Revisiting the SolarWinds Incident With the Final SEC Cybersecurity Disclosure Rules

SolarWinds was issued Wells Notices by the SEC in June 2023 based on the disclosed breach of the Orion platform (or simply the SolarWinds Platform) in December 2020. The notices name the CISO and CFO specifically. While the SolarWinds Orion incident is ancient news in the tech and security industries, legal processes and regulatory enforcement take time. Many parties must collaborate to gather (digital) evidence to determine the extent of damage and business impact. Organizations must also determine if the incident had material impact and disclose relevant details in the appropriate SEC forms.

It’s an interesting time for cybersecurity as litigation around the SolarWinds incident is playing out, and last month, the SEC finalized cybersecurity disclosure rules. The finalized rules mandate that publicly traded companies must disclose material cybersecurity incidents within four business days in a Form 8-K starting in December 2023. Smaller companies can gain an exception until June 2024. These SEC rules aren’t entirely new. They’ve been re-stated and refined in 2011, 2018, and now again in 2023, which is why SolarWinds is in the hot seat for not complying. The tighter disclosure window and mandate to submit within a Form 8-K as opposed to quarterly or annual filings are the newer requirements.

What went wrong for SolarWinds

The position expressed recently by SolarWinds is that these types of regulatory enforcement actions taken by the SEC inhibit responsible disclosure. A similar stance was expressed by a few parties during the feedback on the proposed SEC cybersecurity disclosure rules, but the arguments don’t hold water with the SEC. The regulatory body has been clear that proper risk management and timely cyber incident disclosures protect investors and other stakeholders. Roles like the CEO and CFO are directly accountable, per the SEC rules. It is likely that the SEC will make an example out of SolarWinds and its leadership at the time of the Orion incident to set the tone for how important software supply chain security is to investor risk and ultimately national security.

According to the final SEC disclosure rules, the CFO is responsible for directly submitting or delegating the submission of the necessary digital forms with supporting evidence to the SEC. That includes details of their cybersecurity program, relevant technology expertise in the organization, and disclosure of any prior cyber incidents. CISOs play a critical role since they are privy to those details and on the hook for relaying the proper info to the CFO.

This enforcement action by the SEC will be the first of many. Software security, or lack thereof, elevates risk, which creates amplifying effects in software supply chains. The SEC is aimed at protecting investors. If organizations aren’t doing the appropriate things to build, deliver, and protect their software throughout its lifecycle, then investors should be aware of that. Regulations often leave the definition of “software” purposefully broad so it is also broadly enforceable. It’s not just about the application code itself but also the infrastructure that powers it and the network connections that enable services to talk. Effectively, software has pervasive impacts.

All roads lead to the cloud, which leads to the supply chain

Cloud and cloud-native are inherently intertwined. If you’re operating in cloud environments, you’re consuming cloud-native technology, which may be partially or fully abstracted from you. Many organizations are also pursuing cloud-native designs as they modernize their applications to gain benefits such as greater elasticity and auto-scaling. And DevOps practices are necessary to build and deliver more quickly and efficiently. Frequently, organizations label this collection of processes and technology as digital transformation.

If you’re delivering systems in the cloud or consuming cloud services, you’re likely making use of newer technologies like containers or serverless. Microservices architectures amplify the number of things you’re dealing with. The footprint changes rapidly and is much too ephemeral to document using traditional (read: checkbox compliance) and manual (read: time-consuming) methods. Cloud security is a fundamental component of software supply chain security. Cloud service providers (CSPs) are also suppliers and partners, not just resources you consume. Transparent and timely disclosure is key.

Visibility in the cloud is inherently reduced, which regularly challenges your ability to audit those environments effectively for cybersecurity.

The compliance mapping exercise is too manual and too time-consuming for most organizations. “Continuous compliance” becomes necessary to know in real time whether your environments satisfy all security controls defined across the applicable compliance frameworks, regulations, standards, and best practices. No single policy can govern all types of environments and assets. However, you must start somewhere, address security in all aspects of the software and workload life cycle (not shift-left or shield-right alone), and document that you are doing all of this in order to defend the security program itself.

In a separate but relevant effort designed to promote cybersecurity, the US government published the US National Cybersecurity Strategy in March 2023. It states that the United States will use all of the tools in its arsenal to further the principles described in the strategy. The SolarWinds incident is called out explicitly, further underlining the far-reaching impact of the incident. The strategy encompasses security and resiliency of critical infrastructure, preserving privacy, promoting equity and equality, combating nation-state threat actors, addressing weaknesses in supply chains, and more. In many cases, the industry an organization does business in, the data it handles, or the customers and citizens it interacts with makes it subject to regulation. Directly, the SEC governs all types of financial risk (including cybersecurity risk) as it pertains to investor risk. Indirectly, the SEC is helping further the goals of the US National Cybersecurity Strategy when it comes to publicly traded companies, which we are now seeing play out with repercussions for SolarWinds.

While the SEC cybersecurity disclosure rules were undergoing public review, many entities expressed concerns around the dilemma of communicating the security impacts of partners and suppliers and how this complicates incident disclosure. The SEC did not budge on this with the final rules, and security issues related to suppliers must still be disclosed. It’ll be interesting to see this play out in practice. A material incident such as what happened with SolarWinds would theoretically need to be disclosed by all companies that made use of the vulnerable SolarWinds Orion software in their environments, not just SolarWinds itself. Coordination would likely be handled by one or more federal agencies such as CISA, DOJ, or the FBI to reduce duplication of efforts depending on the stage of investigation, response, or enforcement.

Sources:

  • https://www.bankinfosecurity.com/sec-alleges-solarwinds-cfo-ciso-violated-us-securities-laws-a-22367
  • https://www.bankinfosecurity.com/solarwinds-may-face-sec-investigation-over-hack-disclosure-a-20416
  • https://www.csoonline.com/article/3700654/sec-notice-to-solarwinds-ciso-and-cfo-roils-cybersecurity-industry.html
  • https://www.darkreading.com/operations/solarwinds-execs-targeted-sec-ceo-fight
  • https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/02aed9ff-6065-4158-8efd-6b5e31f7eb89.pdf
  • https://www.reuters.com/legal/us-sec-considering-action-against-solarwinds-over-cyber-disclosures-2022-11-03/