Why CISOs Should Pay Attention to SolarWinds SEC Allegations

Attorney Discusses Impact of Charges Against CISO Tim Brown in Wake of 2020 Breach
Jonathan Armstrong, partner, Cordery Compliance

The fallout from the U.S. Securities and Exchange Commission's charges of fraud and internal control failures against SolarWinds and its CISO has implications for the entire industry. Jonathan Armstrong, an attorney with Cordery Compliance, advises security leaders "take heed and remember that the actions of today can determine your fate tomorrow."

SEC regulators filed charges Monday accusing SolarWinds and CISO Tim Brown of misleading investors about the company's cybersecurity practices and risks - disclosing only generic and hypothetical risks even though they knew about specific issues. The SEC charges come nearly three years after SolarWinds in December 2020 disclosed that its Orion network monitoring product had been compromised in an attack that was later attributed to hackers from the Russian Foreign Intelligence Service. Nine federal agencies were compromised.

"Misstatements, omissions and schemes concealed both the company's poor cybersecurity practices and its heightened - and increasing - cybersecurity risks," the SEC alleged in a complaint filed in the Southern District of New York.

"As the SEC and other regulators seek to set examples, it's a stark reminder that the responsibility of safeguarding data and ensuring transparency should never be taken lightly," Armstrong said. "Be vigilant in your role as protectors and guardians of your organization's integrity."

"As security leaders, it's our duty to bridge the gap between resource needs and systemic issues, to communicate clearly with our organizations and to confront the challenging discussions with boards," he said. It's crucial to prioritize not just the protection of our networks but also to emphasize the significance of the CISO's role and expertise, he added. Equally important is ensuring that corporate boards are adequately equipped to accurately assess the risks posed by cybersecurity threats.

In this video interview with Information Security Media Group, Armstrong discussed:

  • A breakdown of the key allegations made by the SEC against SolarWinds and its CISO;
  • The potential consequences Brown may face if the allegations are proven true and what this could mean for other security leaders in similar positions;
  • How security leaders can strike a balance between reassuring investors and being transparent about their organization's cybersecurity challenges.

Armstrong, an experienced lawyer with Cordery in London, is an expert on data protection and data security law. He advises multinational companies on risk, compliance and technology.


About the Author

Anna Delaney

Director, ISMG Productions

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.
