It’s a difficult time to be a chief information security officer (CISO). Industry pressures are increasing, budgets are tight, and regulations are coming into force, creating additional requirements CISOs must manage.
Over the summer, the Federal District Court for the Southern District of New York provided good news for the CISO community, at least for a while, when it dismissed the majority of claims brought by the Securities and Exchange Commission (SEC) against SolarWinds and its Chief Information Security Officer Timothy Brown. The claims arose out of the 2020 Russian cyberattack against the company and its customers.
When the SEC initially filed charges in late October 2023, it sent shockwaves through the CISO community because it was the first time that a CISO had been personally named in a case concerning a cyber incident. Both SolarWinds and Brown were charged with fraud and internal control failures arising out of the “massive, nearly two-year long cyberattack” that the SEC claimed harmed investors “by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
There were two main areas of focus in the ruling that have provided some clarity to CISOs:
First, that the SEC could not treat the voluntary NIST Cybersecurity Framework as an element of the company’s financial controls.
Second, that statements about security made by the company and the CISO in blog posts, podcasts, and press releases amounted to “corporate puffery” and would not be relied upon by the average investor.
On the surface, this sounds great—and for the moment, it is. Had the SEC prevailed, the precedent set would have made the CISO’s mission even more precarious because (1) a company’s honest voluntary self-assessment would have to be recalibrated as an accounting control used for public financial disclosure—a very different intent; and (2) if every statement a CISO makes in public had been deemed “material” to investors, CISOs asked to talk about sensitive security issues would be at heightened risk of exposure at all times.
While the pressure has been released somewhat, it’s important to think about these dismissals in context, because the new SEC cybersecurity regulations are still in effect, and the SEC is still watching, along with its counterparts at the New York State Department of Financial Services.
The Court found that the SEC went too far when it asserted its authority over internal accounting controls applied to cybersecurity, or even more specifically, “internal controls.” This was a novel argument—the SEC had never tried to assert its securities authority over cybersecurity practices.
The SEC claimed that, under SolarWinds’ incident response plan, two victim notifications were mischaracterized: they should have been elevated to executives but were instead triaged and dismissed at lower levels of the plan.
The SEC also claimed that security around SolarWinds’ virtual private network (VPN), a third issue tracked in the company’s NIST Cybersecurity Framework reporting, was insufficient, noting parenthetically “‘second guessing by hindsight’ a company’s decisions in securities fraud claim disfavored”. The Court flatly rejected this issue, finding that the SEC had failed to state a claim against SolarWinds or Brown. That is good news for CISOs in that it clearly recognizes the SEC cannot extend its authority from one control set to another, and must stay within the confines of its statutory mandate.
The Court’s finding that SolarWinds’ risk disclosure in its public filings was adequate is a reminder to CISOs to check in with those responsible for drafting the company’s public filings to ensure that they are robust enough to address the range of scenarios that could befall a company. The Court was clear in its view that the risk disclosure statement included in SolarWinds’ public filings “enumerated in stark and dire terms the risks the company faced” and that an investor “could not have been misled by the risk disclosure.” The Court helpfully explains that relevant case law does not require hyper-specific risk factors, noting:
“Spelling out a risk with maximal specificity may backfire in various ways, including by arming malevolent actors with information to exploit, or by misleading investors based on the formulation of the disclosure or the disclosure of other risks at a lesser level of specificity.”
The real takeaway is that thoughtfully developed risk factors that evolve to reflect the threats facing the business over time can be an effective shield against potential claims. It is worth noting that on Oct. 22, the SEC charged Avaya, Mimecast, CheckPoint, and Unisys with “misleading cyber disclosures” arising out of their securities filings related to the SolarWinds incident, with the companies paying fines ranging from $990,000 to $4 million. For CISOs, close collaboration with counsel is essential, because it is clear that the SEC is reviewing 8-Ks and risk factors line by line.
The SEC also asserted that blog posts, podcasts, and press releases from SolarWinds and its CISO constituted statements about security that would mislead investors. The Court disagreed, dismissing the claims as “corporate puffery.” Given the large number of speeches, public statements, blog posts, and comments that CISOs are often required to make, the Court’s ruling is a welcome victory for CISOs.
The examples cited in the Court’s opinion reflect fairly generic statements from the company itself, including one that stated that it was committed “to high security standards, which its partners rely on to help keep the systems they manage secure and compliant” and another from Brown that asserted that SolarWinds “places a premium on the security of its products and makes sure everything is backed by sound security processes, procedures, and standards.”
The takeaway for CISOs and other high-level spokespersons is that, with the new SEC rule in place, general statements about security may be considered puffery and not material to investors. Statements about incidents, however, or about the circumstances underlying an attestation made by a CISO that supports or is included in an 8-K filing, would likely be considered material by investors and by the Court. Any statement that is associated with an SEC filing must be carefully considered, as those are the claims that persist in the SEC’s case against SolarWinds and Brown.
The SEC, SolarWinds, and Brown are continuing to litigate (and likely negotiate) given the dismissal of the bulk of the SEC’s claims. That said, what was left in place by the court should not be ignored by CISOs. Litigation continues over whether investors were deceived by the security statement that SolarWinds had on its website, and the SEC’s claim that Brown knew the statement was false and misleading, and thus that SolarWinds knew as well.
The circulation of the security statement, and links to its placement in the company’s online Trust Center, should be a tactic familiar to many CISOs, because that is a common method of providing security assurance to customers. For CISOs who are asked to develop and circulate security statements or attestations, it is critical that those statements be correct and supported by relevant data inside the company. Where there are concerns about the data behind those statements, it may be necessary for CISOs to engage with counsel and consider developing the statement or attestation under privilege first, before it is released to customers or others outside the company.
Cristin is the managing partner of Advanced Cyber Law, a boutique law firm focused on cybersecurity, incident response, threat intelligence, and artificial intelligence. She and her team leverage Cristin’s 17 years as lead cybersecurity counsel at Microsoft, where she was head lawyer for the Microsoft Security Response Center, the Microsoft Threat Intelligence Center, the Government Security Program, cybersecurity law and compliance, and built Microsoft’s Digital Security Unit, fusing threat intelligence with geopolitical analysis, including Microsoft’s seminal Ukraine Report in April 2022. Cristin is also the founder and CEO of Advancing Cyber, a regulatory technology startup.