Stay informed with free updates
Simply sign up to the Cyber Security myFT Digest — delivered directly to your inbox.
The first cyber chief to fight an effort by the US Securities and Exchange Commission to hold him personally responsible for a massive Russian hack has called on global regulators to pass tougher cyber security laws.
Tim Brown, chief information security officer at SolarWinds, faced a landmark lawsuit that accused him and the company of misleading investors by not disclosing “known risks” and inaccurately representing the company’s security measures.
Speaking to the Financial Times in his first interview since the complaint was largely thrown out by a federal court in July, Brown warned that global cyber regulations are still “in flux”, which “absolutely adds stress across the globe” on cyber chiefs.
“When you don’t have rules to follow, it’s very hard to follow them,” said Brown. “Very few security people would ever do something that wasn’t right, but you just have to tell us what’s right in order to do it,” he added.
SolarWinds was a little known Austin-based IT supply chain company until it was breached by Russian hackers as part of a sprawling espionage campaign in 2020.
The SEC’s lawsuit came amid a push by the body to more aggressively target cyber risks under the tenure of chair Gary Gensler, as well as strong signals by itself and other authorities that individuals could be held liable for hacks.
Last year, Uber’s former chief security officer, Joe Sullivan, was sentenced by US authorities to three years of probation and fined $50,000 for covering up a data breach from 2016. It was the first criminal prosecution of a company executive over the handling of a data breach.
The SEC introduced new cyber rules last year around the disclosure of data breaches, as well as forcing public companies to outline elements of their cyber risk management processes, strategies, and governance in their annual reports.
Brown said he was hopeful that global cyber regulations were heading in the right direction. He said security professionals would benefit from a cyber equivalent of the Sarbanes-Oxley Act, passed in 2002 after the Enron scandal.
“You have to remember, the cyber issues are 20 to 30 years old. Other regulatory issues are hundreds of years old . . . So we’re just kind of catching up on the maturity of that model,” he added.
The lawsuit, which cited internal communications between Brown and other employees at SolarWinds, has been seen as a watershed for the industry. Lawyers representing security professionals have warned it risked “chilling” cyber professionals’ internal efforts to improve company security out of fear that their comments could later be taken out of context and used against them.
District judge Paul Engelmayer ruled in July that the SEC’s attempt to apply accounting rules to cyber security processes was “not tenable”. He threw out most of the claims against SolarWinds and Brown, but upheld one claim of securities fraud based on a statement published by SolarWinds on its corporate website.
A SolarWinds spokesperson said in a statement the company planned to fight the remaining charge, which they said was “factually inaccurate”. The SEC declined to comment.
Brown said the lawsuit, although personally uncomfortable, had helped to give corporate security professionals a voice at the executive level.
“It puts pressure on, but it’s also an inflection point,” he said. “It has elevated the [chief information security officer] position and made sure that boards are having these conversations.”
Brown this month joined the advisory board of Israeli crisis management firm Cytactic but said he was still committed to staying in his role at SolarWinds.
“As far as the incident at SolarWinds: It happened on my watch. Was I ultimately responsible? Well, no, but it happened on my watch and I want to get it right,” he said.
The company reported $193mn in revenue in the three months to June, down from $246mn in the same period in 2020, before the hack was disclosed. Shares have begun to recover from their lows in 2022, but are still down more than 40 per cent since the so-called Sunburst incident.