SEC Enforcement Risk: Mitigation for Companies and Chief Information Security Officers
Publication | 05.14.24
With stronger rules requiring disclosure of cyber risk and cyber breaches, 2023 has seen heightened SEC enforcement of companies’ obligations in cyber breaches and, notably, enforcement charges brought directly against Chief Information Security Officers (CISOs).
Charges the SEC filed on October 30, 2023, against SolarWinds and its former CISO, Timothy G. Brown, are a key illustration of this risk. The SEC charges alleged fraud and internal control failures related to cybersecurity vulnerabilities and risks that the defendants allegedly knew about. The SEC asserts that the defendants defrauded investors by overstating SolarWinds’ cybersecurity protections and failing to disclose known risks, violating the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, and that Brown aided and abetted the company’s alleged violations.
Given the environment of increased enforcement activity, companies must be aware of potential exposures to themselves and their CISOs related to cyber disclosure, and they should be taking steps to mitigate those risks. Protection for CISOs is particularly important given that they may be individually targeted by the SEC in the aftermath of a cybersecurity incident, as shown in the recent example of Brown at SolarWinds.
Companies should implement rigorous training programs that will put them in the best position to avoid enforcement actions for failures to detect and disclose cybersecurity weaknesses. Part of that training should include educating CISOs on the mechanism for promptly reporting cyber incidents to those who need to know, and on how to interact with the company’s disclosure committee. Taking these steps will not only protect CISOs when it comes to SEC enforcement activity, but will also increase their effectiveness and performance in protecting their employers against cyber catastrophes.
Along with cybersecurity training, another way companies can protect their CISOs is by ensuring that their Directors and Officers (D&O) insurance programs cover CISOs, just as they protect other company officers, including CEOs and CFOs. Cyber liability insurance is important, but cyber coverage typically protects against unauthorized access to a company’s computer systems or against data loss or theft; it does not safeguard CISOs against enforcement actions that may arise from decisions and actions taken as part of their duties. Ensuring that CISOs are protected under the company’s D&O coverage can provide executive officers with valuable peace of mind and the critical funds needed to defend against what could be very costly enforcement actions following a breach, as well as indemnity against potential judgments or settlements.