Where do cyber disclosures go from here?

COMMENT

In a previous article, I explained what the Securities and Exchange Commission (SEC) SolarWinds charges and the four-day rule mean for DevSecOps. Today we ask a different question: where do cyber disclosures go from here?

Before entering the cybersecurity industry, I was a securities attorney. I have spent a lot of time exploring SEC rules and have worked regularly with the SEC. This article is not legal advice. It’s practical advice from someone who has real, if distant, familiarity with the SEC.

The SEC’s complaint in a nutshell

On October 30, 2023, the SEC filed a complaint against SolarWinds and its chief information security officer, alleging “fraud and internal control failures” and “misrepresentations, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its elevated – and growing – cybersecurity risks,” including the impact of an actual attack on its systems and customers.

Putting the “should” question aside

I want to put aside whether the SEC should have acted. There is already plenty of debate on this topic. Some argue that SolarWinds’ public statements about cybersecurity were aspirational, not factual. Others argue that the CISO should not be targeted because his department was not the one able to provide the required defenses; he relied on others to do this. Finally, amicus briefs filed in support of SolarWinds and its CISO argued that the case will have a chilling effect on hiring and retention for CISO roles, on internal communication, on efforts to improve cybersecurity, and more.

The cyber disclosure problem

The SEC began its complaint by pointing out that the company filed its IPO registration statement in October 2018. That document contained boilerplate text and a hypothetical disclosure of cybersecurity risk factors. The same month, the SEC complaint reads, “Brown wrote in an internal presentation that SolarWinds’ ‘current state of security leaves us in a very vulnerable state for our critical assets.’”

This discrepancy is notable, and the SEC said it only got worse. While SolarWinds employees and executives were aware of the increasing risks, vulnerabilities and attacks against SolarWinds products over time, “SolarWinds’ cybersecurity risk communications did not disclose them in any way.” To illustrate its point, the SEC listed all public SEC filings following the IPO that repeated the same hypothetical cybersecurity risk disclosure.

To quote the SEC complaint: “Although some of the individual risks and incidents discussed in this complaint did not rise to the level of requiring disclosure on their own… collectively they created such a high risk…” that SolarWinds’ disclosures became “materially misleading.” Worse, according to the SEC, SolarWinds repeated the same generic disclosures even as a growing number of red flags accumulated.

One of the first things you learn as a securities lawyer is that disclosures, risk factors, and changes to risk factors in a company’s SEC filings are extremely important. They are used by investors and financial analysts to evaluate and recommend purchases and sales of stocks. I was surprised to read in one of the amicus briefs that “CISOs are generally not responsible for drafting or approving” public disclosures. Maybe they should be.

Proposing a safe harbor for remediation

I want to propose something different: a safe harbor for remediation of cybersecurity risks and incidents. The SEC was not blind to the remediation issue. On that point, it said:

“SolarWinds also failed to remediate the issues described above prior to its IPO in October 2018, and for many of them, in the months or years that followed. Therefore, threat actors were able to later exploit the vulnerability of the still unresolved VPN to access SolarWinds’ internal systems in January 2019, avoiding detection for nearly two years and ultimately inserting malicious code that resulted in the SUNBURST cyberattack.”

In my proposal, if a company remediates the deficiencies or the attack within the four-day period, it should be able to (a) avoid a fraud claim (i.e., there is nothing left to talk about) or (b) use the standard 10-Q and 10-K process, including the Management Discussion and Analysis section, to disclose the incident. That may not have helped SolarWinds. When it disclosed the situation, its 8-K stated that the company’s software “contained malicious code that had been inserted by threat actors” without any reference to remediation. However, for countless other public companies facing the never-ending battle between attacker and defender, a remediation safe harbor would give them a four-day window to assess and respond to the incident. So if you remediate, take the time to disclose the incident properly. The other benefit of this “remediate first” approach is that there will be more emphasis on cyber response and less impact on a company’s stock. The 8-K could still be used for unremediated cybersecurity incidents.

Conclusion

No matter where we come out on the question of whether or not the SEC should have acted, the question of how, when and where we disclose cybersecurity incidents will be an important issue for all information technology professionals. For my part, I think the CISO should review or, at the very least, approve company statements when cybersecurity incidents occur. Additionally, the CISO should look for platforms that provide a single pane of glass to “see it and fix it” quickly, with as few dependencies as possible. If we can encourage the SEC to adopt a remediation-focused mindset, we could open the door to better cybersecurity disclosure for everyone.
