Security leaders fear liability risks as regulators target cyber defense failures
Top security executives are preparing to face higher stakes and more red tape in their jobs as regulators increasingly crack down on security failures.
Driving the news: The Securities and Exchange Commission filed fraud charges against software company SolarWinds and its top security executive, Timothy Brown, for misleading investors about the state of the company's cyber defenses in the years leading up to a massive 2020 Russian cyberattack.
- It's extremely rare for the SEC to sue a company over its cyber practices, especially years after the company faced an attack.
- These charges come roughly a year after a jury found former Uber security executive Joe Sullivan guilty of obstructing an active Federal Trade Commission investigation into Uber's security practices and concealing a 2016 data breach.
Why it matters: Regulators are showing a new willingness to hold chief information security officers liable for the cybersecurity challenges they or their companies face.
- Some security executives worry that charges like those against SolarWinds' executive could become much more frequent after new SEC cyber disclosure rules go into effect next month.
The big picture: Under the new SEC rules, publicly traded companies will need to disclose material cyber incidents within four business days in a public filing, as well as share details each year about their internal cybersecurity strategies.
- Now, executives are worried that any statements they make early in their incident response, or even in the years before an attack, will lead to legal problems years later — as it has for SolarWinds.
- Sullivan, the ex-Uber executive, penned an op-ed Thursday about the SolarWinds charges, arguing they will lead "the private sector to become afraid to work closely with the government" after an attack.
What they're saying: "I'm worried that ... you can't know what you don't know, but in hindsight, people are going to blame you for not knowing something," Dave Stapleton, chief information security officer at cyber risk company ProcessUnity, told Axios.
- "There's just no one in any position in the world that just knows every single thing that's possible about whatever their domain is."
Yes, but: Both the SolarWinds and Joe Sullivan cases stem from rare, unusual circumstances that most executives won't face, said Jake Williams, a faculty member at IANS Research.
- For instance, according to the SEC's complaint, SolarWinds consistently opted to say it had certain security practices in place that actually weren't in place yet or properly enforced.
- In one example, SolarWinds claimed publicly that it was adhering to the NIST Cybersecurity Framework. Meanwhile, in internal audits, the company estimated it didn't have a plan in place to adhere to at least 60% of the standards in the framework, per the complaint.
- "The commonality between these two is lots of people reading a headline saying, 'CISO indicted for doing their job,' but that's not what was in the Joe Sullivan case," Williams said. "It's not what's in [the SolarWinds] case either."
- Sometimes the security upgrades a CISO recommends can be at odds with the company's other business plans, Stapleton said, and CEOs will choose to "roll the dice" and put off those investments.
- But that choice ends up putting CISOs in a tough position if one day their company faces a cyberattack that those upgrades could have prevented.
The intrigue: Renewed liability risks are also now likely to discourage prospective security leaders from taking the top roles, Michael Sikorski, chief technology officer and vice president of engineering for Palo Alto Networks' threat intelligence team, told Axios.
- "Who would want to do that if they know they're personally liable and one day they could be fired?" Sikorski said. "Those two things are now on the radar — what more do you need to discourage that role?"
- People considering top security roles should now ask questions about where the CISO sits inside a company's governance structure and whether they'll have access to liability insurance that's offered to other top-level officers, Williams said.
The other side: SolarWinds and an attorney representing Brown have disputed the claims made in the SEC's complaint.
- "The SEC's allegation that SolarWinds didn't follow the NIST Framework is confused on a number of levels," attorney Serrin Turner, who represents SolarWinds, told Axios in a statement. "They are mischaracterizing technical documents they don't seem to understand — which just goes to show why they're not competent to regulate cybersecurity for public companies in the first place, and why we're fighting their charges."
- Sullivan is also currently appealing his guilty verdict.
Editor's note: This story has been updated with additional comment from SolarWinds.