From CISO to Boardroom: Navigating the risks and responsibilities in cybersecurity oversight
Ransomware attacks such as the one UnitedHealth Group recently suffered may become the new norm globally, with cyberattacks estimated to occur every 39 seconds. As another proxy season is upon us, it may be time to reassess your company’s approach to cybersecurity risk.
Reassessing cybersecurity risk management
The audit committee is often the center of risk management oversight for public company boards. According to CAQ’s 2023 Audit Committee Transparency Barometer, 59% of S&P 500 companies disclose that the audit committee is responsible for oversight of cybersecurity risk, up from 54% in 2022. CEOs and boards have been citing cybersecurity as a top risk for years; however, in 2022 only 12% of public companies reported having a separate risk committee.
Lessons from SolarWinds
The stakes are high, as the SEC illustrated in its complaint filed on October 30, 2023, against SolarWinds and its Chief Information Security Officer (CISO). The complaint alleges that SolarWinds distributed software with known vulnerabilities and misrepresented the level of risk. Hackers added malicious code to SolarWinds software, which led to breaches at customer sites. SolarWinds’ customer base included government agencies and the majority of the S&P 500.
This case is groundbreaking, first, in that it names the CISO personally as well as SolarWinds. Second, much of the case against the CISO rests on the assertions he made publicly about the company’s cybersecurity, despite his reportedly being aware of vulnerabilities in its software that had apparently existed for several years. Those public assertions included an allegedly misleading security statement prominently displayed on the company’s website. The CISO also gave interviews and authored blogs and reports discussing cybersecurity best practices but, it is alleged, failed to implement the same practices at SolarWinds. Third, some of the vulnerabilities concerned basic security hygiene, including weak password practices and uncontrolled granting of administrative rights.
Accountability, oversight and board responsibilities
The CISO is accused of signing sub-certifications for internal controls and of making false and misleading statements in the 8-K that disclosed the incident. If there was ever any doubt, the SEC has removed it: as an officer or board member of a public company, you are responsible for false and misleading statements, regardless of whether they appear in a filing, on your website, or in public interviews or blogs.
Interestingly, the complaint makes no mention of the Board of Directors’ oversight. This led me to look at the disclosures made by SolarWinds.
In 2019, malicious code was embedded into a SolarWinds software update. In 2020, three different customers suffered repercussions from the attack and reported it. It appears that SolarWinds and Brown (the CISO) were aware of the multiple attacks on their products and customers, including several government agencies, during 2020 but failed to disclose them until December 2020.
Enhancing cybersecurity governance
As the SEC states:
“At no point between the time of its IPO in October 2018 and the disclosure of Sunburst in 2020 did SolarWinds disclose the numerous risks, vulnerabilities, and incidents affecting its products in its SEC filings or elsewhere.
“Instead, in each periodic disclosure and registration statement during the period, SolarWinds disclosed the same hypothetical, generalized, and boilerplate description that had appeared in its October 2018 Form S-1.”
In the 10-Qs filed during the relevant period in 2020, the company stated that there had been no material changes to its risk factors. On December 14, 2020, the company filed an 8-K publicly disclosing the attack, but the SEC alleges that this filing was also materially misleading regarding the company’s prior knowledge of the attacks and vulnerabilities.
What about the Board’s risk oversight? The disclosure from the DEF 14A proxy filed in April 2020 reads:
“Our nominating and corporate governance committee is responsible for our general risk management strategy, monitoring and assessing the most significant risks facing us and overseeing the implementation of risk mitigation strategies by management. Our nominating and corporate governance committee also monitors and assesses the effectiveness of our corporate governance guidelines and our policies, plans and programs relating to cyber and data security and legal and regulatory risks associated with our products and business operations.”
It could be argued that these risk disclosures were surprisingly light for a software company, even three years ago. As of its 2023 proxy, SolarWinds has established a technology and cybersecurity committee, which is likely to become a best practice for the board of a software company. Other improvements include posting the committee’s charter in the investor section of the company website and disclosing multiple board members with cybersecurity experience. The company has also expanded and improved its disclosures, which now include, in part:
“Our technology and cybersecurity committee is responsible for overseeing our information technology systems and cybersecurity risks” and: “Our internal cybersecurity risk management team, headed by our Chief Information Security Officer, oversees compliance with applicable laws and regulations and coordinates with subject matter experts throughout the business to identify, monitor, and mitigate risk including information security risk management and cyber defense programs. These teams maintain rigorous testing programs and regularly provide updates to the Company leadership as well as our Board.”
“Secure by Design is our IT guiding principle for how we approach security and cyber resiliency. Consisting of several key tenets, we work to create a more secure environment and build a system centered around transparency and maximum visibility.”
Key action steps for preparing for regulatory scrutiny
With the SEC’s new cybersecurity disclosure rules, we can expect this to be a hot topic for the SEC in the coming year. Since the SEC has been kind enough to provide an excellent example of what not to do, it’s time to:
- Review the boilerplate language in your risk factors and consider whether it reflects the company’s actual risks and experiences.
- Reconsider whether the audit committee is the best place for cybersecurity risk oversight.
- Review the qualifications of your cybersecurity “expert.”
- Most importantly, ensure your cybersecurity procedure documentation is accurate and up to date, because the SolarWinds case shows that public statements will be measured against what is actually in place.
For up-to-the-minute data on disclosures and impacts of data breaches affecting public companies registered with the SEC, take a look at our cybersecurity database.
Cybersecurity trends report
Ideagen reports annually on cybersecurity breaches. Read the full report.