The US regulators are scaring me! This is important for all of us, especially in the US.
First, we had the Wells Fargo case, where the CRO and CAE have both been charged with negligence or worse, a crime for not reporting risk management deficiencies to the board and the regulators. I discussed it earlier.
Now the SEC is charging a CISO with fraud!
Their press release says, with my highlights:
The Securities and Exchange Commission today announced charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.
As the complaint alleges, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
In addition, the SEC’s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient;” and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”
The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.
SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
I don’t know the details in either the Wells or Solar Winds cases. I am not an attorney.
But…
This is what I conclude from this latest SEC action. We should consider all of these carefully, and I would discuss them with my company’s legal counsel:
- It is vital for the CRO, CAE, CISO, CCO, and those with similar positions to ensure that they assess and share their opinion on the adequacy of their organization’s processes around risk and compliance.
- Consideration should be given to doing this annually.
- The results of their assessments must be formally communicated to the board and to top management.
- Nobody (in real life) has a perfect set of risk or compliance processes and systems, with related controls, so none of us should be reporting that they are without fault. Deficiencies need to be clearly reported and explained.
- We need to revisit the risk disclosures included in regulatory filings to make sure they include necessary discussions of weaknesses in risk and compliance processes. The SEC wants details, not generalized disclosures.
- The CAE should provide a formal (macro) assessment every year of the system of internal controls over the more significant risks to enterprise objectives.
- Limits to and constraints on these assessments should be clearly stated in the reports to the board.
- All of the above should be discussed with the board and/or appropriate committee(s) of the board.
- Those responsible for standards and frameworks for risk management, internal auditing, information security, cyber, etc. need to consider how the new regulatory environment and the threat of charges against practitioners should be addressed in their guidance.
- We should continue to watch for further regulatory actions and the results of these charges by the regulators.
I welcome your thoughts.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
If you don’t know about something and you should have known, that’s incompetence. If you know about something, report it appropriately, and the organization doesn’t take action, were you diligent enough in pursuing the issue? If not, that’s a dereliction of duty. If you know about about something and look the other way, that’s being complicit. And, if you know about something, look the other way, and benefit by it personally, that’s fraud. (Assuming materiality, of course.)
Agree. But were your aware of your responsibility to report to the board deficiencies in something you are responsible for? No practitioner has perfect processes, but do they realize the need to report that?
Do risk practitioners realize that the production of a list of risks is insufficient, and that lack of effective risk management needs to be reported?
Do CISOs realize that reporting risks to information assets is insufficient, and that lack of effective reporting in business terms needs to be reported?
I think the responsibility to disclose such flaws is a fundamental legal obligation of any Officer and a professional obligation of an audit or risk executive. It seems alarming because it’s new, and has little precedent, but the obligation of a professional originally was to the public. It should be a game changer.
Obligations to find or identify, and to report, and to take action have changed. But it is not always easy to determine exactly what the legal obligations are in the particular circumstance. Law is not black and white. For example, and I mean this with respect, terms such as “dereliction of duty” and “incompetence” are rather harsh or extreme, whereas very often required standards of care and duties are not entirely clear. Nevertheless, a risk professional or internal auditor, etc., might be found in hindsight to not have sufficiently performed her or his duties. I would also argue that the duty of a risk professional is different than the CRO, and the the duty of an internal auditor is different than the CAE, etc. There are more and more standards that may apply in a particular situation (see, for example, the relatively new NOCLAR pronouncements). Still, how far up the ladder, and how vehemently, is the risk professional or internal auditor supposed to report the situation, and is she or he supposed to risk her or his own job security in reporting. By the way, other professionals within business organizations (such as in the legal function) are also looking at increased finding, identifying, reporting, and taking action responsibilities. This changing landscape needs to be understood and discussed by and between the professionals, officers, the board, audit committee, etc. In one of my blog posts (April 2023) I also discussed the Delaware case In Re McDonald’s Corporation Stockholder Derivative litigation in which the Court discussed who is an “officer” – the discussion is quite interesting and is based on work and decision-making authority and discretion.
When a retail store gets robbed, we don’t hold the head of store security responsible for malfeasance or fraud. Why not? Certainly, he or she had risk analysis reports documenting that the store could be robbed along with potential scenarios. And likely during audits, there were deficiencies documented around the store’s physical security controls. And also likely, the store publicly states they have strong security measures in place because I mean who would shop at a store that doesn’t claim to have good security?
One store? Small potatoes? Well according to the National Retail Federation, losses from retail crime accounted for $112B in 2022. In comparison, the FBI reported that ALL cybersecurity losses in 2022 only came to about $10B.
I don’t agree with this SEC action. Ultimately, it is the CEO who bears responsibility for informing investors on the state (including cybersecurity) of the company.
There is also a fine line in how material cybersecurity deficiencies are discussed with investors absent an actual attack. Too much information can provide a roadmap for the attacker. Too little.. and well now we know, that you might get sued by the government!