Solarwinds CISO Wants Global Cyber Laws After Winning Case
SolarWinds CISO Tim Brown has come out of the stocks following his victory in the court case brought by the US Securities and Exchange Commission (SEC) by calling for more robust global cyber security laws.
The case, now largely dismissed, followed an unprecedented lawsuit filed in the US which sought to hold Tim personally responsible for a massive Russian hack that compromised the company's systems in 2020.
Speaking to the Financial Times, Tim highlighted the current state of flux in global cyber regulations. "When you don't have rules to follow, it's very hard to follow them," he remarked, emphasising the stress this regulatory uncertainty places on cyber chiefs worldwide.
SolarWinds and the SEC
The SolarWinds incident, which came to light in 2020, sent shockwaves through the IT industry and government circles.
The Austin-based IT supply chain company found itself at the centre of a sprawling espionage campaign attributed to Russian hackers. The breach's far-reaching consequences prompted the SEC to take unprecedented action, targeting not just the company but also its CISO personally.
This move by the SEC was part of a broader push to more aggressively address cyber risks. It also signalled a potentially alarming trend for cybersecurity professionals: the possibility of being held personally liable for data breaches.
The gravity of this shift is underscored by the case of Uber's former chief security officer, Joe Sullivan, who in 2023 received a three-year probation sentence and a US$50,000 fine for covering up a 2016 data breach. This marked the first criminal prosecution of a company executive over the handling of a data breach, setting a precedent that sent ripples through the cybersecurity community.
In response to these developments, the SEC introduced new cyber rules in 2023. These regulations mandated the disclosure of data breaches and required public companies to outline their cyber risk management processes, strategies, and governance in annual reports.
Brown's call for a cyber equivalent of the Sarbanes-Oxley Act - a law that mandates certain practices in financial record keeping and reporting for corporations - reflects a growing recognition of the need for clearer guidelines in the rapidly evolving digital landscape.
"You have to remember, the cyber issues are 20 to 30 years old. Other regulatory issues are hundreds of years old," Tim explained. "So we're just kind of catching up on the maturity of that model."
The dismissal of most claims against SolarWinds and Tim in July of this year marked a significant moment for the industry. The judge ruled that the SEC's attempt to apply accounting rules to cybersecurity processes was "not tenable," effectively limiting the regulatory body's reach in this domain.
However, one claim of securities fraud based on a statement published on SolarWinds' corporate website was upheld.
Demand for greater government intervention
This statement by Tim, although relating to security legislation, aligns with recent developments in the insurance industry.
Major players in the industry, Marsh McLennan and Zurich Insurance Group, have called for government support in securing cyber risk.
In a whitepaper titled "Closing the cyber risk protection gap," these insurance giants compared the severity of some cyber attacks to terrorism and flooding, arguing that government oversight is needed to control the increasing "uninsurable" cyber risks.
Yet pressure is piling up for the sort of regulation Tim is calling for. The recent global IT outage caused by a faulty update from cybersecurity firm CrowdStrike in July of this year has seen the company brought before Congress for a hearing. Such hearings have often resulted in regulation, including the SEC's 2023 reporting requirements.
The dismissal of claims against SolarWinds and Tim Brown represents a temporary reprieve for CISOs, but it also highlights the urgent need for clearer regulations and guidelines. As the industry navigates this complex terrain, the balance between regulatory oversight, personal liability, and effective risk management remains a pressing challenge.
The call for public-private partnerships and innovative solutions underscores what industry is asking of governments in order to secure the cyber sphere.
Cyber Magazine is a BizClik brand