By Byron V. Acohido

The compliance variable has come into play in an impactful way.

Related: Technology and justice systems

The U.S. Security and Exchange Commission (SEC) recently laid down the hammer charging and fining four prominent cybersecurity vendors for making misleading claims in connection with the SolarWinds hack.

SEC investigators gathered evidence that Unisys Corp., Avaya Holdings, Check Point Software Technologies, and Mimecast Limited each minimized or obscured the extent of security breaches linked to the SolarWinds Orion hack, impacting investor trust and highlighting the critical importance of clear, truthful communication.

Unisys, for instance, was found to have framed cyber risks hypothetically even though its systems had already been breached, exfiltrating gigabytes of data. Avaya, Check Point, and Mimecast also downplayed the impact, contributing to the SEC’s decision to impose hefty civil penalties.

As organizations continue facing escalating cyber threats, how they communicate multiplying and rapidly morphing cyber exposures – in essence how much they choose to abide by industry standards and embrace ethical practices — remains under intense scrutiny.

With this in mind, Last Watchdog sought commentary from technology thought leaders about what this milestone enforcement action by the SEC portends, going forward. Responses edited for clarity and length:

Kumar

While the SEC has fined the corporations, CISOs are worried that they may be held individually responsible and feel targeted by both attackers and now law enforcement. There should not be any subjectivity on what makes an incident go beyond the threshold of disclosure.

A security incident is often an indication of poor investment in security programs, rather than personal characeteriziation of the security leader. So, we should allow leaders to speak more publicly and ask for more security resources.

Joe Nicastro, Field CTO, Legit Security

Nicastro

Transparency in cybersecurity remains a complex balancing act. In a world of interconnected services, GenAI-driven tools, and continuously new and novel emerging threats, full disclosure is not always practical or even possible. But the SEC’s latest actions underscore that failing to inform stakeholders about material risks and breaches is not an option. Moving forward, companies that establish strong disclosure processes will be better positioned to maintain trust and manage regulatory scrutiny effectively.

Willy Leichter, CMO at AppSOC

Leichter

None of these companies would have stood out if they had come clean about being breached. But the corporate inclination towards minimizing, spinning, or outright lying about an embarrassing incident was too strong for these companies to resist.

The self-inflicted reputational damage now is far worse than it would have been had they been forthright at the outset. Timely, detailed, and accurate communication after a breach is both legally required and the best damage-control strategy.

Stuart McClure, CEO, Qwiet AI

McClure

The SEC’s goal appears to be to hold these companies accountable to investors for any successful cyberattacks and expose the company’s lack of preparation and prevention.

We hope that transparency goals are achieved but these tactics may have the opposite effect given the fine sizes. $1 million for a company the size of Checkpoint is but a slap on the wrist. This action may drive reporting deeper underground. Only time will tell.

Steven Worth, Acting COO, Token

Worth

I’d like to see the industry help regulators and standards setters develop more uniform and consistent recommendations that would become true best practices. This could dovetail with a national information privacy law.

We have the benefit of learning from GDPR in Europe as well as other flavors of privacy laws in Canada, Utah, Virginia and other jurisdictions. The last thing we need is a patchwork of 50 different laws across the States. There should be a common-sense approach that can make it through the federal legislative process.

Jonathan Gill, CEO, Panaseer

Gill

Security professionals have a sword of Damocles over their heads. They’re being asked to provide more accuracy and assurances when reporting. Despite having an army of tools, they have huge visibility gaps over increasingly complex IT environments.

Addressing this root cause must be a priority. Accountability and responsibility in cybersecurity are positives, but they must be a collective effort, where everyone in an organization knows their role.

Joe Evangelisto, CISO, NetSPI 

Evangelisto

I expect these charges to ripple across boardrooms, forcing corporations to have more in-depth conversations on cybersecurity risks and controls. The big question for corporations is the level of transparency they are comfortable with.

Corporations should take steps today to adopt transparency as a core tenant. Implementing this core tenant as part of a cybersecurity program will in turn further mitigate cybersecurity risks, increase security controls, and allow for greater customer trust.

Daniel Lakier, Field CSO, Myriad360

Lakier

Cyber professionals represent the companies they work for and are meant to protect them. Companies have a fiduciary responsibility to protect their investors, employees and the public. However, investor and employee interests may not always align with public interest.

Given that public trust is at a low point, the SEC’s action is timely and needed, even if the precedent makes me feel uncomfortable. The temptation to ‘spin,’ or potentially even outright lie, remains too high.

Richard Bird, CSO, Traceable

Bird

These penalties are hollow.The SEC fixates on time-to-report metrics and vague “materiality” without defining it. This ambiguity has led to a deluge of 8-K filings from companies hedging with, “We’re unsure if this is material, but here’s our report.” Over a decade, the SEC’s enforcement has not improved cybersecurity outcomes but has burdened firms with compliance. Faster breach notifications are like police arriving weeks late to announce you were robbed—ineffective and disconnected from real security improvement.

Dane Grace, Technical Solutions Manager, Brinqa

Grace

I’m generally for radical transparency. Fines are great and all, but until we see executives going to prison, these things are still going to figure into a cost-benefit analysis.

With hyper-interconnected services on the rise and GenAI starting to disrupt things, companies ought to disclose information about all affected parties as early as possible and follow up with findings — up until the conclusion of the incident response investigation.

Antonio Vasconcelos, Customer Engineer, Zero Networks

Vasconcelos

The points raised by SEC in this investigation revealed troublesome practices. For example, reporting overly generic incidents, after disclosing a breach in one’s network, and even “material omission” of vital details.

There is only one path forward: transparency. The more transparent and the more collaborative we are collectively, the more effective we can be in fighting cyber threats, especially those like the supply chain attack on SolarWinds Orion, given how large its scale and impact was.

Redekop

As threats evolve, the lines between transparency and caution will need to be continuously reassessed, with a balance that serves both corporate and customer interests. In some jurisdictions, this line is most-effectively drawn by a government-appointed privacy commissioner who is required to remain neutral and yet ultimately serves the citizens of its country.

Ultimately, organizations should strive for a disclosure approach in layers —sharing enough information to maintain transparency and trust while protecting critical details that could be exploited.

Miracco

These penalties may not result in a cultural shift, but some organizations will begin by prioritizing cybersecurity as a critical component of corporate governance. Other companies may continue to rely on hiding the ball, scapegoating and relying on insurance to cover the losses.

Companies can navigate the challenges of interconnected services while maintaining security and stakeholder confidence. The key is to disclose information that helps stakeholders understand the company’s cybersecurity risk management without revealing sensitive operational details.

 Scott Kannry, CEO, Axio

Kannry

The SEC is serious about companies disclosing the details of an event if it is relevant to investors. This type of thinking really boils down to the impact: Will an investor’s returns be affected by this?

Moving forward, companies can comply with this by shifting more of their risk management practices to include this concept of impact. Want to stay out of trouble? Create a plan, assess the impacts, and disclose the relevant facts honestly.”

Jim Routh, Chief Trust Officer, Saviynt

Routh

These events represent a clear shift in the regulatory landscape. The message to the industry is they must improve the accuracy of the information shared with the SEC specific to security incidents and the enterprise impact.

This enforcement has already had an impact on the sensitivity of CISOs managing their individual obligations. Some have moved away from the CISO role. Other CISOs are changing how they negotiate indemnification coverage before accepting a new position.

Stephen Kowski, Field CTO, SlashNext Email Security+

Kowski

These fines, while modest for large enterprises, send a clear signal that regulators expect precise, timely, and truthful cybersecurity disclosures – especially when public trust and investor interests are at stake.

As threats become more sophisticated, companies need advanced security solutions that enable them to make informed decisions about what to disclose and when. This balance between security and transparency will become increasingly crucial as organizations face more complex cyber threats and stricter regulatory oversight.

Andrew Harding, VP of Security Strategy, Menlo Security

Cyber defense providers need to help prevent breaches and reduce the impact of security events so that incidents are less frequent and have a smaller blast radius. The increasing sophistication of cyberattacks make this harder every day.

More guidance and increased regulatory scrutiny from trusted agencies make sense in such an environment. Such guidance, inspection, and consequences will drive the right solutions and encourage high-integrity operations during a time of rapid change in available technology and the threat environment.

Jeff Margolies, Chief Strategy Officer, Saviynt: 

Margolies

We are still too focused on victim blaming companies that are breached. A far more effective approach would be to help companies that are clearly out-gunned by the adversary.

Set clear standards on what is required by the private sector, and what the government will do to assist with cybersecurity. Bottom line, until government regulators stop blaming companies, they need to be very cautious in disclosures.

Stephen Gates, Security SME, Horizon3.ai

Gates

Due care and due diligence are the CISO’s lifelines. Documenting your actions, constantly assessing the organization’s risks, and proving your teams’ risk reduction efforts have been effective provides the evidence of a proactive, diligent approach that’s defensible under scrutiny.

If companies hired CISOs and/or security leaders who walked this walk, there would never be any reason whatsoever to mislead anyone. Simply put, there would be nothing to hide.

Keith McCammon, CTO of Red Canary

McCammon

One of the best things companies can do to prepare is to clearly define a material cybersecurity incident in the context of their business, where a key component of both the criteria and response plan is the identification of key stakeholders.

We are starting to see more and clearer signals that the U.S. government at-large—via the National Cybersecurity Strategy, CISA, and other agencies—will continue to push for legislation and enforcement as it relates to cybersecurity preparedness, compliance, and reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

November 13th, 2024 | My Take | Top Stories