SEC’s SolarWinds Hack Suit Is Fresh Headache for Security Chiefs

Nov. 1, 2023, 9:05 AM UTC

The Securities and Exchange Commission’s naming of SolarWinds Corp.'s chief information security officer in its lawsuit over company missteps before a massive software hack is a warning shot to other top security executives.

SolarWinds and its CISO, Tim Brown, both misled investors about the security of their software and oversight rigor in the years before the hack compromised nine federal agencies and around 100 other customers, the SEC alleged in an Oct. 30 securities fraud complaint.

The lawsuit, said to be the first SEC cybersecurity litigation naming a CISO, signals that those corporate officers have to be aware of their own legal exposure as they wrestle with constantly evolving digital threats. Several agencies in recent years, including the Federal Trade Commission, have bolstered their cybersecurity regulations to require more executive-level oversight into breaches and more reporting about them.

“This is a wake-up moment that security has gone through an evolution of growth and now CISOs are at the big boy table,” said Michael Coates, current CISO at CoinList and former security head at Twitter.

Coates, who described the claims against SolarWinds and Brown as “egregious,” said CISOs with better cyber hygiene may still feel targeted by the SEC’s decision to point the finger at SolarWinds’ top security officer without naming other senior company executives.

In June the agency sent Brown and SolarWinds CFO J. Barton Kalsu notices warning them of potential enforcement actions, but Kalsu wasn’t mentioned in the complaint.

Sending Message

The SEC accused SolarWinds and Brown of deceiving investors over basic network security, ranging from developing new software products on secure platforms to adopting fundamental password protections, according to the complaint.

The SEC is asking a court to permanently prohibit Brown from serving as an officer or director in publicly owned companies, and seeking civil penalties against him that could top $100,000.

As the “chief internal cybersecurity expert,” Brown aided with the creation of several misleading disclosures, including a Form 8-K filed with the SEC and an online security statement, the agency alleged.

Brown’s attorney, Alec Koch of King & Spalding LLP, said Brown performed his duties with “diligence, integrity, and distinction.”

“Mr. Brown has worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint,” Koch said.

The SEC’s detailed complaint could be a blessing in disguise for CISOs worried about intense scrutiny by federal regulators, according to Jamil Farshchi, Equifax Inc.'s CISO. While security leaders are under greater pressure than ever to defend their networks, their path to long-term stability is simple transparency, Farshchi said.

“What this does is tell every CISO in the country that the SEC is watching and you’ll be held accountable for the claims you make about your security posture,” Farshchi said. “Before this, I think there was quite a bit more leeway about making public claims about corporate security that ultimately just weren’t true.”

Potential Roadmap

Executive security officers and general counsels are likely to look closely at the violations alleged in the complaint side-by-side with their own compliance programs to identify any potential gaps, according to Timothy Gallagher, the chief security officer at Nardello & Co., an investigations firm.

“Bringing penalties against someone in a CISO role is sending a message that even if your name is not on the 10-K and 10-Q filings you will be held personally accountable for either misstatements or omissions,” Gallagher said.

Assigning that level of personal responsibility could make other security executives scramble to protect themselves from liability costs with director and officer insurance policies, said Mike Hamilton, the former CISO of Seattle and founder of cybersecurity firm Critical Insight.

Corporate security officers have historically reported to higher-ranking executives, like a vice president of information technology. The SEC isn’t the only agency that’s been boosting its scrutiny of people in the role.

The Department of Justice in 2022 successfully pursued a criminal conviction against former Uber security officer Joseph Sullivan for his response to a data breach.

The SolarWinds suit should alert CISOs that all public statements about cybersecurity are fair game when the SEC is investigating disclosure violations, said Jennifer Lee, a partner at Jenner & Block and a former SEC official.

“The trend that we’re seeing here is that the federal government, and specifically the SEC, they want to bring discipline to cybersecurity practices and procedures,” Lee said.

The case is SEC v. SolarWinds Corp., S.D.N.Y., No. 1:23-cv-09518, complaint filed 10/30/23.

To contact the reporters on this story: Skye Witley at switley@bloombergindustry.com; Kartikay Mehrotra at kmehrotra@bloombergindustry.com

To contact the editors responsible for this story: Keith Perine at kperine@bloomberglaw.com; Cheryl Saenz at csaenz@bloombergindustry.com
