The SEC and SolarWinds’ CISO: A Wake-Up Call
2023-11-2 20:0:8 Author: securityboulevard.com (view original)

On October 31, 2023, in federal court in Manhattan, the United States Securities and Exchange Commission (SEC) filed a landmark lawsuit against SolarWinds and its CISO for securities fraud. The lawsuit reflects the SEC’s position that a company’s data security policies, practices and conditions are not only “material” to the potential investing public—and, therefore, must be accurately disclosed—but also that “pablum” comments in public disclosures, such as “We take security seriously,” or that products or services are subject to a “secure development lifecycle [that] follows standard security practices including vulnerability testing, regression testing, penetration testing, and product security assessments,” can give rise to liability for securities fraud.

While SolarWinds itself suffered a massive attack that caused significant harm to those who depended upon its services, another significant aspect of the SEC filing against both the company and its CISO is that the securities liability for potentially false or misleading statements to investors exists irrespective of whether there ever was a data breach. Thus, a company and its CISO could be held civilly liable to investors in a shareholder derivative action or to the SEC itself merely for not providing full and accurate information about the potential for harm or damage—even if no harm or damage ever occurs. If a company chooses to use words like “state of the art” or “industry standard” in describing its security posture, then that company will be held to that standard.

In the 68-page civil complaint against the software company SolarWinds and its former chief information security officer (CISO), Timothy G. Brown, the SEC specifically focused on disclosures the company made (and the CISO approved) in a security statement, which the commission alleges was materially misleading because it touted the company’s supposedly strong cybersecurity practices. For example, the SEC alleges that the security statement asserted that SolarWinds created its software products in a “secure development lifecycle [that] follows standard security practices including vulnerability testing, regression testing, penetration testing, and product security assessments.” And the security statement claimed that SolarWinds’ “password policy covers all applicable information systems, applications, and databases [and we] enforce the use of complex passwords.” It also stated that SolarWinds had “[a]ccess controls to sensitive data in our databases, systems, and environments [that are] set on a need-to-know/least-privilege-necessary basis.” The SEC asserted that “All those statements were materially false and misleading,” and pointed to an internal presentation delivered by CISO Brown in October 2018 where Brown noted that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”

The lawsuit also alleged that SolarWinds’ disclosures regarding its state of security were insufficient to alert the investing public about the true nature of its cybersecurity status, or about the threats to its infrastructure, observing that the public disclosures “… contained general, high-level risk disclosures that lumped cyberattacks in a list of risks alongside ‘natural disasters, fire, power loss, telecommunication failures…[and] employee theft or misuse.’” The cybersecurity risk disclosure was generic and hypothetical, allowing for negative consequences “[i]f we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches.”

However, this kind of “generic” disclosure is common in the marketplace—although new SEC-proposed regulations attempt to force companies to make more meaningful (and therefore more specific) disclosures about cybersecurity risk and status.

This charge is not only significant for SolarWinds but serves as a crucial development for CISOs and the cybersecurity community at large. It demonstrates the SEC’s commitment to holding CISOs accountable for the cybersecurity representations they make to the public and the actions they take—or fail to take—in the face of known risks.


The importance of this case lies in its potential to redefine the role and responsibilities of a CISO. Traditionally, CISOs have been seen primarily as the guardians of their companies’ cybersecurity, responsible for implementing strategies to defend against cybersecurity threats. However, with the SEC’s recent actions, it’s clear that the role also encompasses a legal and fiduciary duty to accurately disclose cybersecurity risks and incidents to investors and the public.

This expanded scope of responsibility is underscored by the SEC’s proposed new requirements to address cybersecurity risks. Released in March 2023, the SEC’s draft proposal outlines that a range of market entities would need to develop, implement and annually review comprehensive policies and procedures reasonably designed to address their cybersecurity risks. The proposal also introduces new requirements for these entities to disclose significant cybersecurity incidents to the SEC and, in some cases, to the public, enhancing transparency and accountability.

For CISOs, the message is clear: Cybersecurity is no longer just a technical issue but a strategic one that carries significant legal implications. The SEC’s charge against Brown and the proposed cybersecurity rules call for a reassessment of how cybersecurity leaders operate within their organizations. They must now ensure that their cybersecurity programs are not only effective but also accurately represented in public disclosures. This includes maintaining detailed records of cybersecurity risks and efforts taken to mitigate them, as well as establishing clear communication channels with other corporate leaders to ensure that cybersecurity risks are reflected accurately in corporate reporting.

The case against SolarWinds and its former CISO signals a shift toward greater regulatory scrutiny of cybersecurity practices and highlights the need for transparent, accurate reporting of a company’s cybersecurity posture. For the CISO community, this development may necessitate a reevaluation of the role’s scope, particularly in terms of legal and regulatory compliance. It also emphasizes the need for CISOs to work closely with legal, compliance and executive teams to align cybersecurity strategies with corporate governance and public disclosures.

The SEC has just made it much more risky to be a CISO. A typical CISO may advise the board of directors, the CIO, the risk officer or other internal players about certain risks, vulnerabilities or incidents. Now, doing so may actually increase the liability of the company—and the CISO personally—if those same risks, vulnerabilities and incidents are not also disclosed to the investing public.

Source: https://securityboulevard.com/2023/11/the-sec-and-solarwinds-ciso-a-wake-up-call/