By in Perspective, May 7, 2025

New risk management framework helps with SEC mandate compliance


The authors of the new Cyber Risk Management Program framework explain how it can set an organization up to better comply with SEC and other disclosure and reporting regulations.

In a landmark enforcement action that has become a transformational moment for CISOs and corporate cybersecurity practices, the US Securities and Exchange Commission (SEC) charged the SolarWinds Corporation and its CISO, Timothy Brown, with fraud and financial disclosure failures related to their cyber risk management practices. This case, stemming from the infamous SUNBURST cyberattack, highlights the grave consequences of inadequate cybersecurity risk management and disclosure practices. The development and implementation of a defined cyber risk management program will be necessary to protect against this new liability.

The SUNBURST attack, attributed to Russian state-sponsored hackers, exploited vulnerabilities in SolarWinds’ network to insert malicious code into the company’s Orion software, affecting over 18,000 global customers. Internal communications revealed that Brown and SolarWinds employees were aware of significant cybersecurity deficiencies, including issues in developing secure products and access control failures. Despite this knowledge, SolarWinds posted what the SEC said were misleading statements about its cybersecurity practices, suggesting a more secure environment than what existed internally.

The SEC’s complaint alleges that from at least October 2018 through January 2021, SolarWinds and Brown engaged in a series of misstatements and omissions, painting a false picture of the company’s cybersecurity controls, and exposing investors to undisclosed risks. The SEC’s action against Brown marks a significant shift, holding individuals personally liable for cybersecurity-related disclosure deficiencies. Unlike other cases based on claims of negligence and bad security hygiene, the fundamentals of this case revolve around risk management – in particular the ability to properly identify risks, escalate those risks, and meet mandated disclosure obligations. This case underscores the critical need for CISOs to move beyond ad-hoc risk practices and implement clearly defined cyber risk management programs to navigate these heightened regulatory expectations effectively.

Current cyber risk management practices often lack a systematic approach and instead rely on ad-hoc risk tools and processes. These are supported by governance structures that function merely as bodies that are kept informed, failing to fulfill their intended purpose of providing effective oversight for a cyber risk management program. This absence of a standalone and clearly defined cyber risk program exposes executives, board members, and now CISOs to emerging obligations.
