Importance of Transparency in Cybersecurity Disclosures


  • Jason Fruge

    4x CISO | Senior Faculty @ Digital Directors Network | Boardroom Certified Technology Expert

    This is significant. I took a few things away from this action:

    1. The SEC discovered repeated internal discussions raised to the CISO and from the CISO regarding a rising number of significant vulnerabilities in the SolarWinds software.

    2. It is tempting for CISOs to put the best narrative possible in public risk disclosures for investors. In this press release, it says, "SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds' cybersecurity practices as well as the increasingly elevated risks the company faced at the same time," which is at odds with the internal knowledge of its rising vulnerabilities and attempts by threat actors to exploit its software.

    3. Cybersecurity risks are business risks, and CISOs must create a security committee with business leaders to manage those risks. They should also advise their Board on the risk decisions made by the security committee. Too often, companies expect the CISO and CIO to find the resources to address these vulnerabilities while at the same time putting pressure on them to continue cutting costs and innovating. That's why the security committee is vital. It's a forum for the CISO and CIO to surface resource constraints like those pointed out in the press release to get additional resources to mitigate these risks. Without governance involving business management and the Board, the stakeholders and shareholders will not get sufficient protection from cyber risk business disruptions.

    4. Many security and technology companies today still need a CISO and have yet to create a CISO role in their organizations. When evaluating a vendor, it's a good idea to look at their security program, including if they have a CISO, and get as much data as possible on how they govern product risk. If they don't have a CISO, it is a red flag. In the case of SolarWinds, at least they saw the need for the role. They didn't implement risk governance correctly. At least, that's what I gather from the SEC press release.

    #cybersecurity #ciso #boardgovernance

  • Matthew Rosenquist

    Founder Cybersecurity Insights, CISO at Mercury Risk, former Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker

    SEC is Not Accepting Half-Truths!

    The U.S. Securities and Exchange Commission has fined four major companies for materially misleading investors regarding cyberattacks. Regulatory actions have been brought against Unisys, Avaya, Check Point Software, and Mimecast for their purposeful decisions to not clearly inform customers and shareholders of the attacks and breaches they suffered as part of the SolarWinds cyberattack. The SEC concluded that these companies were purposely vague by framing their #cybersecurity risk factors hypothetically or discussing them in generic terms, even after knowing the issues were present and material. Reporting material issues to shareholders is a requirement for public companies, so investors will have the same information to make decisions as the insiders of the company.

    Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit, warned that “downplaying the extent of a material cybersecurity breach is a bad strategy”. The result of this investigation is that Unisys Corporation is fined $4 million as a civil penalty for misleading disclosures and a failure to maintain proper controls over its public statements. Check Point, Avaya, and Mimecast were fined close to $1 million each for similar reasons.

    The message to boards, C-suites, and especially Chief Information Security Officers (CISOs) is clear – report material breaches as required by the governing regulations. Misleading or false statements are not acceptable. Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, stated “…while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”

    Security must be seen as a center of trust. Ethical representations of risks and impacts are the foundation. This includes messages and formal notifications to shareholders and customers. CISOs must recognize their new responsibilities and actively navigate conflicts of interest they experience, and honor their duties.

    SEC Press Release: https://lnkd.in/geRFcW7N

  • 20 million records, a Teams chat & costs of downplaying cyber threats ⬇️

    What began as a small-impact incident at the Co-op has escalated into one of the UK’s most serious recent data breaches. The hacking group, DragonForce, claims to have stolen personal data from up to 20 million members, including names, addresses, emails, and more. The hackers even messaged Co-op’s Head of Cyber directly in Teams: “Hello, we exfiltrated the data from your company.” This is not just a headline. This is a sobering wake-up call. Here are three quick lessons for every business leader to note:

    Least privilege is not optional. If internal chats, executive comms, and employee credentials are all accessible post-breach, then lateral movement was easy. Granular access controls and network segmentation are your fire doors in a digital fire.

    Transparency beats damage control. Downplaying a breach erodes trust. In the era of public whistleblowing and direct media outreach by cybercriminals, truth will out. Get ahead of it, fast.

    Cyber hygiene isn’t just IT’s job. Ordering employees to “keep cameras on” and avoid recording calls after a breach is reactive. Security must be proactive, baked into culture, and understood from the front line to the boardroom.

    Cybersecurity isn’t a box to tick or a budget line to squeeze. It’s a board-level imperative. Learn more on how least privilege can mitigate disaster below. https://lnkd.in/gEFkYVeg

    #CoopHack #DragonForce #LessonsLearned

  • Igor Volovich

    Strategist · Founder · Ex-CISO Invensys, Schneider Electric · Security Shark Tank™ Winner

    In a startling new tactic, ransomware gangs are now exploiting the SEC's cyber reporting rules to hold companies hostage. They're capitalizing on a critical vulnerability: many companies struggle to detect and report cyber threats within the SEC's required timeframe.

    This alarming trend underscores a pressing need for businesses to enhance their visibility and control over their cybersecurity posture. It's not just about identifying threats on a system-by-system basis; it's about understanding and mitigating risks at a broader, macro level across the enterprise. It's also about making sure your internal view of your security posture matches what you're telling the world and filing with regulators. The SEC, FTC, DOJ, and DoD are making it known: lie about your compliance posture and we're coming after you and your C-suite. Just remember SolarWinds.

    The recent shift in SEC enforcement emphasizes transparency while eschewing obfuscation. Companies can no longer afford to be in the dark about their cybersecurity status, only scrambling to get a clear picture when audits loom or breaches occur. The key to staying ahead of both cybercriminals and regulatory demands lies in continuous control monitoring and real-time compliance. This approach ensures that a company's cybersecurity posture is not just a snapshot taken at audit time, but a continuously updated, comprehensive view.

    Embracing this strategy means moving away from the traditional siloed approach to risk, security, and compliance. It's about convergence – integrating these functions into a cohesive, dynamic process. This integrated approach not only fortifies a company against the evolving tactics of cybercriminals but also aligns it more closely with the SEC's expectations for timely and transparent reporting.

    In this era of heightened cyber threats and stringent regulatory demands, the path forward is clear: continuous vigilance and transparency are not just regulatory requirements, they are essential business strategies for risk mitigation and sustained growth. The answer is to close the gap between compliance, risk, and security through the strategy of Convergence. This is the way forward.

    #compliance #sec #meridianlink #ransomware #audit #security #convergence https://lnkd.in/eiTZhGx8

  • Jamil Farshchi

    Equifax CTO • UKG Board Member • FBI Strategic Advisor • LinkedIn Top Voice in Innovation and Technology

    💥 One small step for the SEC… one giant leap for 10Ks.

    The long-awaited SEC cyber rules have been issued. With a backdrop of 1000+ MOVEit victims and a very public MSFT breach, the SEC couldn’t have timed the release any better. Most importantly: the rules are good for investors. ✅ They’ll also be a tailwind for anyone who cares about improving cybersecurity.

    Disclosures in the 10K on things like:
    ➥ Management’s cyber expertise & roles
    ➥ Corporate processes to manage & remediate cyber threats
    ➥ Board committees responsible for cyber oversight & how they’re informed

    Will lead to:
    ➥ CISOs being appointed in companies that don’t have one today
    ➥ Execs improving capital allocation for cyber (eg: reasonable cyber budgets)
    ➥ Boards dedicating more time – more regularly – to cyber risk

    This is goodness. 🙏 And the main criticisms aren’t show-stoppers:

    👌 It's not really "watered down." Yes, the board cyber expertise disclosure was removed, but citing the committee responsible for cyber is better anyway. Plus, director profiles are public, so cyber creds are already readily available.

    👌 It doesn't "create cyber risk." Disclosing a material incident in 4 days is generous compared to others (see: 24hrs). Besides, the DOJ can now extend the timeframe, if appropriate.

    Look, the rules passed by a vote of 3-2. So this is what compromise looks like. 🤝 What matters is that cyber is unquestionably a top corporate risk today. And the SEC is arming investors with information to help evaluate it. Even more than that, I think these rules will – in time – fundamentally improve the cybersecurity of publicly traded companies. And that’s something to really celebrate. 👏

    #technology #cybersecurity #riskmanagement

  • Reet K.

    Founder & CEO, Sekaurity | Former CISO | AI, Cybersecurity & Risk Leader | Board & Executive Advisor | NACD.DC

    "The truth is incontrovertible. Malice may attack it, ignorance may deride it, but in the end, there it is." - Winston Churchill

    Cyber breaches happen, but misleading your investors? That’s where it really gets costly. The U.S. Securities and Exchange Commission has just penalized Unisys, Avaya, Check Point Software, and Mimecast millions for downplaying the extent of the SolarWinds hack. Instead of being upfront, they framed their cyber risks as "hypothetical" when the reality was much more serious.

    Under the Securities Act of 1933 and the Securities Exchange Act of 1934, public companies must disclose material information about cybersecurity risks. However, determining what’s “material” can be challenging. Companies often balance transparency against protecting sensitive data or avoiding premature disclosures.

    The lesson? Transparency in cybersecurity isn’t optional, it’s mandatory. Establishing solid disclosure practices is essential, unless SEC fines and going out of business fall within your risk appetite, which I doubt 😜. Misleading or downplaying incidents can lead to hefty financial and reputational damages. Want to stay out of SEC crosshairs? Be transparent and keep investors informed. In the age of data breaches, transparency is your best defense against legal consequences and reputational harm.

    #CISO #SEC #Cybersecurity #Transparency #RiskManagement #DataBreach #Compliance

  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    What is the SEC's bread and butter with respect to cybersecurity? Yes, it is still false statements and omissions. The SEC now wants you to report on the processes you use to assess, identify, and manage cybersecurity risk. But the SEC cares less about how great your cybersecurity program is than how honest you are about your program. If you have a material security incident, expect the SEC and potential civil plaintiffs (e.g., shareholders and customers) to investigate whether any of your cyber disclosures were misleading.

    Case in point: last week the SEC brought an enforcement action against an SEC-registered broker-dealer, alleging that it "repeatedly — and falsely — told [its] institutional customers and the public that [it] used 'information barriers' and 'systemic separation between business groups' in order to safeguard these customers'" material nonpublic information (MNPI). See https://lnkd.in/evXt-vWe. In fact, according to the SEC, these statements were false and misleading, because "virtually all employees" of this broker-dealer and its affiliates could access the MNPI of every customer "regardless of whether the employee had a valid business need for such information."

    BOTTOM LINE: As you prepare to make cybersecurity disclosures, your first priority should be making sure that they are demonstrably accurate and not misleading.

    #Cybersecurity #Compliance #SEC

  • Khwaja Shaik

    Board Director ♦ IBM CTO ♦ Making Purpose Real Through Board Excellence ♦ AI Governance, Cybersecurity & Digital Transformation ♦ Former Bank of America Executive

    Board's Cybersecurity Oversight: Beyond Compliance to Business Resilience 🛡️🔒

    As a CTO and board director, I see recent SEC actions (https://lnkd.in/gNwdF-3B) underscoring a critical mandate for board directors. Key takeaways:

    ✅ Transparency isn't optional: Accurate breach disclosure is now a regulatory mandate
    ✅ 12 terabytes of stolen data = massive potential reputational risk
    ✅ New SEC rules require material cyber incidents to be reported within 4 business days

    My advice to boardrooms:

    ✅ Engage and oversee comprehensive attack surface management
    ✅ Allocate funds to integrated exposure management programs
    ✅ Leverage AI for vendor risk assessment

    Critical Focus Areas during CISO Briefs:

    ✅ Oversee holistic asset register (identities, applications, cloud services) capabilities
    ✅ Expand cybersecurity capabilities across digital ecosystems
    ✅ Seek metrics on security technologies consolidation for comprehensive protection
    ✅ Leverage the power of managed security providers for actionable remediation

    The future of corporate governance is proactive, integrated, insight-driven, and foresight-driven.

    #CEO #KSgems #BoardOversight #CIO #CTO #CISO #AI #CFO #CorporateGovernance #Cybersecurity #BoardLeadership Christopher Hetner James Strock Ravi Hirolikar

  • Eric Peterson

    Cybersecurity Thought Leader | Principal Security Consultant / vCISO, CCP | CISSP, CISM, CISA, CRISC, CCSP | Author & Educator at CyberTipsGuide.com

    4 Charged. The SEC has charged four companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited—with misleading disclosures about cybersecurity risks and incidents. These charges stem from the investigation into the SolarWinds Orion software compromise and associated activities.

    Key Highlights:

    1. Penalties: The companies agreed to pay civil penalties ranging from $990,000 to $4 million.
    2. Nature of Violations: The companies were found to have negligently minimized cybersecurity incidents in their public disclosures.
    3. Specific Issues:
       - Unisys described risks as hypothetical despite experiencing two intrusions.
       - Avaya understated the extent of data access by the threat actor.
       - Check Point used generic terms to describe known intrusions.
       - Mimecast failed to disclose the nature and quantity of compromised data.
    4. SEC's Stance: The SEC emphasized that companies must provide accurate and comprehensive disclosures about cybersecurity incidents to protect investors.

    A Note for CISOs: CISOs face growing challenges in cybersecurity reporting. Recent SEC charges highlight the need for transparent, accurate disclosures. The future of reporting demands a delicate balance between protecting sensitive information and providing investors with a clear picture of cyber risks.

    #CyberSecurity #CISO #SECCompliance 🔗 https://zurl.co/DyHp

  • Gabrielle Hempel

    Security Leader | 2L JD Candidate | MS Global Security/Cybersecurity | Adjunct Professor | FSO-PA, Adjunct DVC-YR USCG AUX | Black Hat Board Member

    The SEC has fined four companies a total of $7M for downplaying breaches linked to the massive SolarWinds hack. This enforcement action sends a clear message: transparency and accountability in cybersecurity are non-negotiable. For organizations, it’s a critical reminder to prioritize accurate breach reporting. Attempting to minimize or obscure the impact of a cyber incident can have significant legal and financial repercussions, as demonstrated by these fines. With the rise of regulations focused on data protection and security disclosures, it's essential to ensure that cybersecurity policies, incident response plans, and communication strategies align with compliance standards. Companies need to view cybersecurity not just as a technical issue but as a core part of their business strategy. Whether it’s meeting compliance requirements, protecting customer trust, or safeguarding operations, transparency in the face of a breach is vital. #cybersecurity #infosec #compliance #SolarWindsHack #incidentresponse
