How US SEC legal actions put CISOs at risk and what to do about it

With the US Securities and Exchange Commission (SEC) having taken legal action against CISOs at both SolarWinds and Uber, security executives feel the pressure to be absolutely precise when writing up security incidents that the company has decided are material. Things get tricky because even if the CISO’s report is perfect, someone up the line (the CEO, the CFO, general counsel, or even a board member) might make a change that the SEC finds problematic and possibly fraudulent.

Here’s the big problem: if the CISO sees the final version and realizes that the filing is misleading the SEC, that CISO can’t just sit back and say, “Well, what I wrote was fine. If the CEO makes a change, that’s on the CEO.” The CISO is legally required to report that fraud to the SEC under federal SEC whistleblower protections. Otherwise, the CISO could face charges of being an accessory after the fact to the fraud.

As bad as that may seem, it’s worse. Whistleblower protections only exist if the CISO is right and there actually is fraud. If the CISO is wrong, there are no protections, and the company can retaliate any way the company wants. 

This gets worse yet. The CISO’s task to determine if a filing is truly fraudulent is remarkably complicated. First, enterprises are permitted to not share details in some key areas, such as if the information would reveal too much to potential attackers or the information is preliminary and might be incorrect. Secondly, these rules are brand new, and the SEC is likely to give CEOs and CFOs a lot of leeway, at least initially, in deciding what to share.

The risks to CISOs are not clear but very real

“The SEC has not been clear enough [about] what is required from the CISO and from management. The process is usually owned by legal and never the CISO’s office,” said Michael Oberlaender, a former CISO with Sudzucker AG, Heidelberg Americas, and FMC Technologies, among others.

In short, if the CISO does not report fraud, the CISO could be in legal trouble. If the CISO does report alleged fraud to the SEC and is wrong, the CISO could be in serious corporate trouble.

“This is an extremely sticky situation. For the CISO, it’s absolutely a damned-if-you-do-and-damned-if-you-don’t nightmare,” said Umesh Yerram, a serial CISO who held CISO or similar security titles at AmerisourceBergen, Comcast, and IBM.

Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting, adds yet another headache to this equation. Some enterprise CISOs own a non-trivial number of shares of their employer’s publicly traded stock. If that executive knows of a fraud and is a stockholder, “now you have insider trading issues to deal with.”

How CISOs can minimize risk from the new SEC rules

Although the rules are new and enforcement of them uncertain, veteran CISOs and legal experts have advice on how CISOs can protect themselves from liability.

Keep records of original reports and filings in a safe place

Oberlaender advises CISOs to screen capture and otherwise save the CISO-written descriptions to an environment that the CISO directly controls, such as Google Drive, AWS, or Dropbox. This move only allows the CISO to later prove what the CISO originally submitted. If someone changes that document and files the revised version, there is little the CISO can do about that.

Obtain D&O insurance

Oberlaender recommends that CISOs have directors and officers (D&O) insurance policies to protect themselves. Ideally, the enterprise should pay for those policies, but if they refuse, he suggests that the CISOs pay for the policies on their own. 

Don’t read the final SEC filing document (or maybe do read it)

Oberlaender also offered a controversial suggestion. After filing the security incident write-up, CISOs should not look at what is ultimately filed to the SEC. “That might give the CISO plausible deniability,” he said.

Brush echoed Oberlaender and discouraged CISOs from reading the published report. “Why take on that liability? CISOs only need to know what they need to know. Once the CISO submits that stuff internally, the CISOs do not read what is published.”

That tactic, however, is not going to work, said Mark Rasch, a former federal prosecutor with the US Justice Department and currently in private practice specializing in cybersecurity issues. “Willful blindness is not an option,” Rasch said. “If the editing meaningfully changes what the CISO said, the whistleblower applies. Although the CEO has personal liability if the CEO fails to disclose what the law requires to be disclosed, the CISO has an obligation to report a knowingly false statement that the CISO knows about.”

It’s important to remember, Rasch said, that an enterprise “has broad discretion. They are allowed to couch their disclosures and soft-pedal it to some extent. It may not be black and white. The CISO is also not an expert on SEC disclosure rules. There are no hard-and-fast rules on what must be disclosed.”

Raise fraud concerns through corporate channels first

If CISOs find themselves in this awkward position, step one is to meet with the general counsel and listen to the attorney’s reasoning for the changes, Rasch said. If the CISO is still not satisfied, the next step is to meet with the CEO and listen to the chief executive’s rationale. If the CISO is still not satisfied, Rasch suggests hiring outside counsel to offer an ostensibly objective assessment of whether the filing constitutes legal fraud. 

After retaining counsel, all subsequent moves are fraught with danger. “If the CISO believes that there has been a fraud to the SEC, the CISO has an obligation to report it to the board. That may itself be corporate suicide,” Rasch said, adding that the next move, going to the feds, is even more problematic. “Going to the SEC is crossing the Rubicon.”

“The CISO is not an expert on SEC disclosures, but you have an officer who now knows that the company made materially false disclosures,” Rasch said. “There is a legal obligation for the CISO to do so if the CISO is right. And only if the CISO is right.”

Rasch then tempered his comment slightly, as he tried to articulate what an SEC lawyer is likely to consider. “You don’t necessarily have to be right, but you have to be reasonable. It’s going to be a question of degree.” In other words, if the CISO suspects fraud but chooses to not report it to the SEC or to the board, the CISO might not be prosecuted if the SEC concludes that the CISO reasonably assessed that no fraud existed. If the CISO is certain that fraud did exist, there is an obligation to report. 

Set expectations for SEC filings when hired

Brush argues that CISOs should negotiate, when they accept the CISO role, to have final say on SEC filings that deal with cybersecurity matters. At the very least, Brush said, the CISO should insist on being consulted about any changes before they are final, so that the CISO has an opportunity to argue why the change may be a bad idea.

Put objections to SEC filings in writing

Beyond that, Brush suggests that CISOs put in writing any objections to a filing. “If I have a dissenting view, I want it on the record,” Brush said. That doesn’t mean that it will be included in the filing. It merely means that the document is placed in a personnel folder or some other private location. If things blow up months later and become a legal mess, the SEC can discover the document that makes it clear that the CISO objected.

“If there is any IR [incident response] report that never sees the light of day, I am going to be putting in a dissenting view and making sure that it is filed away somewhere,” Brush said. “That’s an ace in your back pocket.”
