Are you the Chief Information Security Officer at your organization?
CISOs are a very important part of an organization’s cybersecurity and compliance stack. When there is a role dedicated to ensuring that everyone else follows the necessary rules and best practices to keep private data protected, the chances of someone breaking into the system go down significantly.
This responsibility could soon be a double-edged sword, though. A CISO has been charged with fraud after a cybersecurity incident affected their company. Could you be held liable for data breaches, merely because you’re the CISO?
What Happened to SolarWinds?
Now, charges filed by the United States Securities and Exchange Commission allege that the CISO of SolarWinds misled investors about the company’s cybersecurity practices and failed to disclose known risks, leading to the massive cyberattack known as SUNBURST.
The SUNBURST attack was a highly sophisticated supply chain attack against the IT management software, SolarWinds. The attack was discovered in December 2020 and is believed to have been ongoing for at least nine months. The attackers gained access to SolarWinds’ Orion software and inserted a backdoor into the code. This backdoor allowed the attackers to remotely access and control the systems of SolarWinds’ customers, which included many Fortune 500 companies and government agencies.
The attack is believed to have been carried out by a group of Russian hackers, and it is considered to be one of the most complex and damaging cyberattacks in history, especially because of its impact on the global economy.
So…why is this years-old attack making headlines now?
Why Was the CISO Charged?
Timothy G. Brown, SolarWinds’ Chief Information Security Officer (CISO), was charged by the U.S. Securities and Exchange Commission (SEC) with fraud and internal control failures on October 30, 2023.
The SEC’s complaint alleges that, from SolarWinds’ October 2018 initial public offering (IPO) through its December 2020 Form 8-K filing, the company defrauded investors and the public while it was the target of SUNBURST.
Allegedly, Brown and the company disclosed only generic and hypothetical risks to SolarWinds, despite knowing about specific deficiencies in the organization’s cybersecurity practices. The company also issued public statements about its cybersecurity practices and risks that were allegedly at odds with its internal assessments.
So the CISO isn’t being charged with direct responsibility for the attack; rather, the SEC is alleging a failure to effectively mitigate risks and take preemptive action in the months before it. In 2019 and 2020, SolarWinds internally discussed questions about the company’s ability to protect its critical assets from cyberattacks. To top it all off, the lawsuit alleges that SolarWinds made an incomplete disclosure about the SUNBURST attack in the company’s Form 8-K filing on December 14, 2020.
In addition, the SEC alleged that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but did not resolve the issues or sufficiently raise them further within the company. SolarWinds has denied the SEC’s allegations and is contesting all charges.
What This Means for Future CISOs
What does all of this mean with regard to your responsibility and culpability as the Chief Information Security Officer at your organization? Should you be ready at any moment for the police to knock down your office door and arrest you over zero-day vulnerabilities and undetected threat actors?
Not if you are abiding by the legal regulations and best practices expected of you as a CISO! Cybersecurity and compliance are no joke, and the SEC doesn’t find violating them funny either. They take your organization’s data privacy seriously, and so should you.
Your job doesn’t start when something suspicious happens. Cybersecurity in the modern age requires continuous monitoring and an understanding of both the latest threats against your network and the tools available to defend it. As you develop and implement incident preparedness plans, oversee junior officers’ progress, and steer the organization in the right direction, remember that you are the one whom workers and clients alike look to for reassurance and guidance in situations like these. It’s not just your confidence that they respond to, but your knowledge and experience in keeping private data safe!