It was a legal decision heard within the offices of CISOs worldwide.
U.S. District Court Judge Paul A. Engelmayer for the Southern District of New York issued an opinion [.pdf] in the Securities and Exchange Commission (SEC) vs SolarWinds Corp. and Timothy G. Brown case, dismissing most of the government's claims against SolarWinds and Brown, its chief information security officer (CISO).
The claims against SolarWinds and Brown stemmed from cybersecurity-related disclosures and the 2020 SUNBURST attack. The claims alleged that SolarWinds and Brown misled customers and the public about the security of SolarWinds’ Orion platform, which was exploited in the SUNBURST attack.
"There is no doubt that CISOs concerned about their jobs shared a sigh of relief upon hearing the ruling, but the devil is in the details," says Rick Holland, CISO at security operations platform provider ReliaQuest.
Engelmayer ruled that the law regarding controls within the Exchange Act (Exchange Act of 1934) applies only to accounting controls. If public companies have reasonable processes and technological defenses in place, a lapse in those controls doesn't meet the threshold for a violation.
Despite the setback to the SEC's hopes of expanding the use of the Exchange Act to oversee cybersecurity controls, significant risks remain for CISOs, boards of directors, and other officers for potential securities fraud violations.
"Engelmayer's ruling was more of a win for SolarWinds than for CISOs at large," adds Holland. "CISOs won a battle but not necessarily the war. CISOs remain at risk for potential securities fraud charges as public ‘security statements’ can still be used against them. CISOs must assess all public-facing security documents to ensure accuracy and look for anything that could mislead investors. CISOs must also push for Directors and Officers liability insurance," Holland adds.
David Shargel, partner at the Bracewell law firm, warns companies that if they lie or make material misrepresentations about their financial results, environmental initiatives, cybersecurity, or something else material, there's a good chance that the company will be hearing from the SEC.
"And even if the SEC doesn't come after you, it's a good bet that your shareholders will file a private lawsuit against you," says Shargel.
Mark Rasch, an attorney with the law firm Kohrman, Jackson & Krantz and a former federal prosecutor, says that while the court dismissed a number of the charges, the SEC's security fraud charges stuck and that it remains clear that neither public companies nor CISOs are off the legal hook there. It means that SEC laws allow investors to sue officers and directors in certain circumstances, and a CISO is a director as a C-suite officer.
"They have some liability, whether directly or indirectly, through the board of directors, to ensure that public statements and the SEC filings of a publicly traded company adequately reflect the company's actual risk and security posture," says Rasch.
"[Judge Paul A.] Engelmayer's ruling was more of a win for SolarWinds than for CISOs at large. CISOs won a battle but not necessarily the war."
—Rick Holland
The legal experts we spoke with advised that companies need to work with legal, technology, security teams, and communication teams so that public statements remain aligned with the reality of the security controls and processes they have in place.
Rasch offers a company that owns a nuclear power plant in Malaysia, and they unknowingly (at the time) built that plant on an undisclosed fault line. "You need to disclose that, just like you need to disclose risks from a tornado, hurricane, civil war, or cybersecurity risks. If not, you will have issues with the SEC and potentially shareholders," says Rasch.
Shargel advises companies to remain vigilant. "For what it means going forward, the SEC just happened to have not met its burden in this case. I don't think that means there may be other cases, or there won't be other cases where the SEC can meet its burden based on allegedly fraudulent misrepresentation by a company or its officers and directors. While this outcome is a good result for SolarWinds and the individuals in the complaint, I don't think anybody dealing with cybersecurity and making public-facing statements should let their guard down."
Holland agrees and sees the judge declining to dismiss all of the SEC's claims, potentially benefiting CISOs going forward.
"The SEC still has some enforcement teeth. Savvy CISOs can leverage this alongside the SEC's 8K breach disclosure requirements to garner more attention and resources for their security programs, just as they have done with PCI compliance or Sarbanes Oxley in the past," advises Holland.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
