The SEC prosecution of SolarWinds and its Chief Information Security Officer for alleged fraud and internal control violations is already being seen as a game changer for how cybersecurity will be handled and reported by listed businesses. It’s rare for cybersecurity news to live up to the hype surrounding it, but, in my view, the “game changer” label is justified here, as I’ll try to explain.

The background to this case is the infamous Orion breach, which was, or rather should have been, a clear wake-up call about the need to improve supply chain security. That breach set off a “chain reaction” that has led SolarWinds and its CISO to their current situation.

Document and report cybersecurity concerns to the top

First and foremost is the impact this case will have on the outlook of the information security community, coming as it does on the heels of the Uber case. I’ve talked to many CISOs over the years about their sense of risk and vulnerability within their corporate structures. Because they feel they lack empowerment, many fear being “thrown under the bus” after a serious incident, and that fear adds to the mental strain of operational security: the 24/7/365 constant battle against threats and threat actors; the knowledge that a serious breach is only a matter of time; and the recognition that we live in a culture of blame, in the office as much as in the press and on social media. These concerns are often compounded by the perception that “the board will not make compromises for security”. Now add a very serious risk of exposure to criminal law, and the concern increases considerably.

The trajectory the SEC has placed CISOs on is clear and unambiguous: in companies with US legal duties, CISOs must thoroughly document their concerns about security and ensure they are escalated to the top of the business, come what may, breaking through every obstacle standing in their way. And if the CISO is already sitting at the top of the business, they will be subject to much greater scrutiny by their fellow executives. The board is going to buy in now, that’s for sure.

This will lead to significant organizational changes in the role of CISOs, their position in the organization and how their performance, skills and abilities are evaluated, with domino effects outside the US. There is no way on Earth that CISOs outside the US will guide themselves by a judicious, comparative-law analysis of how their legal risks differ from those in the SolarWinds case. They will be guided by their own interests, which means covering their backs and not taking any personal risks.

I would not be surprised if this case promotes further “professionalization” of the CISO community, even if only to provide collective bargaining power over issues such as the provision of director and officer liability insurance cover for CISOs and access to fully funded, independent legal advice.

Security reporting needs an overhaul

Second, there will be a paradigm shift in the dynamics of corporate reporting of security issues across the entire continuum of information production. The SEC has rightly addressed IPO disclosures, internal risk management reporting and breach reporting, but these are just the tip of the iceberg. Everything needs to be reconsidered, including business proposals, sales documentation and marketing collateral.

Organizations should keep in mind that the SEC is not the only regulator on deck with a keen interest in the accuracy of what is said about cybersecurity. The FTC in the US has powers to take strong enforcement action against deceptive and misleading practices, and it has already used them in very high-profile cases.

Risk aversion and more litigation are inevitable

Third, when a shock of this nature is injected into a system, it takes a long time for a new equilibrium to form, so there will likely be excessive risk aversion regarding legal duties in the interim period. For example, expect breach reports to be more detailed, with more penalties than we have seen to date. A higher level of post-breach transparency will encourage more disputes and litigation, so the post-breach legal environment is likely to be more contentious. This will include litigation by investors and shareholders, not just cases brought by the people and organizations affected by a breach, regulatory litigation, or the kind of criminal litigation we have been discussing.

Insecurity will destroy value

Fourth, commercial valuations are likely to decline in many places. Don’t forget that the SEC is prosecuting a fraud case, which means it takes the view that economic gain was obtained, or sought, by committing fraud about cybersecurity. It follows that honest positions on cybersecurity will reduce economic benefits, insofar as honesty means that cybersecurity weaknesses, vulnerabilities and incidents are exposed. Apart from IPO prices, an obvious place to look for the erosion of financial value is stock market prices following security breaches.

I recently wrote about the issue of share price volatility in the Okta case. Perhaps SolarWinds will be the beginning of new dynamics in the stock market?

Legal advice quality – the need for revolution

Fifth, cybersecurity requires a quality revolution in the nature of legal services provided to organizations. I have noticed that some of the legal advice provided in breach situations has not been very accurate. In the ransomware area, I have seen advice that is clearly legal advice given by non-lawyers, possibly copied from Google or borrowed from elsewhere. I have seen hackers disguised as security researchers getting paid for legal advice in ways that are completely inconsistent with the principles of responsible disclosure. Organizations need to understand that operational security and security law are inseparable twins, and as holistic thinking about operational risk evolves, so too must legal advice.

No matter what happens, there will be change

In conclusion, I note that everyone is innocent until proven guilty. The SolarWinds defendants are entitled to this presumption as of right and should receive a fair and impartial trial. I therefore make no comment on the strengths or weaknesses of the parties’ positions. In fact, I don’t think the actual outcome of the case matters in the slightest for the broader issues I have identified.

If you’re a CISO, don’t think “Uber, SolarWinds, but not me.” Change is inevitable.