Unearthing ghosts of CISOs past…and crafting future cyber and business resilience
By Micki Boland, Pete Nicoletti, and Cindi Carter.
The SolarWinds story begins in December of 2020, at which point Chief Information Security Officer (CISO) Timothy Brown had been in his role for three years. Exactly what kind of cyber environment he inherited from his predecessors remains unknown, as do the challenges he was dealing with at the time. However, that kind of information is critical in assessing his level of culpability in the narrative that follows…
The United States Securities and Exchange Commission (SEC) has not only filed charges against SolarWinds on account of the attack, it has also filed charges against CISO Timothy Brown. Yes, the SEC is attempting to hold CISO Timothy Brown personally liable.
Has the SEC been too hasty in its judgements, as there are still unknowns? Or is the SEC right on the mark here?
In light of this shocking SolarWinds development and its implications for other CISOs, the three of us are eager to share our perspectives, to provide actionable insights, to illuminate the new SEC requirements, and to help organizations avoid undesirable circumstances, such as those surrounding SolarWinds and Timothy Brown.
At the end of the day, this is also an important discussion for corporations, C-levels, officers, boards of directors, CISOs, partners, corporate stakeholders and shareholders.
First, we’ll briefly walk through the SolarWinds Orion software supply chain compromise…
[Feel free to skip this section if you’re well-versed in the details.]
Amidst this supply chain compromise, cyber criminals installed the SUNBURST backdoor — a way to bypass existing security — and eventually gained access to SolarWinds’ internal network and other systems.
The attackers then launched a stealthy surveillance and espionage campaign targeting SolarWinds’ customers, including United States government agencies and affiliated enterprises. In the end, 18,000 customers (out of its 300,000) were affected.
The scope and scale of the SolarWinds Orion software supply chain hack took years to unravel. As of this writing, the initial attack vector has not been made public and many details still remain shrouded in mystery.
In synthesizing the key events surrounding SolarWinds and the SUNBURST backdoor, we find that in this investigation, as in most major and catastrophic crime scene investigations, the initial information was speculative.
As the incident unfolded, incident response and investigation teams were under tremendous pressure — following multiple threads of Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), unraveling and then pulling together attributes and evidence — to make sense of this sophisticated breach.
The findings were then to guide the response and any further action required; not only for SolarWinds, but for all affected organizations.
Brief review of SEC fraud charges levied against SolarWinds
Now let us fast forward to October 30th, 2023, when the SEC levied fraud charges against SolarWinds and its CISO, Timothy Brown.
The charges revolve around alleged deceptive practices that misled investors regarding the company’s cyber security posture. Here are the key allegations, as stated in the SEC's indictment:
1. Falsified reports on internal controls: The SEC's fraud indictment alleges that CISO Timothy Brown intentionally falsified reports concerning SolarWinds' internal controls. In simpler terms, it suggests that Brown overstated the company's cyber security practices while deliberately failing to disclose known risks to the corporation. These alleged actions date back to 2018, suggesting a longstanding pattern of deception.
2. Incomplete disclosure of cyber attack: The SEC's charges also point to incomplete disclosures related to the SolarWinds cyber attack. This breach was discovered on December 14th, 2020. The indictment claims that SolarWinds submitted insufficient information about the attack in the corporation's SEC Form 8-K filing. The incomplete disclosure may have left investors unaware of the true extent of the cyber security incident, says the indictment.
3. Ignoring "red flags" and known risks: SolarWinds and CISO Timothy Brown allegedly ignored "red flags" regarding cyber security risks. The indictment suggests that the corporation was fully aware of certain risks, but chose not to adequately address them. This alleged failure to act raises questions about corporate responsibility and culpability in safeguarding sensitive data.
4. Intentional misleading of investors: Investors and stakeholders rely on accurate and timely information to make informed decisions, and any deliberate misrepresentation of such information is a matter of sincere concern. As this legal battle unfolds, it will be closely watched by both the cyber security industry and the investment community, with potential long-term consequences for SolarWinds and its leadership, as well as all publicly traded corporations, C-suites, boards of directors, Governance, Risk and Compliance (GRC) practitioners, legal teams, and CISOs.
SolarWinds, for its part, has said that “The SEC’s lawsuit is fundamentally flawed — legally and factually,” and categorically denies the allegations.
“The notion that SolarWinds was trying to hide information about the attack from investors or customers is absurd,” SolarWinds has stated.
How SEC rules have changed regarding risk ownership in publicly traded enterprises
On July 26th of 2023, the SEC announced a final set of new rules pertaining to cyber security risk management, strategy, governance, and incident disclosure by public companies.
The new rules require three major changes, as outlined by Deloitte in the article titled Understanding SEC Requirements for Cybersecurity Disclosures: Steps you can Take to Help Prepare and Comply.
1. Mandatory disclosure of material cyber security incidents within four business days, reporting of the material impact of cyber security incidents without unreasonable delay, and disclosure if materiality has not yet been determined. This is to be done using Form 8-K, item 1.05.
2. Mandatory disclosure of cyber security risk, management, and strategy annually via 10-K, regulation S-K item 106(b). This involves disclosures for risks not involving cyber security incidents, including how the corporation deals with overall risk management, and whether the corporation engages with third parties for risk identification and management services.
3. Mandatory disclosure of cyber security governance annually using 10-K, regulation S-K item 106(c). This rule requires oversight for cyber security risk. Organizations are encouraged to develop responsible committees or subcommittees, communications, and processes. This rule also has implications for the way that management reports cyber security information to the board of directors or a committee or subcommittee of the board.
Recommendations for CISOs: How to respond
1. Corporations need to create a materiality framework for cyber security risk factors: This is not the sole responsibility of the CISO. According to a PwC article titled Making Materiality Judgments in Cyber Security Incident Reporting, the United States Supreme Court has said of material information that a fact is material if there is a “substantial likelihood that a reasonable investor would consider it important” or if it would have “significantly altered the ‘total mix’ of information made available.”
A materiality framework will help determine which risk factors are material. Even established cyber security programs can struggle to meet the SEC's four-day deadline for material disclosures following a cyber incident. To ensure compliance, companies should proactively identify the key stakeholders and the critical information they hold for determining the materiality of a breach. Doing this preparation before any breach happens enables a faster response and adherence to the SEC's reporting time-frame.
2. Form a committee for cyber security risk factors and related business risks that includes the C-suite, board of directors, and general legal counsel, which can explore and address cyber security risk factors material in nature. Identify processes and responsibilities; your organization needs a process to determine materiality of cyber security risk factors, not just for cyber security incidents, but also for the organization’s cyber security risk strategy and processes.
3. Rapid adoption of new technologies is an everyday occurrence in business innovation, so organizations should design, adapt, and embrace cyber security practices early in the process and comprehensively. Cyber security is no longer a siloed part of the organization, and the CISO alone cannot determine materiality. All of this should include a supporting cast of cyber security advisors, consultants, and partners. Create a supportive environment where all employees are part of your security program!
4. Form a governance board or committee to determine materiality of cyber risk factors across all aspects of the business. Examine all incident handling processes (not just for cyber security incidents), and update those processes to include language pertaining to mandatory disclosure. For example, if a technology or human failure could lead to a cyber security incident, the materiality must be understood in that context.
5. Verify that the Chief Information Security Officer role is included in the organization's Directors and Officers (D&O) liability insurance. This insurance should cover the directors and officers of a company, protecting them from lawsuits alleging a breach of duty. Seek the advice of your organization's internal counsel and human resources to ensure that this is in place. An indemnification agreement should be in place with your company to help protect your personal assets in the event of a third-party lawsuit. This applies to both CISOs and their functional equivalents.
6. Thoroughly document cyber security incidents and work with partners that can deliver services to help you prepare. Third-party managed Security Operations Centers (SOCs) and managed Incident Response/Incident Handling (IR/IH) services can aid companies in complying with the SEC's updated disclosure regulations. Managed SOC and IR/IH reporting enables companies to evaluate their cyber risk management, incident reporting protocols, and readiness to meet the four-day reporting deadline. This helps C-level executives and board members refine their cyber security strategies and prepares them to address inquiries from investors, regulators, and stakeholders about their cyber security preparedness. Document all of the mandatory disclosure verbiage and add it to your Incident Response Playbook for typical incidents. Assign personnel who are good with documentation to this critical task.
7. Have your own legal counsel advise you. Review and ensure coverage under a corporate officers insurance policy. If your internal legal counsel is not aware of this disclosure requirement, insist that they reach out to external counsel for advice.
8. As a CISO, insist that you have D&O insurance coverage, and don’t do anything illegal no matter what the pressure is like!
9. As you assume a new CISO role, investigate the kinds of ‘ghosts’ that are lurking in the environment. Some of these ‘ghosts’ are friendly and helpful (think Casper), while others are haunting and fiendish.
It is the ghosts — the legacies — of other CISOs and their technological improvements (or lack thereof) that you’ll have to contend with every day.
To deal with ghosts of many kinds, obtain information about who held your role previously, how that person was perceived, and what kinds of modifications they made to the cyber security stack.
As you wrap up your tenure with a given organization, ensure that you leave only good and beneficial ghosts behind.
Summary
Having seen the sophistication of the SolarWinds attack, and everything that has followed since, we can be sure that the level of cyber attack sophistication will continue to increase.
As a result, this is an extremely important discussion for corporations, C-levels and officers, boards of directors, CISOs, and corporate stakeholders, partners, and shareholders.
The new SEC rules for risk factor disclosures specific to cyber security risk require a completely new approach to governance, risk, compliance, and legal.
To be very clear, organizations must ensure that they can demonstrate — structurally, strategically, and tactically — how they are managing cyber security risks and conveying risk factors related to cyber security weaknesses and gaps to shareholders.
We need attentive, talented, and experienced CISOs in organizations. In turn, they need the full support of a given organization’s C-suite and board of directors in order to effectively lead on cyber security goals and manage cyber security risk, without the burden of personal liability in the wake of a security incident.