A Tale of Two CISOs (or, How to Keep Yourself From Being Indicted)

Chief Information Security Officers (CISOs) have a hard job defined by enormous responsibility and insufficient resources.  Now, authorities are targeting CISOs directly for data security issues.  Recently, two CISOs handled these pressures in different ways, resulting in significantly different outcomes.

CISOs as Targets

On October 30^th, 2023, the Security and Exchange Commission (SEC) filed a complaint against both SolarWinds and SolarWinds’ CISO, Timothy Brown (technically, Mr. Brown was the Vice President of Security and Architecture at the time of the alleged activity and appointed CISO in 2021, but at all times he was responsible for information security).  The SEC alleged that SolarWinds and Mr. Brown defrauded SolarWinds’ investors and customers “through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened— and increasing—cybersecurity risks.”[1]

Of particular note, Mr. Brown wrote on an internal presentation that “SolarWinds’ ‘current state of security leaves us in a very vulnerable state for our critical assets.’”  SolarWinds’ public statements, including around its IPO, used “only generic and hypothetical cybersecurity risk disclosures.”  There were numerous other internal communications either made by Mr. Brown or known to Mr. Brown that indicated SolarWinds’ public statements on its cybersecurity posture were, at best, grossly misleading.

Mr. Brown was individually named as a defendant for several reasons.  First, he “signed sub-certifications attesting to the adequacy of SolarWinds’ cybersecurity internal controls, which SolarWinds’ executives relied on in connection with SolarWinds’ periodic reports that were filed with the SEC.”  Second, he exercised stock options while SolarWinds’ stock price was allegedly inflated by those public statements.  Third, Mr. Brown posted blog posts, including ones discussing how important it was for developers to follow cybersecurity protocols and that businesses shouldn’t give their business or data to companies that did not follow cybersecurity protocols.

The SEC backed up these claims with numerous alleged facts.  Some of these allegations were aggressive: e.g., “Claiming to ‘follow’ the NIST framework, without disclosing just how poorly the Company was doing in following the framework, was misleading and deprived investors of material information necessary to make the claim that SolarWinds followed the framework not misleading.”  But there were enough facts that the SEC was willing to make an example of both SolarWinds and Mr. Brown.

This isn’t the first time a federal agency has gone after a CISO.  The Department of Justice was able to get a conviction of Uber’s CISO for not reporting a data breach while under investigation by the Federal Trade Commission.

Both of these CISOs are alleged to have made public statements—or at least statements to regulators—that were false.  But what should a CISO do if her organization is going to make a public statement on security that the CISO knows is false?  There are several options, including continuing to work inside the organization but say nothing publicly, resign, or in some cases, blow the whistle.

CISOs as Whistleblowers

The most high-profile example of a CISO blowing the whistle is Aerojet Rocketdyne.  The case settled for $9 million, with the CISO, Brian Markus, receiving $2.61 million of that for his role in blowing the whistle under the False Claim Act.

Aerojet admitted no liability as part of its settlement, so all of the facts are allegations.  But allegedly, Mr. Markus was brought in to assess cybersecurity in the wake of a 2014 data breach and was fired when he refused to sign documents claiming compliance with cybersecurity obligations.

With increased requirements for CISOs to make public statements on cybersecurity, either by custom or regulation, companies will either have to be honest about their cybersecurity posture or put pressure on their CISOs to misrepresent that posture.  That pressure will cause at least some CISOs to become whistleblowers.

Lessons

There are a lot of lessons to learn from these two CISOs.  First, regulators will continue to target CISOs as the senior executive at organizations with the in-depth knowledge to validate statements regarding security posture—statements that are more and more required.  Second, CISOs should be empowered to accurately evaluate and report on that security posture.  Third, senior management and boards of directors must respect those reports and challenge them appropriately.  Finally, all organizations need to improve their cybersecurity before their CISO or other responsible executive finds themselves in this situation.

If you have concerns about your cybersecurity posture, obligations, or management, reach out to one of our experienced cybersecurity attorneys.

[1] The facts alleged in the complaint all pre-date the SEC’s recent cybersecurity risk management rule, so the legal risk is much higher now.