As SEC’s SolarWinds charges reverberate, companies scrutinise cyber risk disclosures

'Do not state anything that is subjective and avoid adjectives (e.g., "state of the art," "mature," "advanced," "appropriate," "comprehensive," or "reasonable")' say experts.

As SEC’s SolarWinds charges reverberate, companies scrutinise cyber risk disclosures

The decision by the Securities and Exchange Commission (SEC) to charge SolarWinds and its CISO Tim Brown with fraud and internal control failures reverberated through the cybersecurity community this week.

Gurbir Grewal, SEC’s Division of Enforcement said the action “... charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

With the dust settling in the wake of the SEC’s decision (covered with context by The Stack here and described by one senior cyber risk professional, Ramy Houssaini as “what amounts to a Sarbanes Oxley moment for cybersecurity”), many organisations are starting to think about how to update their cyber risk disclosures in the wake of the move.

To EY’s Brian Levine, MD, Cybersecurity & Data Privacy and a former Department of Justice computer crime national coordinator, there are seven key things organisations should be considering. In a well-received LinkedIn post, he urged cyber risk leaders to do the following:

Do not say anything that could even arguably be considered a false statement or omission.
Avoid any ambiguity or language that is overly technical.
Don't overstate. For example, no matter how good your program is, it cannot "prevent" cybersecurity incidents.
Do not state anything that is subjective and avoid adjectives (e.g., "state of the art," "mature," "advanced," "appropriate," "comprehensive," or "reasonable").
Do not provide unnecessary details that might expose the Company to additional risk. For example, if threat actors know the specific tools and products you use, they may also know or search for vulnerabilities in those products.
Provide sufficient explanation of your risk disclosure program so that readers (and the SEC) understand that you are (a) regularly identifying and considering improvements to your controls; and (b) constantly finding and attempting to handle significant vulnerabilities and weaknesses.
Review your disclosures each and every time they are to be published to ensure that they are still accurate and not misleading. If you said that certain events "might" or "could" happen and they have since happened, update your disclosure to reflect the change.

Yet CISOs remain concerned at the potential for liability to fall on their shoulders, despite reiteration by the SEC that the charges were not brought on security failings nor indeed the SolarWinds’ breach alone, but rather stem from the company’s “misstatements, omissions, and schemes that concealed [its] poor cybersecurity practices and its heightened –  and increasing – cybersecurity risks.”

Concerns about personal liability for enterprise security failings nonetheless remain rife amongst CISOs. As Dr Alex Constantinidis, Group CISO at the Qatar National Bank at QNB Group put it on LinkedIn: “Has anyone found a way to convey to non-technical audiences daily challenges such as patch management? An average organisation with 10,000 assets needs to deploy over 600,000 security patches per year. 

“At any given month that leaves 50,000 unpatched vulnerabilities per month (while patches are saturated). Do you honestly think that a court understands this or will they focus on the numbers?” he asked. 

Keith Price, CISO at National Highways added: “Anyone calling for amnesty or ‘eff the SEC’ needs to check their ethics. Will this change the senior security landscape? Yes. But honest CISOs can now negotiate D and O [Directors' and Officers'] and other covers and still do the right thing…”

Music to the ears of whistleblowers?

Notably, as Jason Zuckerman and Matthew Stock of Zuckerman Law emphasised this week, the decision may also give cybersecurity whistleblowers an increased incentive to come forwards.

The two wrote: “Information security and data privacy whistleblowers are often in a position to identify and remedy vulnerabilities—and therefore prevent breaches—if only decision makers would act on their concerns. 

“In our practice representing cybersecurity whistleblowers, we find that all too often, chief information security officers and other information security professionals encounter indifference or retaliation when they raise concerns about vulnerabilities.  The SEC whistleblower program offers a powerful incentive for cybersecurity whistleblowers to report violations to the SEC and assist the SEC in taking decisive enforcement actions that will encourage registrants to provide accurate disclosures about cybersecurity and maintain appropriate cybersecurity controls.”

With both internal and external communications, sales and marketing materials potential artefacts of intentional or unintentional misrepresentations at various risk levels, there may be some house-cleaning to do – and hopefully substantial security improvements in many quarters too; Microsoft being first out of the gates with the promise this week to embark on its biggest overhaul of cloud, software product and engineering security in nearly two decades.

Your views on the SEC charges and cyber risk disclosures? Get in touch.

Follow The Stack on LinkedIn