The Dangers of Fraud Charges for CISOs

Sudip Roy 01 November 2023

The SEC recently charged software firm SolarWinds and its CISO Timothy Brown for allegedly misleading investors about cybersecurity risks and the 2020 SUNBURST hack. According to the SEC, SolarWinds claimed strong security in public filings while knowing of specific deficiencies. Internal documents showed SolarWinds' systems were "very vulnerable," according to a 2018 presentation by one of its engineers. SolarWinds nevertheless kept using generic risk disclosures, overstating its practices while aware of growing threats.

The SEC alleges Brown knew of vulnerabilities but failed to fix them or fully escalate them. This left SolarWinds unable to protect critical assets like its Orion platform. SolarWinds disclosed SUNBURST incompletely in a December 2020 filing, prompting a stock drop. The SEC charged the company and Brown with securities fraud for the misleading cybersecurity claims.

This case highlights CISOs' liability for concealing risks from investors and regulators. Experts say rigorous internal controls can help avoid charges:

- Require CISO approval and review for all cybersecurity statements made in external filings or communications.

- Formally escalate all critical vulnerabilities to the CEO and Board.

- Log all cybersecurity risk discussions, assessments, and dissenting views to show transparency.

- Let legal and compliance teams vet cyber incident disclosures before release.

- Conduct ongoing training so security staff understand disclosure duties.

- Maintain honest dialogue about cyber risks with C-suite and directors.

- Disclose incidents promptly, fully, and accurately to affected parties. Avoid incomplete or misleading reports.

- Balance transparency with security by disclosing the breach itself initially while delaying some technical details.

- Empower CISOs to prioritize defense, while relying on governance structures for proper public transparency.

CISOs have a complex balancing act around breach transparency. “Releasing certain details aids attackers while limited disclosure risks misleading investors,” said attorney Elad Dinur. “CISOs must thoughtfully navigate how much to disclose when.”

“But concealing known risks and incidents crosses too many ethical and legal lines,” added lawyer Ben Tomhave. “CISOs should focus on doing their cybersecurity jobs fully, then work with counsel to meet disclosure requirements properly.”

With breaches rising, scrutiny of CISO conduct will increase. SolarWinds exemplifies the liability risk of disconnects between internal knowledge and external claims. But as Virginia Tech’s former CISO Randy Marchany said, “If CISOs focus on security first and sound governance second, legal risks will follow.” With the right structural checks and balances, organizations can empower CISOs to manage growing threats without inviting fraud charges.

Sudip Roy, MBCS

Project Management | Business Analysis | AI implementation | Agile & DevOps | Data and Cloud | ERP and CRM | Change Management

1 year ago

Thanks for re-posting it Andy B.
