Navigating the New Age of Cybersecurity Enforcement
The SolarWinds SEC lawsuit illuminates the potential risks faced by CISOs and other cybersecurity executives.
COMMENTARY
On Oct. 30, 2023, the Securities and Exchange Commission (SEC) shook the assumptions of security leaders across industries when it filed a landmark lawsuit against SolarWinds and its chief information security officer (CISO). Many equate this move as akin to a bomb going off for people working in the CISO role. It is also the first time an SEC lawsuit has called out an individual from a company in this manner.
With the case now unfolding, do you understand your personal liability as a CISO? One thing is clear: This case sends a message. CISOs are now faced with unprecedented potential liability risks, prompting the need for a proactive approach to legal exposure for security executives. To shed light on this complex issue, we brought together more than 60 CISOs, former SEC members, and legal experts for a panel discussion. Background and credibility were vital in recruiting panelists to discuss this high-stakes topic. Our goal was simple: to provide the CISO community with authoritative guidance and clarity on liability management.
The panel dissected the SolarWinds case, noting that the SEC's focus appears to be on negligence rather than egregious fraud. While the case is portrayed as aggressive, the substance may not be as robust. Experts suggest that CISOs take this case as a wake-up call, emphasizing the need for proactive measures and a good-faith approach to cybersecurity.
The insights gathered from this discussion offer a roadmap for CISOs to navigate this new era of cybersecurity enforcement. Here are some of the most important pieces of advice we learned from the panel.
Build Strong Alliances With General Counsel
One of the first — and perhaps most critical — takeaways from the panel discussion is the importance of CISOs building strong relationships with the general counsel (GC). According to the experts, the GC can be a crucial ally in times of crisis, providing valuable legal guidance and support. In the wake of the SolarWinds case, CISOs are advised to proactively align themselves with their GC, ensuring a collaborative and well-prepared response to potential legal challenges.
Establish FBI Connections
Another essential piece of advice from the panel is to establish a relationship with the local FBI field office as soon as possible. An FBI representative in the discussion stressed the importance of pre-existing relationships with the FBI. Having a contact within the FBI can be instrumental in navigating situations similar to the SolarWinds case. It's all about the trust factor, according to the panel's FBI representative. They also noted that the FBI views companies in such situations as victims, which is why CISOs are encouraged to establish a relationship with their local FBI field office long before a crisis occurs.
Take Care in Adhering to Standards
The panel also highlighted the significance of aligning cybersecurity practices with objective standards, such as those outlined by the National Institute of Standards and Technology (NIST). The SEC, as demonstrated in the SolarWinds case, may demand proof of adherence to these standards. "Any time you align yourself to an objective standard, like NIST, the SEC will want proof of that," one of our SEC representatives noted. So, if you're going to publicly announce that you're using a set of standards, also ensure you adhere to the standards you choose. CISOs must maintain thorough documentation to provide evidence if needed.
Coordinate Legal Counsel and Internal Investigations
When it comes to legal counsel, the topic of whether or not a CISO needs their own counsel drew varying opinions from the panel. So, what's a CISO to do? The panel agreed that a personal lawyer, especially when being interviewed by the SEC or the Department of Justice (DOJ), is likely needed. Having legal representation during internal investigations and interactions with in-house counsel may also be a smart move.
Consider D&O Insurance
Understanding and investing in directors and officers (D&O) insurance was another crucial aspect emphasized by the panel. In the face of potential legal action, having D&O coverage can provide financial protection for CISOs. The experts recommend familiarizing yourself with the coverage, checking for any existing claims, and even considering standalone coverage for added protection.
Embrace the Three Pillars: Align, Clarify, Escalate
In this new era of heightened cybersecurity enforcement, CISOs are advised to adhere to three key pillars: align, clarify, and escalate. Align cybersecurity practices with recognized standards, clarify communication with legal and FBI contacts, and escalate concerns up the chain of command. These pillars form the foundation of a proactive and protective approach to the evolving challenges faced by cybersecurity executives.
CISOs Must Take Proactive Measures Now
The SolarWinds SEC lawsuit has illuminated the potential risks faced by cybersecurity executives. CISOs are urged to take proactive measures to protect themselves from legal exposure. Building strong alliances with the general counsel, establishing connections with the FBI, adhering to cybersecurity standards, obtaining D&O insurance, and embracing the three pillars of alignment, clarification, and escalation are key steps in navigating the challenges of this new age of cybersecurity enforcement. As the landscape continues to evolve, CISOs must stay vigilant and well-prepared to ensure the security of their organizations and safeguard their own professional standing.
About the Author
You May Also Like