CISO SEC Incident Risk: Best Practices Checklist

November 28, 2023 | By IANS Research

On Oct. 30, 2023, the SEC charged SolarWinds and its CISO, Timothy G. Brown, with “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” On the heels of the FTC case against Uber’s former CSO Joe Sullivan, these legal cases have generated a lot of discussion and concern among CISOs and cybersecurity professionals.

This checklist of best practices is designed to help CISOs and cybersecurity leaders avoid actual or perceived missteps that could lead to allegations of fraud or failure of internal controls. While not a guaranteed approach, these best practices can help improve cybersecurity and be used in audits or investigations to demonstrate diligence in cybersecurity leadership.

Cybersecurity Program Documentation for CISOs

  • Review, revise and maintain cybersecurity policies, procedures and playbooks.
  • Clearly delineate what is current practice and what is aspirational.
  • Avoid the use of superlatives or all-encompassing words such as “all” or “every,” unless there is clear evidence to support it.
  • Use data retention to encourage formal documentation and reduce retention of informal conversations.
    • Do not use messaging services such as Slack and Teams as data repositories or sources of truth for decisions.
    • Set data retention to short periods of time for all unregulated data. This is not to hide information, but rather to reduce confusion and eliminate conflicting or casual discussion that could later be taken out of context.
    • Clearly communicate and document sources of truth for information (e.g., architectures are in Visio).

CISO Security Risk Communication

  • Develop public-facing (external) descriptions of:
    • How you assess and manage cybersecurity risks.
    • Cybersecurity risks that are likely to materially affect your organization’s operations or financial condition.
    • Your board’s role in overseeing cybersecurity risks.
    • Management’s role in assessing and managing cybersecurity risks.
  • Ensure alignment between these public-facing descriptions and your internally documented cybersecurity risks.
    • These lists should not be identical because your internal communication and documentation are likely much more detailed and could provide a blueprint for an adversary to launch an attack.
    • Instead, provide summarized and sanitized versions of cybersecurity risks that a reasonable shareholder would want to know about when making an investment decision. For example, a shareholder and the general public do not need to be informed of a specific vulnerability in a widget received from a supplier. However, public-facing documents should note the organization is “continuing to assess and manage cybersecurity risks in the supply chain to reduce and mitigate vulnerabilities in vendor products.”
  • Demand the right to review and edit any public-facing organization communications (SEC filings, marketing materials, website, etc.) that address cybersecurity or cybersecurity-related topics.
  • If you disagree with what is being said and cannot change it, document this in the risk register.
  • Maintain a detailed risk register.
    • Document to whom, how and when you communicate the risks.
    • Document all dispositions and decisions.
  • Take a course in careful communications with your team.
    • This should be tailored to your organization and practice, if possible.
    • This should cover internal communications, as well as those that are public facing.
  • Consider that everything you put in a text, email or message, even informal comments, could someday be read aloud in a courtroom.

CISO Incident Management and Response Process

  • Ensure your incident response procedures include specific details around escalation and communication.
  • If you are required to file Item 1.05 of Form 8-K, work with your legal and cybersecurity team(s) to ensure it is accurate and comprehensive.
  • Edit your incident response procedures (if necessary) to allow for the updating of the 8-K form as new information comes to light during your investigation.
  • If your marketing materials overstate or embellish capabilities, it is important to address this and be forthcoming with information that will address the incident, minimize impact and continue to maintain trust with stakeholders. Now is the time for transparency and truth.

CISO Personal Risk Management Tips

  • If you are an officer, understand what your directors and officers insurance covers and ask when changes are made.
  • Inquire with an attorney about personal liability insurance and ensure you are very clear on what is covered and what is not.

While it is going to take time to determine the true implications of the SolarWinds legal case, following this checklist will help cybersecurity leaders continue to do their best to protect their organizations and themselves.
