CISO Liability in Focus: SEC Enforcement, Insurance, and [Personal] Risk Mitigation

The Securities and Exchange Commission (SEC) is ratcheting up the pressure on chief information security officers (CISOs)—and it’s entirely deliberate. In this post, I’ll discuss the litigation landscape against SolarWinds, the recent SEC charges filed against the SolarWinds CISO, and what companies can do to protect their CISOs.

The SEC Is Done Fooling Around—and Now It’s Personal

After years of relatively gentle guidance when it came to disclosing cyber risk and cyber breaches, the SEC signaled that the kid gloves had come off when it proposed and ultimately adopted its new cyber disclosure rules.

The SEC had also already been signaling its changing enforcement posture, including a 2021 penalty of $500,000 it imposed on American Title Company and a $1 million penalty on Pearson plc for disclosure issues related to cyber events.

After all of this, no one should be surprised that the SEC is now making enforcement personal. It’s typical for the SEC to look for a particularly strong case to make its point. SolarWinds fits the bill.

SolarWinds Shareholder Litigation

By now, the facts of the SolarWinds situation are pretty familiar. As I noted in an earlier post on the SolarWinds cyber breach this year:

As a brief recap, the Texas-based company develops software for businesses to manage their networks, systems, and IT infrastructure.

Russian cyberterrorists successfully hacked into SolarWinds’ Orion platform and planted malicious code that was then deployed to all SolarWinds customers in a software update. That code installed a backdoor to each of those customer’s operating systems, which granted further access to cybercriminals to all of those companies.

SolarWinds shareholders sued the company for securities fraud and settled for $26 million. Another set of shareholders sued the directors of SolarWinds for failing in their oversight responsibilities so egregiously to have been a breach of the fiduciary duty of loyalty, but their case was dismissed.

Enter the SEC.

The SEC Makes Things Personal

Readers of the D&O Notebook will recall that both the SolarWinds CFO and CISO received Wells notices from the SEC on June 23, 2023. As a reminder, a Wells notice is essentially an invitation from the SEC to tell the SEC why it should not bring an enforcement action against you.

On October 30, 2023, the SEC filed charges against the former CISO of SolarWinds, Timothy G. Brown. The charges are numerous and serious. As the SEC’s press release summarizes:

The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

The SEC believes it has a strong case, as illustrated by its decision to charge Brown not just as an aider and abettor of violations of the securities law—it also charged him as a primary violator of the securities laws. And, on top of potential monetary penalties, the SEC is asking the court to prohibit Brown from serving as an officer or director of a publicly traded company in the future.

As serious as these charges are, the matter is still a civil enforcement action brought by the SEC—which means going to jail is not a possibility. For jail to be a possibility, the Department of Justice would have to bring a criminal action, as it did in the case of a former CISO for Uber relating to his attempts to cover up a massive cyber breach. 

What about the CFO, who had also received a Wells notice? The SEC can still bring charges, but it seems unlikely it will do so later. The more natural move would have been to bring charges against the CFO at the same time it brought charges against the CISO.

It is certainly interesting to speculate as to why the CFO received a Wells notice in the first instance. Woodruff Sawyer corporate securities law expert Lenin Lopez opines:

SolarWinds’ internal controls may be the primary reason that the staff sent the CFO a Wells notice. In 2018, the SEC issued a report on an investigation relating to nine public companies that lost nearly $100 million as a result of cyber threats. In that report, the SEC cautioned public companies to consider cyber threats when implementing internal accounting controls. To the extent that SolarWinds’ internal accounting controls and disclosure controls and procedures did not appropriately address cyber threats (in the SEC’s view), it isn’t difficult to imagine why SolarWinds’ CFO, an individual who must certify the effectiveness of those internal controls, received a Wells notice.

Internal Communications Look Like Smoking Guns

In fairness to all defendants in SEC enforcement actions, the public does not know the defendant’s side of things when the SEC files its charges. However, the facts outlined by the SEC look pretty bad.

In its filing against the SolarWinds CISO, the SEC delineates numerous instances of public statements about SolarWinds’ excellent cybersecurity posture. The SEC contrasts this with what seem to be numerous internal reports and statements by knowledgeable insiders that SolarWinds’ security posture was, in fact, anything but excellent. Naturally, the SEC has highlighted some of the juicier quotes from internal documents, for example, this one from an instant message sent by a SolarWinds security employee to an information security manager:

Even if we started to hire like crazy, which we will most likely not, it will still take years [to fix the vulnerabilities]. Can’t really figure out how to unf**k this situation. Not good.

The SEC is laser-focused on internal company communications that seem to confirm serious, known security shortcomings since they appear to be smoking guns.

However, it’s worth asking how a corporation can take steps to remediate issues if it’s afraid to have any internal documentation that concludes remediation is needed. The SEC will likely say it’s focused on the failure of the company and its CISOs to respond appropriately to numerous red flags as well as the failure to be candid with investors. That sounds right in theory, but it’s also easy to see how tricky and nuanced this sort of situation can be, particularly in hindsight.

Tension in this area will continue to intensify given the SEC’s newly released rules on cyber disclosure. The new rules put companies under tremendous pressure to report cyber breaches very quickly. Companies will have a shot at doing this well only if they have put a team and a prescribed escalation process in place before a cyber breach takes place.

Finally, and back to the “innocent until proven guilty” point: SolarWinds and Brown are fighting the SEC case. So, what happens if the SEC loses? According to Woodruff Sawyer securities litigation expert Walker Newell:

If the SEC loses, the risk to CISOs arguably diminishes somewhat. The government doesn’t like to lose in court and tends to calibrate future enforcement activities accordingly. But the facts on paper are tough ones for the defendants to overcome. In any event, even a victory in court for SolarWinds and Brown wouldn’t mean that CISOs are categorically off the hook. Now that the cat is out of the bag, the risk will remain.

Protecting CISOs

The problem for CISOs, of course, is that not all cyber catastrophes are their fault. Rather, most CISOs are sincere actors who are honestly doing their best when it comes to identifying and addressing cyber vulnerabilities in a timely way. Nevertheless, CISOs certainly make an easy target after something goes wrong.

So, just like CEOs and CFOs, CISOs should now be asking for personal indemnification agreements as well as confirming that they are covered by their company’s directors and officers (D&O) insurance programs.

Indemnification agreements and D&O insurance policies are designed to ensure that the indemnified parties will have funds to pay for what will be a very expensive legal defense. Remember too that the SolarWinds CISO, in addition to being charged by the SEC, was named as a defendant in the $26 million securities class action lawsuit. Personal indemnifications agreements and D&O policies are both also designed to pay for these types of settlements.

One more thing: Many companies are incorporated in Delaware, and the Delaware courts have made it very clear that individual officers—like CISOs—can be personally sued for breach of loyalty claims. This is still a very difficult case for shareholder plaintiffs to win. Nevertheless, the possibility of having to defend against such claims is yet another reason why CISOs will want to ensure they have the protection of a personal indemnification agreement and their company’s D&O insurance policy.

Would cyber liability policies respond to claims like these brought against a CISO? Not likely. Cyber liability policies are intended to insure against events like loss or theft of data and unauthorized access or use of an insured’s computer system. When it comes to SEC enforcement actions or shareholder litigation, it’s a company’s D&O insurance policy that is the most likely to respond on behalf of a CISO.

Make no mistake, however: Cyber insurance policies are still extremely important, providing both resources and a financial backstop when a cyber breach occurs. According to Woodruff Sawyer cyber expert David Anderson:

Regulators like the SEC and other potential third-party litigants are more likely to target individuals and companies that have calamitous, visible cyberattacks. Insurance is the last line of defense, which means that the cyber policy is there to help “put the fire out” and provide required notice to victims. D&O policies, on the other hand, are there to indemnify against suits alleging negligence (or worse) in the decisions pertaining to running a company. With the right amount of prevention and practice—things that also will help you obtain better cyber insurance policies at better prices—hopefully, your company never has to file a claim on either policy.

Finally, consider some fundamental corporate governance issues. Companies will want to consider providing CISOs with a briefing on things like the importance of identifying vulnerabilities and ensuring that the right people at the company know about issues in a timely way. A company that is not training its CISOs on topics such as the meaning of sub-certifications and how to interact with the company’s disclosure committee is a company that is letting down its CISO.

Training across the entire department on how to avoid writing emails, instant messages, and other communications that will look terrible after a cyber event would also not be amiss.

CISOs Deserve to Sleep at Night

Being a CISO is hard enough; these folks need to be able to sleep at night. Indeed, companies that take steps to protect their CISOs will, in the long run, have the most effective CISOs. Training a CISO on relevant corporate governance issues, making sure you have appropriate cyber insurance, and especially providing a CISO with an indemnification agreement and protection under the company’s D&O insurance program will increasingly become table stakes for talented CISOs. And these are, after all, exactly the people companies need to lead the charge when it comes to avoiding and mitigating devastating cyber catastrophes in the first place.