While the outcome of the Securities and Exchange Commission's complaint against SolarWinds remains to be seen, infosec experts say the charges are likely to have a major impact on the role of the CISO going forward.
In late October, the SEC charged SolarWinds and its CISO, Timothy Brown, with fraud and internal control failures related to the massive supply chain attack discovered in December 2020, which affected federal government agencies that used SolarWinds' Orion IT management software.
The SEC alleged SolarWinds and Brown misrepresented the company's cybersecurity posture to shareholders in public statements.
SolarWinds issued a rebuttal statement a week later denying the charges, though the statement did not mention Brown.
Transparency challenges were further underscored in August when the SEC put in place a rule requiring publicly traded companies to disclose material cybersecurity incidents within four business days of determining that an incident is material.
Jake Williams, an infosec professional and faculty member at IANS Research, also addressed the scapegoating issue but in relation to SolarWinds omitting Brown from its counterargument.
Mark Bowling, vice president of security response services at ExtraHop Networks, also did not expect SolarWinds to back Brown.
Instead, the rebuttal statement emphasized that SolarWinds did not commit fraud, which Bowling interpreted as the company only looking out for itself.
Based on the facts laid out in the SEC's complaint, Williams believes the charges are warranted and agreed that SolarWinds and Brown took steps to mislead investors.
Based on the complaint and the SEC's press release, Marler said SolarWinds has a long road ahead of it to respond to the specific charges against Brown.
In 2022, SolarWinds agreed to a $26 million settlement in a shareholder lawsuit over the data breach.
The SEC charges could potentially lead to further financial losses for the company.
TechTarget reached out to SolarWinds regarding any updates since the SEC announcement and subsequent rebuttal statement.
One of the biggest disputes between SolarWinds and the SEC pertains to cybersecurity standards.
The SEC's complaint accused SolarWinds of misleading investors by claiming it adhered to the NIST Cybersecurity Framework.
SolarWinds said the SEC's accusation is inaccurate because it was based on a preliminary self-assessment against a completely different set of NIST standards, not the NIST Cybersecurity Framework.
It took a corporation as large as SolarWinds several months to trace the attack timeline back to early 2019, and the company still has not determined how the attackers first gained access to its network.
Marler said a key issue for SolarWinds is that the SEC claimed the company did not have an adequate plan in place that prioritized the most significant risks facing the company.
Discussions will focus on SolarWinds and other emerging cases in this space.
James Turgal, vice president of cyber risk, strategy and board relations at Optiv, also observed widespread concern among CISOs following the SEC's announcement.
Published on www.techtarget.com. Publication date: Wed, 17 Jan 2024 17:13:05 +0000