SEC Issues Wells Notice to SolarWinds, Including CISO: Implications for Information Security and Cybersecurity Governance

Last week, the SEC sent Wells Notices to SolarWinds former employees, their CFO, and their CISO related to the 2020 breach. Here is a link to a great summary of the SolarWinds attack and its impact. The CISO being on the list is a first and an absolute game changer. Wells Notices are a really big deal; here is a quick summary:

A "Wells Notice" is a letter sent by a securities regulator to a prospective respondent, notifying him of the substance of charges that the regulator intends to bring against the respondent, and affording the respondent with the opportunity to submit a written statement to the ultimate decision maker. - Cornell Law Legal Information Institute

A Wells Notice is issued after the SEC staff has completed its investigation of an event and has preliminarily concluded that securities laws or regulations were violated, either by the company or, in this case, by the individuals named in the notice. Historically, Wells Notices have been associated with embezzlement and fraud (investor fraud, wire fraud, etc.), but until now a CISO has never received one. This is a game changer for Information Security Officers.

We don't have the details of the facts the SEC relied on in the Wells Notice, just the fact that the notices were served. So at this point we can't get into why and how the notice came about, but it does open up some really challenging items to review.

First, let's jump in if you are a publicly traded company (if you are a community bank, don't leave yet; there is more for you below). This is a precedent-setting case, and one that you want to watch. If you are a CISO, it may open the door to more personal risk for you, and it would be wise to think through the implications. If you are an SEC-registered company, it raises a couple of pretty significant items: we haven't seen teeth like this in information security and cybersecurity regulation before, and it is clear that a regulatory shift and expansion is happening. As a governing body, from the board down, it is time to step back and consider how you manage and oversee information security. Here are some key questions to think about:

  1. How independent is the information security and cybersecurity governance function in your organization? Does its current position put the business and the information security officer at risk?
  2. How does the organization support the CISO? How will your CISO view this new risk, and does it make them a flight risk? What can be put in place to protect them and your institution?
  3. How manual and laborious are the existing processes? This is a big one. Time and time again, organizations create processes that depend on acts of heroism from their team. How efficient and effective are your organization's existing processes for managing information security and cybersecurity governance?
  4. Focus on what matters most. Make sure you have updated policies that guide the organization and a current risk assessment built on a standardized control set (CIS, NIST, FFIEC, etc.) that addresses today's remote and cloud systems (note: watch out for asset-based risk assessments).
  5. Ensure that incident response plans are well defined and that the individuals involved are fully engaged during testing exercises. Notification and breach planning are paramount: this Wells Notice came after a breach, and the focus should be on the clarity and speed of notifications. I had an executive who was "involved" in an incident response test years ago. I was in the conference room with several other leaders at headquarters, and the executive called into the incident response test from their cell phone while duck hunting. That can't happen. There is real business risk in how incident response is managed, and it is time to make sure the business operates on the assumption of not "if" we get compromised, but "when" we get compromised. Action item: check your last incident response test. Who was included? How involved were they?
  6. One of the challenges with cybersecurity is that we tend to make it far too complicated for leaders without a cyber background. One area to focus on is streamlining processes to improve efficiency. Identify the tasks that consume the most time and pose the greatest challenges for the team. It is not uncommon to have processes that are extremely labor intensive for your team, and a great question to ask them is: What are the items that take the most time and are the hardest for them related to information security and cybersecurity governance?
  7. Lastly, it is time to prioritize spending on information security and cybersecurity. Budgeting is a challenge, especially with all of the Fear, Uncertainty and Doubt (FUD) that software and technology vendors try to instill. Here are some questions that should open up good dialogue internally: What wasn't approved in the budget last year? And perhaps the most important question: How are these decisions made internally? Is the information security and cybersecurity budget separate from IT? Should it be?

For my community banking network, this is yet another example of regulation in information security and cybersecurity expanding, and the questions above should be reviewed by your senior leadership team.

It opens questions like:

What happens when Information Security Officers are held accountable by the regulators for overseeing the soundness of the bank's information security program?

If you are the Information Security Officer at the bank, this moves the needle on you being held personally accountable for your role as the ISO. What would you be more adamant about implementing if you were held personally responsible? Do your board and senior management team know what those items are? If not, this could be a great time to start a meaningful, transparent conversation.

The recent Third-Party Risk Management guidance from the Federal Reserve, FDIC, and OCC, along with the cybersecurity standards issued by the OCC, highlight the increasing regulatory expectations for information security and cybersecurity. I will be publishing articles on both in the coming weeks; make sure to hit subscribe, and as always, let me know your thoughts on the content and the areas you would like me to focus on in the comments.

Stuart Lathrop

Humanist & Technologist

1 yr

The fact that banks were allowed to use SolarWinds without being required to use its login security feature (something I had used for years in the retail space and was never compromised, even while running the vulnerable version pre-patch) was one of the frustrations that some of us IT folks with a security focus complained about...

Dan Gentile

Fidelity National Information Services-Retired

1 yr

Excellent!!!
