Below are the 5 takeaways from the SolarWinds case where a CISO was held personally liable for fraud…
1. Culture & a sub-certification process for government filings are important
The CISO at the time signed the sub-certification that SolarWinds’ executives relied on. The CISO was also the “approver” of, and accountable for, the Security Statement on the public website. The Statement included claims that the company relied on a secure development lifecycle (SDL). The SEC alleges several employees knew about inadequate disclosures & misrepresentations in the filings and on the website and either willingly participated in the cover-up or failed to take action to correct the public statements.
2. Internal communications can make a case for regulators
The facts showed many communications regarding concerns, including one (“Well, I just lied”) about a failure to disclose issues to a client. The communications appear to have been mostly within the CISO’s department.
3. A disclosure committee can be helpful
The SEC alleged the risk disclosures were too generic & hypothetical, especially because known risks were not disclosed. A disclosure committee can help avoid stale disclosures.
4. Gatekeepers have an important role
It appears as though the board & lawyers did not detect or prevent the failure to disclose / the inadequate disclosures. With smart inquiry, I wonder if some of the issues could have been mitigated.
SolarWinds had government clients that were harmed. As a government contractor, SolarWinds should have treated adequate disclosure of security incidents as a top issue, because of the anticipated enhanced scrutiny & the nature of SolarWinds’ business as an expert offering cybersecurity products.
There were several failures of security controls, including non-compliance with the NIST Framework. Why wasn’t this discovered by third-party audits and/or internal audit tests of the Company’s cybersecurity program?
5. Insiders need to carefully consider when to exercise stock options
The SEC claims the failure to disclose was tied to the CISO’s self-interest in keeping SolarWinds’ stock price inflated.