Regulators are holding chief information security officers (CISOs) liable for the cybersecurity challenges they or their companies face, as evidenced by the SEC charges against SolarWinds and its top security executive, Timothy Brown.
The SEC’s complaint alleges that SolarWinds misled investors about the state of the company’s cyber defenses in the years leading up to a massive 2020 Russian cyberattack. The charges come a few months after a jury found former Uber security executive Joe Sullivan guilty of obstructing an active Federal Trade Commission investigation into Uber’s security practices and concealing a 2016 data breach.
These cases signal a new willingness on the part of regulators to hold CISOs accountable for cybersecurity failures, which is raising concerns among security executives. Some worry that the new SEC cyber disclosure rules, which go into effect next month, could lead to more frequent charges against CISOs, as they will require publicly traded companies to disclose material cyber incidents within four business days and share details about their internal cybersecurity strategies each year.
CISOs are now worried that any statements they make early in their incident response, or even in the years before an attack, could lead to legal problems years later, as it has for SolarWinds.
In an op-ed, Sullivan argued that the SolarWinds’ charges will lead “the private sector to become afraid to work closely with the government” after an attack.
Prospective security leaders may also be discouraged from taking on top roles in the wake of the SolarWinds and Sullivan cases, said Michael Sikorski, CTO and VP of engineering for Palo Alto Networks’ threat intelligence team.
The sources for this piece include an article in Axios.