Flawed ITAM: Known Cyber Security Risks Spell Trouble for CISOs and Boards
Yesterday’s SEC release alleging that software developer SolarWinds Corp. and its Chief Information Security Officer (CISO) T. Brown misled investors about known cybersecurity risks and vulnerabilities is yet another in a series of Commission actions regarding cybersecurity that should be setting off alarms for CISOs, CIOs, and the boards at all publicly traded companies and investment firms.
The charges against SolarWinds come on the heels of the new SEC requirement for publicly traded corporations and foreign private issuers to disclose material cybersecurity incidents and the $3 million settlement with software company Blackbaud Inc. for misleading cyber-attack disclosures.
Commenting on yesterday’s action, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said:
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
What This Means to ITAM/ITAD
It is widely accepted that publicly traded corporations (and other enterprises) can’t locate a significant number of IT assets. However, instead of being investigated and resolved, these errant “crown jewels” are (intentionally or inadvertently) swept under the rug by lumping them into batches of IT assets allegedly sent off for secure recycling. While this practice already defies data protection regulations requiring such resolution, it becomes even riskier in light of the previously mentioned SEC cyber incident disclosure requirements. How can a corporation know whether a missing IT asset represents a material breach if the asset is ignored?
By any definition, this is a “known” risk, and some CIOs and boards will inevitably find themselves in the hot seat over it.
It is also useful to note that, while the SolarWinds allegations take aim at “known” risks, the Blackbaud settlement held the company’s board responsible for cybersecurity incidents they should have known about but didn’t.
For a more detailed exploration of the issue, read “The flawed IT asset management paradigm: Key considerations for privacy professionals.”
© 2023 Privata Vox, LLC - All Rights Reserved
Bob Johnson, CSDS, CIPP/US, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.