The Reasonable CISO: SEC v. SolarWinds & Brown, Pt. 1

The CISO As Personally Liable

Whoo-boy.  There is a lot to unpack today.  Here I am working on a couple different blog ideas (stay tuned!) and the SEC slaps down a lawsuit against SolarWinds and its former CISO, Timothy Brown, on a variety of claims that can basically be represented as “fraud” (false and misleading statements made to investors and the SEC). The complaint paints an extreme picture of a company that knew it was doing many things wrong while continuing to publicly state that everything was just peachy and no materially unusual cyber risk was present.


So, while all my CISO friends freak out a bit, let me put on my “calm the heck down” lawyer hat (former clients know this hat well) and take a critical analysis of this claim.  Excuse the typos though - my brain is outpacing my fingers. 


Keep Calm and CISO On

First, remember that this claim is just that – a claim. It is designed to present the case against SolarWinds and Brown from one side only. It does not include information that can and will be used in the defense. That will happen later. But you know what I am going to do? I am going to treat you to my years of experience advising cybersecurity clients and give you an idea of what a defense might look like. IMHO, a defense (at least in some areas) might stand a pretty good chance, provided that juries and judges understand the business operations of cybersecurity. Of course, that’s a BIG HECKIN “if”, and a failure of that assumption could upend cybersecurity as the business function we all currently know.


So, let’s pick apart the claim in a few areas. The claim relies heavily on email communications among the CISO and security team, and to other executives such as the CFO and CIO (neither of whom, interestingly, was named in this suit, despite being arguably closer to the SEC filings…more on that in a bit). These communications were quoted with scary sayings like “critical assets were very vulnerable” and “access and privilege is inappropriate” and noting “significant deficiencies” in various security systems, including pointing out where documentation was incorrect about those security problems. But the entirety of the communications was not provided. There is no context given. And who among us hasn’t seen similar statements made and presentations given – usually in a meeting or email begging/demanding that they be fixed, cobbling together programs to address gaps, and begging for more resources or to have the security programs prioritized in the software deliverables. “Even if we started to hire like crazy, which we will most likely not, it will still take years.” Ever thought that? Ever written that?


CISOs everywhere have these challenges. They are begging and pleading with the C-suite for money, resources, people, and tools to address as many gaps as possible (preferably in a measured and documented risk-based way). The mere fact that a CISO knew there were deficiencies in the program should not expose them to personal liability for security failures – it is the CISO's job to find these issues and work to get them fixed. Nor are gaps in a security program de facto evidence that the general warnings typically used in SEC filings regarding cybersecurity risks were inappropriate – because having more problems than can be fixed is usually the situation that companies are in. Setting aside disclosure about material breaches after the breach was known (a claim that SolarWinds will definitely need to address – that defense is not so clear to me), we then have to ask whether SolarWinds truly had a materially deficient security program or whether the SEC simply has an unrealistically high expectation of what a typical cybersecurity program subject to generic risk statements looks like. SolarWinds getting popped doesn’t mean no one else had the same risk – it could just mean others were lucky.


The SEC Rules & Good Old Fashioned Fraud

But here is where I will caveat that I barely know how to spell SEC, much less have expertise in the area of law governing SEC disclosure rules. So I am going to pivot to an area that I do know: marketing law and what it means to make false or misleading statements. The SEC allegations – while made under the jurisdiction of the SEC and related solely to the claims made in SEC filings – sure look a lot like what attorneys general and competition law authorities make when it comes to good old fashioned false marketing and fraud. If I were SolarWinds counsel (which I am not, nor is this legal advice to them or anyone else….including you, dear reader), I would also be concerned about claims regarding unfair competition, false advertising, and fraud. I can only assume that these claims are soon to be pouring in from around the world or lying in wait, eager to use the evidence discovered through this SEC suit. Why is that? Because the SEC suit doesn’t just refer to the public company filings of SolarWinds, but also to their Security Statement and Trust Center.


Ah yes… the Trust Center. Security Statements. Questionnaires (good god, the questionnaires). If your marketing materials – your Trust Center, Security Statements, Questionnaire responses, etc. – promise policies and practices designed to ensure security, but you have no enforcement or accountability mechanism in place to ensure those practices are followed, have you made misleading statements that could lead to fraud? What if you have hired an independent third party to assess, audit, or certify your management systems, policies, and processes so that you even have “proof” that these things are required? Would it matter if you also had hundreds of documented exceptions to processes (which were allowed under policy)? Must you also have an accountability system – monitoring and enforcement – in place to ensure you were not misleading customers, investors, and maybe even the U.S. government* with your security marketing? In my mind, these are the even greater risks that come to mind when reading this claim.


So, for the motivated CISO who is looking for ways to protect their company and themselves**, might I suggest you start with the marketing? Because I already hear the C-suite breathing a sigh of relief because “we’re not a publicly traded company” or maybe even “we’re not subject to U.S. jurisdiction”. Guess what, though? “False advertising”, “unfair competition” and “fraud” are legal claims that exist in a whole bunch of jurisdictions – probably in those where you or your customers operate – and may be enforced by government regulators who don’t give two hoots about your contract limitations of liability (and let’s ignore for now the jurisdictions that will throw out the contract – including the LOL – if the contract was shown to be fraudulently induced).


Reasonable Course Correction

The takeaway is clear to me: if you cannot get the resources to implement and enforce your security program, you MUST change your public statements to match your actual program. Will sales and marketing hate you? Maybe (probably). Could it negatively impact sales? Maybe. But could it keep you from being personally named in a lawsuit??? Hmmm…..

Asterisks

* Oh, yes, the claim even hints at potential False Claims Act issues here. But since I also barely know how to spell Qui Tam, I’ll let other smart lawyers seek the bounty…plus I have a day job.

** It is still not entirely clear to me why Mr. Brown is called out individually here. There is one accusation that he traded stock during the alleged time of insider knowledge of the data breach, but that does not seem to be the focus of the personal liability. If anyone in my network can further explain why his actions are not attributable to the company while other execs’ actions are, please educate me.
