On 30 October, the US Securities and Exchange Commission filed civil fraud charges against SolarWinds Corp and its Chief Information Security Officer, Tim Brown, in connection with the cyber attack disclosed at the end of 2020 and the company's public statements about its security posture before and after the breach. The charges allege that investors were misled by overstatements of security controls in the company's public filings.
Brown is the first CISO in the US to face personal SEC fraud charges relating to cyber security disclosures. He is not the first to face personal consequences in the role. A year ago, Joe Sullivan, the former Chief Security Officer of Uber, was convicted of federal crimes relating to his handling of the 2016 Uber breach — specifically, paying the attackers $100,000 as a bug bounty in exchange for non-disclosure, and not informing the FTC, which was already investigating Uber. Sullivan was sentenced in May this year to three years' probation. He avoided prison.
Together, these two cases mark a regime change in personal accountability for security leaders. I want to write about what UK CISOs and the boards that employ them should be taking from this — because the UK is not far behind, and the Cyber Security and Resilience Bill signalled in the King's Speech earlier this month is likely to import some of the same accountability expectations.
What the Brown charges allege
The SEC's complaint focuses on public statements SolarWinds made about its security practices — both routine disclosures and a security statement published on the company's website — which the SEC alleges materially overstated the company's controls and misled investors. The charges also relate to internal communications in which SolarWinds employees, including Brown, expressed concerns about the company's security posture that, in the SEC's view, contradicted the public picture being presented.
The SEC is alleging two things in combination: that the public statements overstated reality, and that the CISO knew or should have known that they did. Whether the SEC can prove this in court is a separate question. Regardless of the outcome, the case will change how CISOs sign off on public statements about security.
What the Sullivan conviction established
Sullivan's case is older but the principle is the same with sharper edges. The 2016 Uber breach was real. Sullivan's defence was, in essence, that the payment to the attackers was a legitimate bug-bounty arrangement and that the breach did not require disclosure under the rules in force at the time. The jury did not accept this. The judge described it as a cover-up. Sullivan, a former federal prosecutor himself, became the first US executive convicted of crimes relating to incident handling.
The Sullivan case is the procedural one. The CISO must not, under regulatory inquiry, take actions that conceal a breach. The Brown case is the substantive one. The CISO must not allow the company's public statements about security to be materially inaccurate. Together they bracket the legal exposure of the role in the US.
Why this matters for UK CISOs
The UK is not the US, but the direction of travel is the same. Three reasons.
The Cyber Security and Resilience Bill, announced in the King's Speech this month, will widen the perimeter of regulated cyber security activity, sharpen incident-reporting obligations, and is widely expected to introduce, over time, greater personal accountability for senior officers. The drafting is not yet public. The direction is.
The ICO's enforcement posture has hardened through 2023. The fines against Tuckers Solicitors, Interserve, and others have focused increasingly on the controls in place before the incident and on the documentation around senior decision-making. The pattern is consistent with the SEC's stance: the regulator wants evidence of what the senior responsible person knew and decided.
The FCA and PRA are paying closer attention to cyber resilience for regulated firms, and personal SMCR responsibilities already include the senior manager accountable for IT and operational resilience. A CISO who is also a Senior Manager Function holder in a regulated firm has personal regulatory exposure today, before any new Bill.
What CISOs should do this quarter
Three pieces of work to start now, not later.
Read your public security statements and your last three annual reports' cyber risk disclosures. Are they still true? Are the controls described still in place at the level described? If something has slipped — a project paused, a control degraded, a vendor change — is the public statement still accurate? If not, the choice is to update the statement or to update reality. The choice that is not available is to leave both alone.
Audit your incident-handling decision log. For any material incident in the past 24 months, can you reconstruct the decision tree: who knew, when they knew, what was decided, what was reported externally, what was not, and why? If the honest answer is "not really, the records are partial", this is the work to do this quarter.
Make sure the directors' and officers' (D&O) liability insurance covers you personally for civil regulatory exposure relating to cyber. Many CISO policies do not. Check before you need to.
What boards should do
Two things.
Provide air cover for honest reporting. The pattern the SEC is pursuing, public overstatement of controls, usually originates not in the CISO's office but in the marketing and investor relations functions, which want the security posture to sound strong. The CISO is then asked to bless statements they would not have written. Boards that protect the CISO's right to push back on optimistic phrasing produce more accurate disclosures. Boards that do not will, eventually, produce Tim Brown-shaped outcomes.
Ensure the CISO has a direct line to the audit committee that is not mediated by the executive team. The audit committee is the natural venue for the things we cannot fix this quarter and should be on the record about. The CISO who has that channel can, when it matters, escalate. The CISO who does not, cannot.
One sentence
The CISO role has been escalating into the C-suite over the past decade, and the Brown charges are the moment the legal exposure escalates to match. The firms that respond by writing honest disclosures and documenting decisions will be fine. The firms that respond by buying the CISO better D&O cover and changing nothing else will not be.
This is the year that calculation changed.