"An S.E.C. lawsuit against a software company hacked in 2020 could affect how companies handle cybersecurity risks.
For the last month, an under-the-radar lawsuit has privately been a hot topic of conversation in Fortune 500 boardrooms and corporate security departments.
In October, the Securities and Exchange Commission sued a software company hacked in 2020, accusing it of defrauding investors by not disclosing allegedly known cybersecurity risks and vulnerabilities.
The lawsuit named not just the company, SolarWinds, but also its chief information security officer, Timothy Brown. A year earlier, a former chief security officer at Uber, Joe Sullivan, was found guilty of failing to disclose a data breach to federal regulators. Executives heading up cybersecurity have a sense that their personal risk is increasing.
"I've been doing this for 25 years, and I've always been protecting others," said George Gerchow, the chief security officer and senior vice president of information technology at Sumo Logic, a software company. "Now, all of a sudden, I'm in a weird position where I'm having to protect myself."
Perhaps more alarming to boardrooms is that SolarWinds did disclose some cybersecurity risks -- in the same way that just about all public companies do.
"You can track it across a hundred different companies, that they're all basically using the exact same language," said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University.
Now it seems the S.E.C. no longer considers those boilerplate disclosures to be sufficient if the company knows of more specific risks. The lawsuit is the first in which the S.E.C. has charged a company with intentional fraud related to cybersecurity disclosures, according to the law firm White & Case.
In his first interview since the S.E.C. complaint, the C.E.O. of SolarWinds, Sudhakar Ramakrishna, told DealBook that the company hadn't known about the issue that exposed it to the cyberattack in 2020, and that the lawsuit was "an attempt, we believe, by the S.E.C. to advance policy."
The lawsuit could "actually make CISOs more fearful, not more emboldened to raise their voice," he said.
Most experts agree that, regardless of the lawsuit's outcome, it could affect how companies handle cybersecurity risks. But they're divided over whether it will encourage better or worse practices.
The lawsuit is not the only sign the S.E.C. is paying attention to cybersecurity. In July, the agency adopted new cybersecurity disclosure requirements set to take effect in December. They require companies to report material attacks within four days and to make yearly disclosures about their cybersecurity risk management, strategy and governance. In a June speech, the S.E.C.'s enforcement director, Gurbir Grewal, said it had "zero tolerance for gamesmanship" around cybersecurity disclosures.
Some experts worry that the lawsuit could have a chilling effect. "There were some serious warning signs that he and his team had surfaced," Wolff said of the SolarWinds CISO. "And now that's being used against him specifically to say, 'You knew about this, you didn't disclose it in the S.E.C. filings.' Which I think really does create an incentive to never document or never find any vulnerabilities anywhere." That could make it difficult for the I.T. department to ask for money for cybersecurity, she said.
Ramakrishna, the SolarWinds C.E.O., said that being expected to disclose every potential security vulnerability could make it easier for attackers to abuse them. "For one, it'll be too many for the average investor to understand," he said. "For another, I think we'll be playing into the hands of the threat."
Others argue that the threat of S.E.C. action could empower executives in charge of cybersecurity. Jake Williams, a security expert who consults with companies when they've experienced a data breach, said he regularly saw CISOs being asked to "paint a rosy or maybe rosier-than-aligned-with-reality picture." But he added: "That practice, I think, died the day the SolarWinds lawsuit was filed by the agency. No CISO can now risk basically painting an unrealistically positive picture of cybersecurity."
Harley Geiger is a lawyer who specializes in cybersecurity at the law firm Venable and is part of the team representing a coalition of tech companies including Cisco, Broadcom, Microsoft and Google. He said there were ways for CISOs to react to increased personal risk other than avoiding documentation of concerns and recommendations, including by erring on the side of escalating risks and vulnerabilities.
"They may want to be covered by a company's insurance policy. They may want indemnification in their employment contracts," Geiger said. "I think it would be the wrong message for or the wrong takeaway for CISOs to choose to ignore or not escalate material cybersecurity information."
If generic disclosures aren't enough, what is? Being too specific about vulnerabilities could give attackers valuable information, while being too broad isn't valuable to investors. "The question," Wolff said, "is can the S.E.C. define a clear middle ground." -- Sarah Kessler" [1]
Monday, November 20, 2023
The Cybersecurity Suit That's Riveting Boards