Go-To Guide:

SolarWinds Incident

Complaint Allegations

With respect to the incident itself and statements in SolarWinds' 8-K filing concerning the incident, the
- It said the cyberattack “could potentially allow” a data compromise, when SolarWinds allegedly knew this was not theoretical but rather that the attacker had already compromised the server and had already utilized the vulnerability with three different customers since May 2020;
- It said SolarWinds was doing an investigation including “whether a vulnerability in the Orion monitoring products was exploited,” when in fact SolarWinds knew it had been exploited at least three times;
- It said SolarWinds was “still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited,” when the SEC claims SolarWinds and its CISO had specific knowledge that this had already happened.
Takeaways
- The SEC's complaint puts public company CISOs directly in the crosshairs. Therefore, CISOs in their employment agreements will likely seek to get companies to agree to pay for legal fees and indemnify them (if possible) from any such actions. Companies may need to review their D&O insurance coverage to determine if it would provide protection for CISOs in the event of a regulatory investigation or litigation.
- Companies should consider reviewing all public statements about their security posture to make sure they are supported by the evidence; this includes any security statements provided in customer agreements. Because there is sometimes a disconnect between the employees who draft these documents, which are often more sales/marketing in nature, and those who handle security, there should be clear lines of communication across functional areas and business units.
- Companies will need to make sure that the CISO reviews 10-Ks and 10-Qs to ensure they do not omit or understate known risks. Because every company has some security gaps, it could create risk for a company if they publicly disclose those gaps (threat actors read public filings too).
- If a company has an incident and needs to file an 8-K - which is now expressly required under the recently finalized SEC cybersecurity rules for public companies - it is important to be specific about what the company actually knows at the time. The SEC has fined investment advisors for similar misstatements. The new rule requires public companies to file an 8-K within four business days of determining materiality in the event of a cybersecurity incident (an analysis itself sure to cause heartburn). Although the SEC has acknowledged that companies may still be investigating an incident, and therefore many facts may not yet be known, the allegations against SolarWinds suggest a more aggressive approach. Companies may find themselves stuck between a rock and a hard place - if they are too definitive in their disclosures and the facts change, or if they aren't definitive enough, they could be accused of misleading investors. Regardless, an updated 8-K should be filed to disclose any information that was unavailable, or later found to be incorrect, at the time of the initial filing.
- Companies need to have more transparent communication between the CISO and executive leadership and the board. The complaint suggests that the CISO wasn't keeping management appropriately informed of the risks. Whether this is a fair assessment of what was happening is to be determined, but the new SEC cybersecurity rule explicitly requires companies to disclose in their 10-Ks how management and the board are overseeing cybersecurity risks.
- Companies must be careful when hiring third-party consultants to do security assessments. The reports of these assessments often read like a roadmap of where a company is falling short - in the consultant's view - of a fulsome cybersecurity program. Those can later be used against a company in an investigation of its public disclosures.
- Prior to obtaining a written report from the consultant, companies should ensure that they agree with the identified gaps and/or can provide additional information that might impact the findings.
- If the information security team disputes any report findings or if they have compensating controls not reflected in the report (i.e., the finding is accurate, but the impact is blunted by a different security measure), they should prepare a rebuttal memo contemporaneously documenting that additional information. An ex post facto review may be too late to be of benefit.
- Any critical or high vulnerabilities should be remediated immediately. While this may seem obvious, companies sometimes complete an assessment but never follow through with a remediation plan. Any such plan and its completion should be documented.
- Involvement of legal counsel can result in a privileged and focused analysis of improvements companies can make to their cybersecurity posture to reduce liability for similar investigations and litigation.
- Companies should consider regular training around what is appropriate to say in an email or on a Teams chat. Multiple statements cited in the SEC's complaint came from informal discussions over email or chat where employees may have felt it was a “safe” channel of communication.
- Companies should consider creating a reporting chain where lower-level employees feel empowered to share concerns with someone in management who isn't the CISO. That way management can learn of identified risks without relying on a single person to be the gatekeeper for those communications.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
URL: www.gtlaw.com
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source