All Articles

Corporate Policy vs SEC Guidelines by Matthew Rosenquist, Jim Routh &Micheal W. Reese

Posted by Gaya M on May 30, 2024 at 10:19pm in Blog
Corporate Policy vs SEC Guidelines by Matthew Rosenquist, Jim Routh &Micheal W. Reese

Welcome to today’s webinar on the CESA platform. We are exploring the critical and contentious legal implications of the SEC's enforcement action against SolarWinds and its CISO, Timothy Brown. This case has ignited significant debate within the cybersecurity community, splitting professionals into opposing camps. Our expert speakers, Matthew Rosenquist, Jim Ralph, and Michael Rees, will provide insights into the complexities of this case and its broader impact on the industry.

 

 

 

Here is the verbatim discussion:

Well there's there two there's two dimensions of the fundamental this is simplistic but there's two Dimensions to uh the SEC complaint one is the timing of the notification and the second is the content of the notification and you can take it in either order but those are essentially the two things the thing to remember I was a ciso in uh six large public companies uh and every single one of them had a policy that at any time information going to a regulator had to be funneled through the legal department so the general Council was essentially accountable responsible for all filings uh in any kind of regulatory basis and any uh security incident uh in terms of notifying the regulator it had to go through legal it was actually controlled by uh the general council's office uh in every question though qu or clarification on that because you said something that that that kind of raised the hair on on the back of my neck here you said it goes through legal and they're responsible now every law every lawyer corporate lawyer I've talked to has said no we advise we don't take responsibility the content is still yours you're still making the Declaration we will advise you but we don't own it are you saying for the companies you worked for the attorneys were the responsible parties or were they simply a pass through to advise um and and maybe you know make recommendations prior to it being released what I'm saying is that the corporate policies clearly defined the responsibility for when to uh uh offer information to a regulator and uh and to vet that information that goes to a regulator uh so the legal departments controlled the process and were accountable now look were accountable for the process not necessarily for the content so they weren't the ones signing off on the accuracy and legitimacy of the content they were overseeing process getting it from the company to the regulator correct they're also determining when to share information with the regulator like the notification so a ciso independently can't say I'm going to notify law enforcement I'm going to notify a regulator of a particular security incident that is not in the that's you know in at least in my experience that's not uh what the ciso has is accountable for the ciso is accountable for bringing that information to the legal uh organization and there were very frequent times where I as aiso said I think we need to tell a regulator and this is what I think we need to tell them but that was always vetted and edited by the legal department the legal department handled the actual notification my point is that it the ceso is the one in both the Joe Sullivan case Uber case and the SEC actions against Tim Brown the ciso is the one that's bearing the accountability for uh when did notify the regulator and what content of information to provide and that is inconsistent with corporate policy where it clearly states that no one uh in the company ciso or anybody else uh can notify Regulators of uh security incidents without uh going through the you know the the process that's controlled by the legal department so but then that's that's a policy issue then right it is a corpor so what what this is in what this action is enforcing is in a direct contradiction to corporate policies in most major companies so then what takes precedent in your mind does the federal SEC guidelines take precedent and say heyy you should craft your policy to be in alignment with it or does the policy of independent companies take a precedent and say oh no follow the policy ignore even if it's in conflict with the SEC Federal requirement my point is that the SEC action for enforcement against solar winds is inconsistent with the majority of corporate policies today in the notification of a regulator and law.

 

Highlights:

Dimensions of the SEC Complaint:

  • The SEC's complaint against SolarWinds involves two fundamental dimensions: the timing of the notification and the content of the notification. These aspects are central to the SEC's charges and form the crux of the legal debate.

Role of Legal Departments:

  • In many large public companies, corporate policies dictate that any information going to a regulator must be channeled through the legal department. The general counsel's office is responsible for overseeing this process, although they do not necessarily take responsibility for the content's accuracy.
  • The legal department controls the process of regulatory filings and notifications, ensuring they meet legal standards and company policies.

CISO Accountability and Legal Coordination:

  • The CISO's role involves identifying and reporting security incidents, but the actual notification to regulators is managed by the legal department. This distinction is crucial in understanding the accountability and procedural flow within organizations.
  • Despite this, the SEC's actions against Timothy Brown highlight a disconnect, where CISOs are held accountable for decisions typically controlled by legal departments.

Policy vs. Federal Guidelines:

  • There is a tension between corporate policies and federal guidelines. Corporate policies often require that notifications to regulators go through legal channels, whereas federal guidelines, such as those from the SEC, emphasize timely and accurate disclosure.
  • This discrepancy raises questions about which standards take precedence and how companies should align their policies with federal requirements to avoid conflicts.

Industry Implications and Precedents:

  • The enforcement actions set a precedent that could significantly impact the cybersecurity industry, influencing how companies manage and report security incidents.
  • There is concern that such actions could deter skilled professionals from pursuing CISO roles due to increased personal risk and accountability.

 

The SEC's enforcement action against SolarWinds and its CISO, Timothy Brown, underscores the evolving complexities of cybersecurity accountability. The case highlights the crucial role of CISOs in managing security incidents and the challenges they face in navigating corporate policies versus federal requirements. This case will likely have lasting implications for the industry, influencing how organizations structure their policies and manage regulatory disclosures.

As we move forward, it is essential for companies to ensure that their policies are aligned with federal guidelines to avoid conflicts and ensure transparency. Balancing accountability with fair and supportive measures for cybersecurity leaders is crucial to maintaining a robust defense against evolving threats. This case serves as a pivotal moment, emphasizing the need for clear, consistent practices that protect both the organization and its cybersecurity leaders.

 

Speakers:

Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/

 

Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.

 

https://www.linkedin.com/in/michael-w-reese/

 

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

 

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

 
Views: 24
Tags: sec enforcement, cybersecurity, ciso, cisoliability
E-mail me when people leave their comments –
Follow

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)