December 6, 2023
The US Securities and Exchange Commission's complaint against SolarWinds and its Chief Information Security Officer (CISO) Tim Brown has sent shockwaves through the cybersecurity community. SolarWinds and Brown have been accused of fraud, the details of which can be found in an extensive 68-page document.
This complaint, in itself a bold move, has been particularly jolting to cyber professionals given the SEC’s July 2023 cybersecurity disclosure rules. Although the regulator dropped its proposal that cyber expertise must be present in the boardroom, the new rules demonstrate a pattern of increased transparency expectations and an interest in heightening cybersecurity risk accountability for company executives.
The case against Brown, however, is noticeably void of boardroom accountability. Instead, the SEC focuses primarily on the SolarWinds CISO’s cyber responsibility and reporting actions, asking that Brown face, among other consequences of his alleged fraud, civil penalties and a permanent bar from serving as an officer or director of a public company.
While the intense reactions have ranged from dejected confirmations that CISOs will now become the go-to scapegoat following an inevitable cyber attack to steadfast approvals of accountability, the SEC's charge has nevertheless made one thing clear: At SolarWinds, there was apparently an alarming lack of recognition at the highest levels as to the true nature of the organization's cyber risk.
Consequently, there is now tremendous pressure on CISOs not only to ensure that all executives and boards have a clear understanding of the business's cyber landscape, but also that their assertions are defensible in a court of law. In this new reality, financial cyber risk quantification (CRQ) models serve as an invaluable asset, harnessing millions of data points to generate a credible risk assessment that even non-technical colleagues can understand.
Once CISOs start leveraging this powerful solution, board members will become fully aware of their organization's risk landscape, be compelled to participate in cyber discussions, and emerge as essential, responsible parties in cybersecurity governance and reporting.
On October 30, 2023, Timothy G. Brown was formally accused of materially misleading investors in an incomplete Form 8-K disclosure submitted in December 2020 following the catastrophic cyber attack, Sunburst. The SEC claims that, despite being aware of vulnerabilities that had been exploited on multiple occasions in 2018, Brown neglected to address the issue and failed to alert higher-level executives.
The SEC also contends that, on top of neglecting suitable mitigation plans, Brown knowingly signed off on and published several inaccurate statements about SolarWinds' cyber posture. For example, the SolarWinds Security Statement that Brown approved asserts that the company followed cybersecurity best practices when, according to internal documents cited by the SEC, it in reality "fell significantly short of those standards." Even now, the Security Statement remains unchanged.
As a result of Brown's overstated security assessments, the SEC argues, SolarWinds' stock prices were driven upwards. Indeed, during the time before the attack was made public, SolarWinds' flagship product, Orion, became an attractive option for managing IT stacks and was adopted by various US federal agencies, as well as major global enterprises such as Microsoft, Intel, Cisco, and Deloitte.
It was amidst this popularity (and stock value) in mid-2020 that Brown, who, according to the SEC, was already aware of the true nature of SolarWinds' risk landscape, sold company stock valued at more than $170,000. Once the 8-K announcing the Sunburst incident was filed in December and the public was alerted, the stock price dropped more than 16%. By the end of the year, SolarWinds' stock value had decreased by 35%.
The SEC's complaint asserts that SolarWinds' CEO, CFO, and other executives signed off on the allegedly fraudulent 8-K and a similarly misleading Form S-1 from 2018 through part of 2020. The SEC also cites evidence that the CIO, CTO, and CEO received a Quarterly Risk Review Presentation that highlighted system control deficiencies.
Nevertheless, Brown is the only individual the SEC has charged, because the CISO "failed to ensure that other senior executives were sufficiently aware of, or understood, the severity of cybersecurity risks, failings, and issues that he and others knew about." Essentially, the SEC contends that, while the C-suite should bear some level of responsibility, their misunderstandings are inherently a result of the CISO's failure to communicate adequately.
The SEC’s division between Brown and other senior executives is not a new phenomenon. Disconnection from the broader organizational framework has long plagued the CISO. Unfortunately, CISOs are often not considered true peers of company executives and have little say in high-level business strategy.
Likewise, board members often stay away from cyber-related discussions because of the topic’s technical intricacies, remaining unaware of their organization’s cybersecurity landscape. A breakdown of communication and understanding in these situations is almost inevitable, but before the SEC’s civil suit there was little risk of legal consequences specifically for the CISO.
The SEC’s SolarWinds complaint has made it apparent to CISOs across industries that they can no longer remain in the ivory tower as the company’s sole owner of cyber risk. This isolated position leaves them exposed to legal ramifications. Now, these cybersecurity professionals must take the proper measures to ensure the boardroom fully comprehends the company’s digital vulnerabilities, making the board equally accountable for mitigation efforts (or the lack thereof).
Financial CRQ models have come to be an invaluable resource in the wake of the SEC’s complaint against Brown, serving as an immediate bridge between the technical cyber realm and the business-oriented boardroom.
Armed with the insights a CRQ solution provides, CISOs can ensure board members are aware not only of the cyber posture but also of the likely financial consequences the business faces if specific risks are not addressed. By framing cyber risk in broader business terms, the CISO gains a strong, defensible position that they have effectively communicated this risk to the company, which can then make informed, accurate disclosures.
CRQ tools offer an effective means of expressing cyber risk in terms most familiar to board members and other C-level executives. By quantifying potential cyber events in likelihoods and their relative impact in financial terms, such as the cost of a data breach or system outage, CISOs can communicate in a language that resonates much more clearly within the broader business context.
For instance, with a financial CRQ solution, a corporate CISO might discover that the organization faces an extremely high probability of experiencing a data breach that would cost around $50 million in damages. After these business figures are communicated to the board, there can be little doubt that everyone in the room understood the scale of the risk. Financial loss is a language all directors and executives understand.
The CRQ approach transforms abstract technical details into concrete financial implications, making it easier for non-technical individuals to grasp the significance of cybersecurity decisions. This level of transparency not only enhances collaboration but also demonstrates that the executive team and board were made fully aware of the organization's cybersecurity environment in an understandable way.
Financial CRQ is similarly beneficial for facilitating the necessary boardroom discussions, providing a foundation for reporting potential cybersecurity losses or risks. With the quantified knowledge, executive leadership can determine clear financial thresholds that guide the CISO when elevating issues to the appropriate level of company governance, up to and including the board.
Once these risk thresholds are in place and the alerting processes are well documented, the CISO has assurance that they have acted according to the company’s cyber governance practices. While determining risk appetite can be challenging at first, financial thresholds serve as a reliable starting point.
Determining the materiality of a risk or cybersecurity event is highly complex and requires both quantitative and qualitative impacts to be considered. To help calculate the financial impact, Kovrr has developed the Cyber Materiality Report. This report offers a defensible figure, expressed in basis points of revenue, that can be reliably incorporated into the materiality determination process for subsequent risk analysis and public disclosure.
Another significant advantage of a financial CRQ solution amid a landscape of SEC disclosures and civil lawsuits is that it produces data-driven results. As opposed to risk assessments that rely heavily on questionnaires and subjective analysis, CRQ models like Kovrr's leverage millions of real-world cyber event data points, including external global threat and insurance loss intelligence, along with an organization's unique cybersecurity posture.
When the CISO presents the calibrated results in board meetings, it minimizes the possibility of misrepresentation or obfuscation. Subjectively collected data can be molded to present a skewed picture of an organization’s cyber posture. Objective data, on the other hand, is far harder to dispute, providing a transparent and unbiased overview of the risk landscape to board members.
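The mechanics behind the two ideas above (expressing a cyber scenario as a likelihood and a financial impact, then mapping the resulting loss figures onto escalation thresholds and a basis-points-of-revenue materiality view) can be made concrete with a small simulation. The following is an added illustration written for this page; it is not Kovrr's model or any vendor's code. The scenarios, frequencies, loss distributions, the revenue figure and the escalation ladder are all constructed, hypothetical inputs; a real CRQ model calibrates these from event and loss data rather than hand-picked constants.

```python
"""Toy financial cyber risk quantification (added example, not a vendor model).

Each scenario is modelled as a compound Poisson process: the number of events
per year is Poisson(annual_frequency) and each event's loss is lognormal.
Simulating many years yields an expected annual loss, a tail figure, and the
probability of exceeding any given amount, which are then mapped onto a
hypothetical escalation ladder and expressed in basis points of revenue.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected events per year (assumed input)
    loss_median: float       # median loss per event in USD (assumed input)
    loss_sigma: float        # lognormal shape, std dev in log space (assumed)


# Constructed scenarios for illustration only; not real data.
SCENARIOS = [
    Scenario("data breach", annual_frequency=0.3, loss_median=8_000_000, loss_sigma=1.0),
    Scenario("system outage", annual_frequency=1.2, loss_median=500_000, loss_sigma=0.8),
]

# Hypothetical escalation ladder: (annual loss threshold in USD, who must be told).
# In practice the board sets these as its risk appetite; the figures are assumed.
ESCALATION_LADDER = [
    (50_000_000, "board"),
    (10_000_000, "audit committee"),
    (1_000_000, "CEO/CFO"),
]


def _poisson(rng: random.Random, rate: float) -> int:
    """Draw a Poisson-distributed count (Knuth's method, fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_losses(scenarios, years: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo simulation of total annual loss across all scenarios."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        losses.append(total)
    return losses


def expected_annual_loss(losses: list) -> float:
    return sum(losses) / len(losses)


def analytic_expected_annual_loss(scenarios) -> float:
    """Closed form for comparison: rate * mean of the lognormal per event."""
    return sum(s.annual_frequency * s.loss_median * math.exp(s.loss_sigma ** 2 / 2)
               for s in scenarios)


def probability_of_exceeding(losses: list, amount: float) -> float:
    """Empirical probability that annual loss exceeds `amount` (a loss-exceedance point)."""
    return sum(1 for loss in losses if loss > amount) / len(losses)


def percentile(losses: list, q: float) -> float:
    """Empirical q-quantile of annual loss, e.g. q=0.95 for a 1-in-20-year figure."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[index]


def escalation_level(annual_loss: float, ladder=ESCALATION_LADDER) -> str:
    """Map a loss figure onto the documented escalation ladder (highest tier wins)."""
    for threshold, level in sorted(ladder, reverse=True):
        if annual_loss >= threshold:
            return level
    return "CISO"


def loss_in_basis_points_of_revenue(loss: float, annual_revenue: float) -> float:
    """Express a loss as basis points (1/100 of a percent) of annual revenue."""
    return loss / annual_revenue * 10_000


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    eal = expected_annual_loss(losses)
    tail = percentile(losses, 0.95)
    revenue = 1_000_000_000  # assumed annual revenue, USD
    print(f"expected annual loss: ${eal:,.0f} (analytic ${analytic_expected_annual_loss(SCENARIOS):,.0f})")
    print(f"95th percentile annual loss: ${tail:,.0f} -> escalate to {escalation_level(tail)}")
    print(f"P(annual loss > $50M): {probability_of_exceeding(losses, 50_000_000):.3f}")
    print(f"expected loss = {loss_in_basis_points_of_revenue(eal, revenue):.1f} bps of revenue")
```

The value for a board is not the point estimate but the exceedance view: "there is an x% chance of losing more than $50 million this year" is a statement a director can weigh against risk appetite, and the same thresholds that drive `escalation_level` become the documented trigger for when the CISO must raise an issue upward.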
Moreover, these on-demand CRQ insights establish a foundation of trust between the CISO and the boardroom, fostering a collaborative environment in which decisions can be made with confidence and a clear understanding of the risks at hand.
Although ensuring boardroom accountability with a financial CRQ solution will help CISOs avoid a situation like Brown’s, it is important to emphasize that it will not help in cases of deliberate misrepresentation. A CRQ can provide objective, understandable insights for all stakeholders, but it remains crucial that those stakeholders ensure the details are accurately reflected in disclosures.
Because the financial CRQ assessment provides an organization’s risk metrics in broader business terms, all those who sign off on the relevant paperwork have the capacity to attest to whether the included information is indeed accurate.
While financial CRQ is not a foolproof solution that can protect a CISO from all SEC charges, its undeniable value lies in promoting greater transparency in cybersecurity discussions amongst all executives and providing the CISO with objective evidence of cyber risk transparency.
Transforming technical details into understandable financial implications and leveraging objective data, CRQ solutions ensure that executives and board members are well-informed about the organization's cyber risks.
As CISOs navigate their roles in the wake of the SEC’s tightening cybersecurity regulations, a CRQ can prove to be a powerful ally, helping ensure that everyone is held accountable for the organization’s cybersecurity efforts.