The first cyber chief to fight an effort by the US Securities and Exchange Commission (SEC) to hold him personally responsible for a massive Russian hack has called on global regulators to pass tougher cyber security laws. Tim Brown, chief information security officer at SolarWinds, faced a landmark lawsuit that accused him and the company of misleading investors by not disclosing “known risks” and inaccurately representing the company’s security measures.
Speaking to the Financial Times in his first interview since the complaint was largely thrown out by a federal court in July, Brown warned that global cyber regulations are still “in flux”, which “absolutely adds stress across the globe” for cyber chiefs. He emphasized that clear rules are crucial if cybersecurity professionals are to do their jobs effectively.
SolarWinds was relatively unknown until it fell victim to Russian hackers as part of a large-scale espionage campaign in 2020. The SEC’s lawsuit reflects its increased focus on targeting cyber risks under chair Gary Gensler’s leadership, as well as signaling that individuals could be held accountable for hacks.
Last year, Joe Sullivan, Uber’s former chief security officer, received probation and a fine for covering up a data breach from 2016. This marked the first criminal prosecution of an executive over mishandling a data breach. The SEC introduced new cyber rules last year regarding data breach disclosure and requiring public companies to outline their cybersecurity risk management processes in annual reports.
Brown expressed hope that global cyber regulations were moving in the right direction. He suggested that cybersecurity professionals would benefit from legislation similar to the Sarbanes-Oxley Act enacted after Enron’s scandal in 2002.
The lawsuit against SolarWinds has been seen as significant within the industry. Lawyers representing security professionals have cautioned about its potential impact on internal efforts to enhance company security if comments made during those efforts could later be used against them out of context.
District judge Paul Engelmayer ruled in July that applying accounting rules to cybersecurity processes was not feasible. While most claims against SolarWinds and Brown were dismissed, one claim of securities fraud based on a statement published by SolarWinds on its website was upheld.
A spokesperson for SolarWinds stated they planned to contest this remaining charge due to factual inaccuracies. Brown acknowledged that although uncomfortable personally, this lawsuit has given corporate security professionals more influence at executive levels and prompted important conversations within boards about cybersecurity issues.
Brown, who joined Cytactic’s advisory board this month, remains committed to his role at SolarWinds; he acknowledged his responsibility regarding the incident but emphasized his determination to rectify any shortcomings.
In terms of financial performance, SolarWinds reported $193 million in revenue for April to June 2022, compared with $246 million in the same period of the previous year, before the hack was disclosed. Although the shares have started to recover from the lows they reached earlier this year, they remain down over 40% overall since the incident, known as Sunburst.