{"id":2807,"date":"2023-12-14T14:13:07","date_gmt":"2023-12-14T19:13:07","guid":{"rendered":"https:\/\/seci.wpenginepowered.com\/?p=2807"},"modified":"2023-12-14T14:13:12","modified_gmt":"2023-12-14T19:13:12","slug":"cybersecurity-enforcement-and-chief-information-security-officers","status":"publish","type":"post","link":"https:\/\/seciblog.pli.edu\/index.php\/cybersecurity-enforcement-and-chief-information-security-officers\/","title":{"rendered":"Cybersecurity Enforcement and Chief Information Security Officers"},"content":{"rendered":"

SolarWinds Corporation, a provider of IT infrastructure management software products, completed its IPO in the fall of 2018.\u00a0 In its IPO registration statement and periodic reporting, the company disclosed lengthy cybersecurity risk factors.\u00a0 For example, in its December 31, 2019 Form 10-K<\/a>, the company included this risk factor:<\/p>\n

If we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences.<\/strong><\/p>\n

We are heavily dependent on our technology infrastructure to sell our products and operate our business, and our customers rely on our technology to help manage their own IT infrastructure. Our systems and those of our third-party service providers are vulnerable to damage or interruption from natural disasters, fire, power loss, telecommunication failures, traditional computer \u201chackers,\u201d malicious code (such as viruses and worms), employee or contractor theft or misuse, and denial-of-service attacks, as well as sophisticated nation-state and nation-state-supported actors (including advanced persistent threat intrusions). The risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hacks, foreign governments, and cyber terrorists, has generally increased the number, intensity and sophistication of attempted attacks, and intrusions from around the world have increased.<\/strong> In addition, sophisticated hardware and operating system software and applications that we procure from third parties may contain defects in design or manufacture, including \u201cbugs\u201d and other problems that could unexpectedly interfere with the operation of our systems.<\/p>\n

Because the techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period and, therefore, have a greater impact on the products we offer, the proprietary data contained therein, and ultimately on our business.<\/p>\n

The foregoing security problems could result in, among other consequences, damage to our own systems or our customers\u2019 IT infrastructure or the loss or theft of our or our customers\u2019 proprietary or other sensitive information.<\/p>\n

(Note:\u00a0 Balance of the risk factor is omitted.)<\/p>\n

This risk factor provides a general discussion of cybersecurity risk.\u00a0 It does not address the nature and extent of actual cybersecurity risks facing the company, any specific steps the company is taking to address cybersecurity risk, or the strengths and weaknesses of the company\u2019s cybersecurity defenses.<\/p>\n

After the company experienced a major cybersecurity breach, these issues were at the center of the SEC\u2019s charges against the company and, interestingly, the company\u2019s Chief Information Security Officer (\u201cCISO\u201d).\u00a0 According to the SEC\u2019s Press Release<\/a> and the related Complaint<\/a>, the company was aware that its defenses against cybersecurity attacks were weak and that the company was extremely vulnerable to cyberattack.<\/p>\n

The Press Release<\/a> states:<\/p>\n

\u201cSolarWinds\u2019 public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown (The CISO), that SolarWinds\u2019 remote access set-up was \u2018not very secure\u2019 and that someone exploiting the vulnerability \u2018can basically do whatever without us detecting it until it\u2019s too late,\u2019 which could lead to \u2018major reputation and financial loss\u2019 for SolarWinds.\u201d<\/p>\n

Similarly, as described in the Press Release<\/a> and Complaint<\/a>, in 2018 and 2019 the CISO made presentations that stated the \u201ccurrent state of security leaves us in a very vulnerable state for our critical assets\u201d and that \u201c[a]ccess and privilege to critical systems\/data is inappropriate.\u201d<\/p>\n

SolarWinds\u2019 public statements about its cybersecurity practices and risks were very different from its internal discussions and documentation.\u00a0 As companies implement the SEC\u2019s new cybersecurity disclosures, there are clear lessons in this case.<\/p>\n

The Press Release<\/a> and Complaint<\/a> provide more details and discussion.<\/p>\n

As always, your thoughts and comments are welcome!<\/p>\n","protected":false},"excerpt":{"rendered":"

SolarWinds Corporation, a provider of IT infrastructure management software products, completed its IPO in the fall of 2018.\u00a0 In its IPO registration statement and periodic reporting, the company disclosed lengthy cybersecurity risk factors.\u00a0 For example, in its December 31, 2019 Form 10-K, the company included this risk factor: If we sustain system failures, cyberattacks against … Continue reading Cybersecurity Enforcement and Chief Information Security Officers<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false},"categories":[261,143],"tags":[],"coauthors":[154],"class_list":["post-2807","post","type-post","status-publish","format-standard","hentry","category-enforcement","category-hot-topic"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/comments?post=2807"}],"version-history":[{"count":0,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2807\/revisions"}],"wp:attachment":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/media?parent=2807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/categories?post=2807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/tags?post=2807"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/coauthors?post=2807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}