- Analysts who say it could become more common for executives to face liability for their handling of cybersecurity incidents had that view reinforced this week when the former head of cybersecurity for software company SolarWinds was charged along with the company by the Securities and Exchange Commission for his role in what the agency calls deliberate misinformation about the company’s security vulnerabilities.
- “SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks,” the SEC said, referring to Timothy Brown, the company’s former chief information security officer. “Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced.”
- A representative for Brown said in a statement reported by CRN that the charges against him are based on inaccuracies. “Tim Brown performed his responsibilities at SolarWinds as Vice President of Information Security and later as Chief Information Security Officer with diligence, integrity, and distinction,” the statement said. The company also denies the charges and says it’s prepared to fight back. “We believe [the complaint is] a misguided and improper enforcement action against us,” Sudhakar Ramakrishna, SolarWinds CEO, said in a statement. “The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls.”
The idea that an executive could be held personally liable for cybersecurity risks was largely unheard of before 2020, when Joseph Sullivan, at the time the chief security officer at Uber, was criminally charged for actions he took after he learned hackers had infiltrated the company’s system. He lost his case and was sentenced last year. He’s appealing.
“It wasn't that long ago that it was pretty rare for senior leaders even to be fired in the aftermath of a breach,“ Scott Shackelford, a professor of business law and ethics at Indiana University, said last year after Sullivan lost his case. “This could be the first of many criminal prosecutions.”
The SolarWinds and Uber cases are very different but they both involve criminal exposure of the company’s top cybersecurity executive for their response to incidents.
The SEC announced its charges against SolarWinds earlier this week for what the agency alleges is a deliberate effort to mislead investors by repeatedly using boilerplate language about its cyber risks at a time when it knew it had already been hacked and its systems infiltrated, posing risks to its clients, including a federal agency.
“SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments,” the SEC said.
When the company did disclose a big breach it had discovered, called SUNBURST, it downplayed it in its public filings.
“SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices,” the agency said.
The agency singled out Brown, the court filing shows, because he had allegedly been told numerous times of the company’s system weaknesses and knew of the breaches that had occurred without taking action that was proportionate to the problems, downplaying the company’s security risks and overseeing the language in public filings that the SEC says was misleading.
“Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” the agency said.
In the Uber case, when he was made aware of an infiltration by hackers, Sullivan tried to turn the incident into part of the company’s security program by paying the hackers in the same way it pays hackers as part of its bug bounty program. In that program, friendly hackers try to breach the system to help the company identify and close vulnerabilities.
According to court documents, Sullivan succeeded in moving the hackers into the bug program, which he contended saved the company from an actual ransom incident and helped it close vulnerabilities. But the Department of Justice, which brought the charges, said Sullivan had a responsibility to report the incident as a hack as part of a settlement it was under with the Federal Trade Commission stemming from a previous cyber incident.
By moving the incident into the bug program, not reporting it as a breach, and not disclosing that the hackers at one point had possession of data, among other things, Sullivan was charged with, and then convicted for, obstruction. In announcing Sullivan’s appeal, his attorney said he “used tools and strategies that all CISOs utilize … and was prosecuted for doing his job," Law.com reported.
Although the cases are different, the cybersecurity executives in both instances were hit with individual charges, suggesting increasing exposure even before taking into account the sweeping cybersecurity disclosure rules the SEC passed in July, heightening risk to companies and executives.
Among other things, the rules require companies to disclose a cyber incident within four days after they determine it’s material to their operations.
“The [chief information security officer] role has never been easy, and it looks a lot less appealing when you add liability and criminal responsibility to the pressure,” Ryan Witt, vice president of industry solutions at cybersecurity company Proofpoint, told Cybersecurity Dive in an email.
Research by Proofpoint released earlier this year indicated 62% of CISOs are concerned about liability in connection with incident response.
“There is growing concern that the SEC cybersecurity reporting rules will expose CISOs to personal liability,” William Candrick, director analyst at Gartner, told Cybersecurity Dive.
That liability exposure isn’t hypothetical; Brown’s charges, following Sullivan’s conviction, show it’s real.
[A previous version inadvertently called Brown’s charges criminal. They’re civil.]