SolarWinds CISO Wants Global Cyber Laws After Winning Case

SolarWinds CISO Tim Brown, after beating the SEC's charges against him, is calling for governments across the globe to create cyber laws

SolarWinds CISO Tim Brown has come out of his victory in the court case brought by the US Securities and Exchange Commission (SEC) by calling for more robust global cyber security laws.

The case, now largely dismissed, followed an unprecedented lawsuit filed by the US which sought to hold Tim personally responsible for a massive Russian hack that compromised the company's systems in 2020.

Speaking to the Financial Times, Tim highlighted the current state of flux in global cyber regulations. "When you don't have rules to follow, it's very hard to follow them," he remarked, emphasising the stress this regulatory uncertainty places on cyber chiefs worldwide.

Tim Brown is CISO at SolarWinds

SolarWinds and the SEC

The SolarWinds incident, which came to light in 2020, sent shockwaves through the IT industry and government circles. 

The Austin-based IT supply chain company found itself at the centre of a sprawling espionage campaign attributed to Russian hackers. The breach's far-reaching consequences prompted the SEC to take unprecedented action, targeting not just the company but also its CISO personally.

This move by the SEC was part of a broader push to more aggressively address cyber risks. It also signalled a potentially alarming trend for cybersecurity professionals: the possibility of being held personally liable for data breaches.

The gravity of this shift is underscored by the case of Uber's former chief security officer, Joe Sullivan, who in 2023 received a three-year probation sentence and a US$50,000 fine for covering up a 2016 data breach. This marked the first criminal prosecution of a company executive over the handling of a data breach, setting a precedent that sent ripples through the cybersecurity community.

In response to these developments, the SEC introduced new cyber rules in 2023. These regulations mandated the disclosure of data breaches and required public companies to outline their cyber risk management processes, strategies, and governance in annual reports. 

Brown's call for a cyber equivalent of the Sarbanes-Oxley Act - a law that mandates certain practices in financial record keeping and reporting for corporations - reflects a growing recognition of the need for clearer guidelines in the rapidly evolving digital landscape. 

"You have to remember, the cyber issues are 20 to 30 years old. Other regulatory issues are hundreds of years old," Tim explained. "So we're just kind of catching up on the maturity of that model."

The dismissal of most claims against SolarWinds and Tim in July of this year marked a significant moment for the industry. The judge ruled that the SEC's attempt to apply accounting rules to cybersecurity processes was "not tenable," effectively limiting the regulatory body's reach in this domain. 

However, one claim of securities fraud based on a statement published on SolarWinds' corporate website was upheld.

Demand for greater government intervention 

This statement by Tim, although relating to security legislation, aligns with recent developments in the insurance industry.

Major players in the industry, Marsh McLennan and Zurich Insurance Group, have called for government support in securing cyber risk. 

In a whitepaper titled "Closing the cyber risk protection gap," these insurance giants compared the severity of some cyber attacks to terrorism and flooding, arguing that government oversight is needed to control the increasing "uninsurable" cyber risks. 

Meanwhile, pressure is piling up for the sort of regulation Tim is calling for. The recent global IT outage caused by a faulty update from cybersecurity firm CrowdStrike in July of this year has seen the company brought before Congress for a hearing. Such hearings have often resulted in regulation, including the SEC's 2023 reporting requirements.

The dismissal of claims against SolarWinds and Tim Brown represents a temporary reprieve for CISOs, but it also highlights the urgent need for clearer regulations and guidelines. As the industry navigates this complex terrain, the balance between regulatory oversight, personal liability, and effective risk management remains a pressing challenge. 

The call for public-private partnerships and innovative solutions underscores what industry is asking of governments in order to secure the cyber sphere.

Cyber Magazine is a BizClik brand