SEC Compliance and the Evolving Responsibilities of CISOs

 Welcome to today’s webinar on the CESA platform. We're exploring the legal and professional implications of the SEC's enforcement action against SolarWinds and its CISO, Timothy Brown. This discussion has ignited significant debate within the cybersecurity community, splitting professionals into opposing camps. Our expert speakers, Matthew Rosenquist, Jim Ralph, and Michael Rees, will provide insights into the complexities of this case and its broader impact on the industry.


Here is the verbatim discussion:

Question though qu or clarification on that because you said something that that that kind of raised the hair on on the back of my neck here you said it goes through legal and they're responsible now every law every lawyer corporate lawyer I've talked to has said no we advise we don't take responsibility the content is still yours you're still making the Declaration we will advise you but we don't own it are you saying for the companies you worked for the attorneys were the responsible parties or were they simply a pass through to advise um and and maybe you know make recommendations prior to it being released what I'm saying is that the corporate policies clearly defined the responsibility for when to uh uh offer information to a regulator and uh and to vet that information that goes to a regulator uh so the legal departments control the process and were accountable now look they were accountable for the process not necessarily for the content so they weren't the ones signing off on the accuracy and legitimacy of the content they were overseeing process getting it from the company to the regulator correct they're also determining when to share information with the regulator like the notification so a ciso independently can't say I'm going to notify law enforcement I'm going to notify a regulator of a particular security incident that is not in the that's you know in at least in my experience that's not uh what the ciso has is accountable for the ciso is accountable for bringing that information to the legal uh organization and there were very frequent times where I aiso said I think we need to tell a regulator and this is what I think we need to tell them but that was always vetted and edited by the legal department the legal department SEC for those who don't know is an independent federal administrative agency with the mission of protecting investers and their rights and that includes making sure there is not unfair Market manipulations this is part of their role in Mission and we're going to be talking about the complaint that the SEC has published now the full 68 page complaint is available on their website and it provides details on all the different claims especially going to be a new president um you know Jim mentioned the whole Uber case with Joe Sullivan that was a a fact that they said hey we're going to hit you with a three-year probation and there's their statement that were made is we're going to go after and we're going to do harsher penalties in the future and so I think this is a chance for the sec to step up and say now we're going to implement those harsher punishments and we're really going after solar winds and and Timothy Brown on this um I I think we need to be careful and not just what I'm going to call check the boxes when we're doing our security um questionnaires that Sig that we always have to fill out everybody just kind of goes through the motions and says yeah we're doing this we're doing this if you start looking at what the SEC filing is out it it really looks like hey people were just checking boxes and saying hey we're doing this and they're really not doing it so it we're going to have to start really walking the the walk and you know saying what we're doing and showing that we're really doing and it's no longer just a verbal yeah we did that we checked the Box um it it's more than that it's really coming down to that GC governance risk and compliance questionnaire and being really truthful about it because you're going to be liable and it's nothing new it just you know this one kind of went a little wild and the SEC is trying to make an example out of him and I think we're gonna have to be careful because it could could go either way and it could really hurt us as Tios or it can give us a better foothold and really be able to go and say we need these extra tools we need this extra money and really get it.



Community Division:

  • The SEC's actions have polarized the cybersecurity community. One group views these actions as unfairly targeting CISOs, making their challenging roles even more difficult. The other believes accountability should be enforced when individuals fail in their duties.
  • The debate has intensified, indicating the significance of this case in shaping industry norms and expectations.

Precedent and Industry Impact:

  • This case is seen as a landmark that will influence the cybersecurity industry regardless of the outcome. It could drive significant changes in behavior and practices, potentially leading to both positive and negative outcomes.
  • The industry hopes for a maturation in practices, though it may also necessitate new tools or behavioral changes among CISOs.

Legal Obligations and Charges:

  • The SEC's charges involve alleged failures in disclosure, a critical component of corporate transparency and investor trust.
  • Public companies are required to file specific forms (S1, S8, 8K) quarterly, especially when seeking funding or after a material incident. These forms are essential for providing investors with accurate information to make informed decisions.

Disclosure Requirements and Process:

  • Accurate and truthful disclosure on SEC forms is crucial. The legal departments are responsible for overseeing the process of sharing information with regulators, ensuring that disclosures meet all legal requirements.
  • CISOs are accountable for bringing relevant information to the legal team, who then decide how and when to disclose it to regulators.

Industry Backlash and Concerns:

  • There is concern within the cybersecurity community about personal liability and the potential for harsh penalties against individual CISOs. This could deter skilled professionals from pursuing or remaining in these roles due to increased personal risk.
  • The case has highlighted the need for clear and fair regulatory standards to support CISOs while maintaining transparency and compliance.


The SEC's enforcement action against SolarWinds and its CISO, Timothy Brown, has brought to light the intense scrutiny and significant responsibilities faced by cybersecurity leaders. This case will likely leave a lasting impact on the cybersecurity industry, influencing future practices and the allocation of responsibilities within organizations.

As the industry moves forward, it is essential to balance accountability with fair and supportive measures for cybersecurity leaders. Ensuring adequate legal protections for CISOs will help maintain a strong and effective leadership framework in cybersecurity, enabling organizations to better defend against evolving threats. This case serves as a pivotal moment, underscoring the need for robust and transparent practices that protect both the organization and its cybersecurity leaders.



Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.


Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa