBeat saying:

“CISOs, especially those at publicly traded companies, should take stock of their security programs and ensure that what’s being communicated to the public is rooted in reality rather than spin and wishful thinking. For those in privately held organizations, the SEC is setting a new standard for security disclosures with this lawsuit. Don’t be surprised to see that standard used in litigation if you make false, incomplete, or misleading statements about security to customers or business partners.”

He further says that this complaint should “be a wake-up call to all public companies that the SEC is serious about holding executives responsible for following its cybersecurity guidelines and shoring up cybersecurity deficiencies”, and emphasizes the role of internal communications in litigation and regulatory actions:

Internal communications like “Even if we start to hire like crazy, which we will most likely not, it will still take years. Can’t really figure out how to unf**ck this situation. Not good” will never be read in the most favorable light to the defendant.

While industry reactions are of course varied, many expect to see increased transparency around cybersecurity program maturity, as well as integration of cyber risk into the organization’s risk management program. This increased responsibility and liability are projected either to make the CISO role less attractive, or to put it on par with CEO and CFO positions in terms of insurance, legal representation, and compensation.

While some implications may take months or years to play out, we believe the basics are clear:

  1. Don’t misrepresent the maturity of your cybersecurity program
  2. Proactively identify threats to your systems and infrastructure
  3. Do your best to remediate them
  4. Be transparent with stakeholders if an incident does occur