New risk management framework helps with SEC mandate compliance

In a landmark enforcement action that has become a transformational moment for CISOs and corporate cybersecurity practices, the US Securities and Exchange Commission (SEC) charged the SolarWinds Corporation and its CISO, Timothy Brown, with fraud and financial disclosure failures related to their cyber risk management practices. This case, stemming from the infamous SUNBURST cyberattack, highlights the grave consequences of inadequate cybersecurity risk management and disclosure practices. The development and implementation of a defined cyber risk management program will be necessary to protect against this new liability.

The SUNBURST attack, attributed to Russian state-sponsored hackers, exploited vulnerabilities in SolarWinds’ network to insert malicious code into the company’s Orion software, affecting over 18,000 global customers. Internal communications revealed that Brown and SolarWinds employees were aware of significant cybersecurity deficiencies, including issues in developing secure products and access control failures. Despite this knowledge, SolarWinds posted what the SEC said were misleading statements about its cybersecurity practices, suggesting a more secure environment than what existed internally.

The SEC’s complaint alleges that from at least October 2018 through January 2021, SolarWinds and Brown engaged in a series of misstatements and omissions, painting a false picture of the company’s cybersecurity controls, and exposing investors to undisclosed risks. The SEC’s action against Brown marks a significant shift, holding individuals personally liable for cybersecurity-related disclosure deficiencies. Unlike other cases based on claims of negligence and bad security hygiene, the fundamentals of this case revolve around risk management – in particular the ability to properly identify risks, escalate those risks, and meet mandated disclosure obligations. This case underscores the critical need for CISOs to move beyond ad-hoc risk practices and implement clearly defined cyber risk management programs to navigate these heightened regulatory expectations effectively.

Current cyber risk management practices often lack a systematic approach and instead rely on ad-hoc risk tools and processes. These are supported by governance structures that function merely as informed bodies, failing to fulfill their intended purpose of providing effective oversight for a cyber risk management program. This absence of a standalone and clearly defined cyber risk program exposes executives, board members, and now CISOs to emerging obligations.

SEC focuses on risk management disclosures to protect investors

The SEC over the last few years has been consistent in its expectation that enterprises develop and implement mature cyber risk management programs. In 2018 it said “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

The commission has since codified this guidance into the new cyber risk disclosure rules. On July 26, 2023, the SEC adopted final rules that fundamentally reshape how public companies approach and disclose their cybersecurity practices. International securities regulators have established similar oversight obligations, which have become common expectations that carry their own burden of accountability.

Security as a strategic business imperative

At the heart of these new rules is a recognition that cybersecurity is no longer just an IT issue; it’s a strategic business imperative and a central pillar of corporate governance. Public companies are now required to report material cybersecurity incidents within four business days and to include detailed cybersecurity risk management disclosures in their annual reports. This seismic shift underscores the need for a clearly defined and robust cyber risk management program: one that is defined, defendable, and supported by authoritative sources such as standards, case law, regulatory guidance, and reputable organizations like the National Association of Corporate Directors (NACD).

Understanding the SEC mandates

The final SEC rules, effective on December 18, 2023, require companies to disclose material cybersecurity incidents promptly and to articulate their cybersecurity risk management strategies, governance, and processes in their annual reports. The SEC’s shift from encouraging to mandating these disclosures reflects an evolving understanding of the systemic risks that cyber threats pose to each entity and investor.

The final rules emphasize not just the need for incident reporting for material incidents but also the necessity to take a holistic view of how companies manage cyber risks. This includes board oversight of cybersecurity risks, the role of management in handling these risks, a clear articulation of processes for managing risks, and timely escalation and disclosure of material risks — the basis of the SolarWinds civil action. A defined program which operates on a standalone basis, with trusted and repeatable outputs, is what is being demanded.

Cyber Risk Management Program (CRMP) framework

The Cyber Risk Management Program (CRMP) framework, as detailed in our book published by O’Reilly Media, “Building a Cyber Risk Management Program,” offers a structured and comprehensive approach to cybersecurity. This framework is particularly relevant for complying with regulatory requirements like those from the SEC and other oversight bodies. We have provided a detailed mapping of this framework to existing authorities.

The CRMP framework offers a structured, comprehensive, and defendable approach to building a cybersecurity risk management program aligned to a variety of authoritative sources. This framework is designed to help companies define a program that is not just compliant with regulatory mandates but also strategically positioned to help organizations find the right balance of risk and reward through their digitization and business transformation.

The CRMP Framework is built on four core components:

  • Agile Governance
  • A Risk-Informed System
  • A Risk-Based Strategy and Execution
  • Risk Escalation and Disclosure

Supporting these core components are 23 principles that provide further guidance on implementing the CRMP Framework effectively. These principles cover a wide range of topics, from technical aspects of cybersecurity to organizational culture and stakeholder engagement. The four core components are explained below:

Agile Governance: Defining roles and responsibilities for oversight, managerial, and operational governance

Agile governance is the first core component of an effective cyber risk management program. This refers to the flexible and adaptive management structures aligned with other risk frameworks in the organization, capable of responding quickly to evolving cyber threats. It provides guidelines for establishing governance structures that involve not only IT departments but also engage board members and executive management, ensuring a top-down commitment to cybersecurity.

Risk-Informed System: Understanding and reporting threats at the right level of governance

A risk-informed system is crucial for establishing a process to define appetite and tolerance as well as processes for identifying, assessing, and prioritizing cybersecurity threats. The SEC mandates that public companies must report cybersecurity incidents and disclose their overall risk management strategies. This requirement highlights the need for a system that continuously informs the organization about its cyber risk exposure. It also enables a capability of identifying material risks, based on appropriate considerations, in a timely manner – a necessary capability to meet the SEC obligations.

Risk-Based Strategy and Execution: Finding balance and executing to business-defined risk thresholds

A risk-based strategy is about developing cybersecurity measures that align with the organization’s defined risk appetite and tolerance to meet business objectives. This strategy must be clearly articulated in the company’s annual disclosures as per the SEC’s new rules. The CRMP framework assists companies in developing a risk-based cybersecurity strategy by providing a structured approach to aligning cybersecurity initiatives with business goals. It emphasizes the importance of understanding the business context of cyber risks, which allows companies to allocate resources more effectively and make strategic decisions that balance risk with business objectives.

Risk Escalation and Disclosure: Transparency and accountability

Risk escalation and disclosure cover the processes for escalating cybersecurity risk in a programmatic way: not just incidents, but any risk that falls outside the defined tolerance. This component provides clear guidance within the organization and the mechanisms for reporting these incidents to external stakeholders, including regulators. The SEC’s mandate for reporting material cybersecurity incidents within four business days exemplifies the importance of having robust escalation and disclosure protocols.

The CRMP framework provides clear guidelines on how to establish effective risk escalation and disclosure processes. This includes defining thresholds for what constitutes a material cybersecurity risk and incident, establishing clear lines of communication within the organization, and developing protocols for timely external reporting.

A programmatic approach is critical to meet these new obligations and effectively manage risks in this digital environment. Approaches to risk management have historically revolved around tool-based or ad-hoc risk processes that would not satisfy the maturing obligations. The SolarWinds civil action can fundamentally be traced to the absence of a programmatic cyber risk management program, and to reporting, escalation, and transparency outputs that were not mature enough for the services the company provided and the responsibilities it bore.

Implementing the CRMP framework: Steps for compliance

Building and implementing a defined cyber risk management program is a journey. Most organizations have risk tools and processes in place. Shaping these into a program takes intention and time. Here is a recommended approach for using the framework, its four core elements, and 23 supporting principles:

Initial assessment: Companies should start by conducting a thorough assessment of their current cybersecurity risk management program, including assessing if their risk practices are a program that can stand on its own, with basic policies and processes operationalized, not simply ad hoc risk tools.

Gap analysis: Compare the current cybersecurity risk management practices against these new requirements, using the CRMP framework and the SEC’s new rules as the baseline. Identify gaps and areas that need to be developed or improved.

Framework integration: Integrate a CRMP framework into existing cybersecurity practices and other risk frameworks the organization may have in place, such as enterprise risk management (ERM) platforms, ensuring that all aspects of the SEC’s mandates are addressed. This includes establishing clear protocols for incident reporting and developing comprehensive risk management processes.

Training and awareness: Conduct training and awareness programs for all employees, especially those involved in cybersecurity and risk management. Ensure that the board and management are well informed about their roles and responsibilities under the new framework.

Continuous monitoring and improvement: Establish mechanisms for continuous monitoring and assurance of cybersecurity risk management practices, providing regular updates to the cyber risk management program in line with the CRMP framework’s guidelines. This is separate from other cyber protection efforts: the program itself needs monitoring, and third-line audit plays a critical role in this.

Documentation and reporting: Document all processes, incidents, and management actions. Prepare for annual disclosures as per SEC requirements, ensuring that all aspects of the cybersecurity risk management program are clearly articulated and transparent.

The SEC’s new rules mark a watershed moment in corporate governance, placing cybersecurity at the forefront of regulatory and investor scrutiny. The CRMP framework, with its structured and comprehensive approach to cybersecurity risk management, offers a viable solution for companies looking to comply with these new mandates.

We’re in a transformative moment, needing an intentional transformative approach. By adopting the CRMP framework, companies can not only meet their regulatory obligations and protect themselves and their executives from budding liability but also engage the security department strategically with the business as it finds an evolving balance of risk and reward in this digitized economy.
