In a move that has caught the attention of the tech industry, regulatory bodies, and investors alike, the Securities and Exchange Commission (SEC) has announced charges against Timothy G. Brown, the Chief Information Security Officer (CISO) of Austin, Texas-based software company SolarWinds.
This is a significant development that could have far-reaching implications for how companies disclose cybersecurity risks and how executives are held accountable for them. It’s also one of the rare instances where a CISO is directly held accountable for cybersecurity lapses that allegedly misled investors, making it a case that could set new precedents.
Who is the SEC?
The Securities and Exchange Commission (SEC) is an independent federal agency responsible for regulating the securities industry and enforcing federal securities laws. Established by the Securities Exchange Act of 1934, the SEC’s primary mission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. The agency has the authority to bring civil enforcement actions against individuals and companies found to be in violation of securities laws, including those related to disclosure and fraud.
The SEC’s action against SolarWinds and its CISO is part of a broader trend of increased scrutiny on companies and their cybersecurity practices. In recent years, there have been numerous high-profile cyberattacks that have led to significant financial losses and eroded investor confidence. This has prompted regulatory bodies like the SEC to take a more active role in ensuring that companies are transparent about their cybersecurity risks and are taking adequate measures to protect their assets and data.
The SEC’s complaint alleges that SolarWinds and its CISO, Timothy G. Brown, engaged in fraud and internal control failures related to known cybersecurity risks and vulnerabilities. Specifically, the SEC claims that from October 2018 through December 2020, SolarWinds and Brown defrauded investors by overstating the company’s cybersecurity practices and failing to disclose known risks.
The SEC alleges that SolarWinds’ public statements about its cybersecurity were inconsistent with its internal assessments. For example, a 2018 internal presentation prepared by a company engineer stated that SolarWinds’ remote access setup was “not very secure,” a fact that was shared with Brown. Despite this, the company continued to make public statements that downplayed or failed to disclose these known vulnerabilities.
In response to the SEC’s charges, a spokesperson for SolarWinds shared the following statement with The National CIO Review: “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
The Role of the CISO
Traditionally, the role of the CISO has been to oversee the organization’s information security program, ensuring that data is protected from unauthorized access and cyber threats. However, the SEC’s action against Brown suggests that the responsibilities of a CISO may extend beyond internal management to include a fiduciary duty to investors. This could set a precedent for future cases, where CISOs may find themselves under increased scrutiny for their role in maintaining cybersecurity standards and disclosing risks.
A Debate on Regulatory Overreach
While the SEC’s action against Timothy G. Brown and SolarWinds has been lauded by some as a necessary step in holding executives accountable for cybersecurity lapses, others argue that this could be an example of regulatory overreach. Critics of the SEC’s action point out that the role of a CISO is complex and fraught with challenges that are often beyond the control of a single individual. They argue that holding a CISO personally accountable for organizational cybersecurity issues could set a dangerous precedent, potentially making it more difficult for companies to attract top talent for this critical role.
The SEC’s charges against Brown could have far-reaching legal implications for CISOs and other executives responsible for cybersecurity. If the SEC is successful in its case, it could lead to stricter regulations and higher standards for cybersecurity disclosures, affecting how companies and their executives approach risk management and investor relations.
Investor Relations and Trust
Following the disclosure of the SUNBURST cyberattack in a December 2020 filing, SolarWinds’ stock price dropped approximately 25 percent over the next two days and around 35 percent by the end of the month. The drop not only had a significant impact on SolarWinds but also sent shockwaves through the tech industry, causing investors to reevaluate the cybersecurity practices of other companies in the sector.
One of the most critical aspects of this case is the erosion of investor trust. When a company’s public statements do not align with its internal assessments, it can lead to a loss of investor confidence, which can be difficult to rebuild. This case serves as a reminder to companies that transparency in disclosing cybersecurity risks is not just a regulatory requirement but also a crucial element in maintaining investor relations.
The SEC’s action against Timothy G. Brown is a significant development in cybersecurity governance and federal oversight. It serves as a cautionary tale for CISOs and other technology leaders, emphasizing the need for transparency and diligence in disclosing cybersecurity risks to investors. As regulatory bodies like the SEC continue to focus on cybersecurity, CISOs may need to reevaluate their roles and responsibilities to ensure they are in compliance with evolving legal standards.
This case could very well serve as a reference point for future actions against companies and executives who fail to adequately disclose cybersecurity risks, thereby setting the stage for a new era of regulatory oversight.