In case you haven’t heard, the SEC is charging SolarWinds with fraud over its response to the devastating Sunburst cyberattack. And it’s a landmark case.
For the first time, the SEC isn't only charging a company over its cybersecurity disclosures. It's naming an individual too. Timothy Brown, CISO (chief information security officer) at SolarWinds, is a defendant in the suit. Note that these are civil securities-fraud charges brought by the SEC, not criminal charges.
So what does this mean for companies that aren’t publicly traded?
Quite a bit, actually. Here’s everything you need to know.
The basic facts of the SEC’s case against SolarWinds
For months in 2020, before the intrusion was discovered in December, Russian state-sponsored hackers carried out the Sunburst supply-chain attack against Orion, an IT performance and monitoring platform sold by SolarWinds. A trojanized update was pushed to customers: SolarWinds reported that fewer than 18,000 customers installed it, and the attackers then selected a far smaller set of high-value targets, including US government agencies, for hands-on intrusion. The same campaign also hit Microsoft and exploited VMware products, but the SEC's suit focuses on what SolarWinds told investors about its security posture before and after the attack on its own software.
On October 30, 2023, the SEC announced charges against SolarWinds and Brown, the company’s CISO, “for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”
Notably, the suit claims that between 2018 and the December 2020 announcement of the attack, “SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”
In 2018 and 2019, Brown shared in presentations that the “current state of security leaves us in a very vulnerable state for our critical assets.” He also said that “access and privilege to critical systems/data is inappropriate.”
This is truly an unprecedented case in the cybersecurity industry. It’s alarming for many reasons—and it doesn’t only affect publicly traded companies.
Here are 4 lessons from the case that apply to every company doing business today.
1. It’s not enough to raise the alarm
When we look at Timothy Brown's warnings, we see a CISO doing what most practitioners would consider the right thing: raising the alarm internally. Whatever was communicated publicly, and whatever control Brown had over that communication, he did document the risk to the business. Without all the evidence, it's impossible to say whether he did enough to draw attention to the vulnerabilities.
However, the point is clear. You have to do more than raise the alarm.
In fact, your cybersecurity resources need to mitigate threats, not just tell stakeholders about them.
But if your cybersecurity experts are going to mitigate threats, they need buy-in from the entire organization. True mitigation may have wide-ranging implications for network design, end user permissions, internal processes, and much more.
In this case, raising the alarm is only one piece of the puzzle. If you’re going to avoid a devastating attack like Sunburst, cybersecurity must be deeply integrated into your processes, technology, and company culture.
2. There’s no silver bullet for cybersecurity
The SEC’s finger-pointing at Brown has some strange overtones. It’s almost as if the SEC has adopted an old-school front office attitude that looks at cybersecurity and says, “That’s a technology problem. You should’ve bought the right product to protect us. You didn’t, Mr. Technology Guy, and you didn’t tell anybody, so you’re responsible for this.”
This is especially concerning. Cybersecurity is not a product you can buy, but a holistic way of operating. There’s no silver bullet that will plug all your holes and give you a nice green checkmark.
Rather, cybersecurity takes a commitment from the entire organization—not only the C-suite, but every employee who has access to sensitive information and systems.
If the SEC is going after individuals, and not just the corporation, where are the other C-level execs in this suit? We see Brown raising the alarm internally. Whether he ultimately signed off on public communications that contradicted his internal warnings, or whether his warnings were simply ignored, we really don’t know. Doubtless the lawsuit will bring out these details.
Regardless, the takeaway is clear. There’s no silver bullet for cybersecurity.
3. It’s alarming to see internal staff being held personally liable
Time will tell whether the SEC’s case against Brown has legs. However, the SEC singling out Brown sets a sobering precedent. When an organization collectively neglects its cybersecurity risks, which individual employee will wind up in the crosshairs?
Think about this from the perspective of a cybersecurity professional. If they’re going to face personal liability, what does that negotiation look like as they interview for an internal role? How far will companies have to go to attract top CISOs? We expect D&O (directors and officers) liability insurance will become basic table stakes for any CISO who’s evaluating a new position.
In the final analysis, this precedent could make it even harder to run cybersecurity effectively in-house. Since MSSPs (managed security service providers) take this burden off the organization, we may see even large enterprises turning to an expert partner for cybersecurity.
Also note that you’re not going to get a Service Guarantee from an internal team. However, you can get one from a trusted partner.
Here at Corsica Technologies, we offer a robust Service Guarantee that covers services for containment, eradication, and recovery following a cybersecurity incident—all at no additional cost. We even cover legal liability related to a cybersecurity incident, up to $250k.
It’s hard to beat that with in-house cybersecurity.
4. We need to move the cyber conversation to the front office
Since there’s no silver bullet, and since cybersecurity isn’t merely a technology problem, a big implication follows.
Cybersecurity isn’t a back-office problem. It’s a front-office problem.
But the front office often doesn’t understand cybersecurity, which it views purely in terms of technology systems. If something is “just a technology problem,” it’s far too easy to drop it on IT’s doorstep without providing any support from the rest of the organization.
In reality, cybersecurity is far more than a technology problem. It’s a P&L problem.
IBM says the average cost of a data breach is $4.45M—a figure that has risen 15% in the last 3 years.
Pingdom says the average cost of downtime is $9,000 per minute. The math wizards among us know that’s $6.48M for a 12-hour outage.
Clearly, cybersecurity has massive implications for P&L. It’s time we help the C-suite understand just how devastating a breach can be—and how cost-effective it is to implement controls before something happens.
Cybersecurity risk isn’t going anywhere. Sadly, the SEC case against SolarWinds signals a new willingness by regulators to hold individual staff responsible for burdens that the entire organization should bear. The case has not yet been decided, but the message to CISOs is already clear.
That’s not a great development for in-house cybersecurity.
For organizations that don’t want to deal with the cost, complexity, and ambiguity of running cybersecurity in-house, an MSSP offers a welcome opportunity. Here at Corsica Technologies, we work round the clock to keep our clients secure, informed, and healthy. Reach out today to learn more.