SolarWinds Fallout: Legal Risks for CISOs Intensify
Jess Nall of Baker McKenzie on New SEC Rules and Cybersecurity Disclosures

The recent SolarWinds case has intensified the legal risks for chief information security officers. A judge validated the SEC's legal theory of intentional securities fraud under the Securities and Exchange Act Rule 10b-5, marking the first time a federal court has accepted this theory against a CISO, said Jess Nall, partner for cyber and AI at Baker McKenzie. This decision, the first of its kind, has escalated the likelihood of the case proceeding to a jury trial against Tim Brown, the SolarWinds CISO.
If Brown loses the trial, he risks being labeled a securities fraudster, which could severely damage his career and reputation, Nall said. Such a charge, she said, would also affect his ability to hold future executive roles.
New SEC disclosure regulations now require public companies to report cybersecurity incidents more promptly. "Now cybersecurity incidents of any material nature have to be disclosed within four business days. But that's a different issue, because now all companies that are public issuers in the U.S. are going to be required to disclose under Rule 105," Nall said.
In this video interview with Information Security Media Group at Black Hat 2024, Nall also discussed:
- Regulatory enforcement in the Joe Sullivan case;
- How discrepancies between disclosures and actual cybersecurity practices could lead to legal issues;
- Why CISOs should secure indemnity agreements and D&O insurance.
Nall has more than 20 years of experience in internal investigations, strategy implementation and risk management. She focuses on the intersection of government enforcement and emerging technologies, including AI, cybersecurity and tech. At Baker McKenzie, she has spearheaded investigations and advisory teams in more than 75 international jurisdictions.