For possibly the first time ever, a CISO may face an enforcement action from the U.S. Securities and Exchange Commission (SEC) following the 2020 supply chain attack on SolarWinds.
SolarWinds, in a June 23, 2023, SEC filing, disclosed that the SEC staff has recommended the commission take civil enforcement actions against “certain” current and former executives and employees of the company, including its CFO and CISO. A civil enforcement action would allege violations of U.S. federal securities laws, although the SolarWinds filing doesn’t disclose which laws could be implicated.
This is likely the first time that a company CISO has received a so-called SEC Wells Notice, Jamil Farshchi, CISO at Equifax, wrote on LinkedIn. In most cases, Wells Notices target CEOs and CFOs for violations like accounting fraud or market manipulation, he wrote.
The SolarWinds filing seems to suggest that additional people received Wells Notices beyond the CISO and CFO. However, if the SEC didn’t also send notices to the CEO and the company’s board of directors, CISOs at other public companies should be worried about the SEC targeting them, said Mark Bowling, Senior Vice President and Chief Information Security and Risk Officer at ExtraHop.
Members of the board of directors are ultimately responsible for protecting company shareholders, Bowling noted. Board members, CEOs, chief risk officers, and other executives should have a firm understanding about the security measures their companies have taken; otherwise they may be guilty of fiduciary malpractice.
“Why is the CISO receiving a Wells Notice, while every single member of the board of directors at the time is not receiving one?” Bowling said. “If they don’t send Wells Notices to the board of directors, the CEO, and everyone between the board and the CISO, the message from the SEC is that the CISOs are the fall guy.”
By not sending Wells Notices to board members, the SEC is “empowering” them to not take their responsibilities seriously, he added. But if all the board members and the executives between the board and the CISO also received Wells Notices, then Bowling is less concerned about the CISO getting a notice.
“But if all those people don’t get the same notice, it’s a message for me to go coach high school football,” he said. “The CISOs are out there dangling, knowing they’re the sacrificial lamb.”
SolarWinds has defended its response to the attack as appropriate, and it said it plans to “vigorously” defend itself against any enforcement actions.
“SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure,” a company representative told Reuters.
If the SEC brings enforcement action, it could fine the targeted people or bar them from serving as an executive or director at other public companies, SolarWinds noted in its filing with the agency.
Failure to Disclose
Farshchi also called the targeting of the SolarWinds CISO a huge statement from the SEC.
“The implications are immense: Wells Notices are no joke,” he wrote. “They create massive career hardships—especially if one plans to work for a publicly traded company.”
While a potential enforcement action against a CISO may seem “odd,” one possible enforcement action that could fit is “failure to disclose material information,” Farshchi wrote. The SEC has been debating new regulations about disclosure of data breaches, but it hasn’t approved a final rule yet.
“Things like failing to disclose the gravity of an incident… or failing to do so in a timely manner, could conceivably fall into this category,” he noted. “But *if* this is about disclosure, it shows the SEC isn’t sitting around waiting for cyber regs to be issued. They’re taking action today.”
CISOs need to take notice, Farshchi added. “For all of us in security, it means the light is shining on us brighter than ever before.”