What Did Your Board of Directors Know, and When Did They Know It?

SolarWinds Lawsuit:  Only the Beginning 

Microsoft, Cisco, Deloitte, and even the Cybersecurity and Infrastructure Security Agency (CISA). These are just a handful of the 18,000 or so customers affected by the SolarWinds Orion data breach of 2020, and, nearly two years later, the company continues to handle the fallout from this event. “We expect to incur significant legal and other professional services expenses associated with the Cyber Incident in future periods,” it said in a Q2 2021 Preliminary Financial Results statement. 

The SolarWinds attack, which left customers vulnerable as it remained undetected for nine months, is now back in the news as predicted, with “significant legal” expenses heading their way. On Friday, November 5th, 2021, we learned of a new lawsuit brought against the company’s Board of Directors by its investors. The suit alleges that the SolarWinds Board of Directors knew about the cyber risks facing the company and failed to monitor these risks that ultimately led to the breach. We’ve seen Boards subject to lawsuits by shareholders in the realm of physical safety and risk – the Boeing 737 Max crash and the subsequent lawsuit being one of the most high-profile. This newest lawsuit against SolarWinds is an omen of the consequences that can occur when a Board doesn’t understand risk as it relates to cybersecurity.  

Cyber Risk Assessment and Mitigation 

We are now seeing what people have been saying for years come to fruition – that cybersecurity is not a technical issue, but a business issue. Axio CEO and Co-Founder, Scott Kannry, spoke to this point during our webinar, “What Boards Need to Know to Manage Cyber Risk,” with retired group BP CEO Bob Dudley and Cybersecurity Global lead at Accenture, Rex Thexton. Cybersecurity is a business and fiduciary issue, which lands firmly in the hands of the senior execs and the Boards whose “highest duty on an ongoing basis…” Kannry states, “…is protecting the sustainability of the enterprise.” When cyberattacks occur, the responsibility falls under these execs. 

From a CISOs perspective, the SolarWinds lawsuit highlights the importance of communicating risks to the Board properly and the importance of communicating your mitigation strategies. It’s time to move away from the “defend and protect” cybersecurity strategy and focus on risk mitigation and risk management. The Board must understand that cyber risk is inevitable; their due diligence resides in ensuring the organization monitors these risks and takes appropriate steps to mitigate them, such as purchasing cyber insurance and implementing technical controls and policies. 

Due Diligence and Defensible Data 

In the SolarWinds lawsuit, the more significant issue is really not that the Board allegedly knew about the risks; it’s that they reportedly knew and then did nothing to prevent or mitigate it. In 2021, the role of the Board has shifted to limiting the damage of these attacks and ensuring those risks are accounted for by their organization. What the Board needs from its CISO is clear communication on what projects you have in place and how they relate to existing and potential threats.  

Everyone on the Board and C-Suite should clearly understand which risk scenarios pose the highest threat, the dollar values for each scenario, and therefore, which are most critical for mitigation. Axio360’s software can help CISOs bridge this connection between mitigation strategies and scenarios. Axio360’s risk assessment software uses quantification and a data-driven approach to interpreting risk scenarios. Not only does quantification give you a defensible number to determine budget and prioritization, it allows you to benchmark your projects and illustrate that your organization has performed its due diligence.  

Summary 

Risk awareness and risk mitigation are interlinked when building and implementing your cybersecurity strategy. The shareholders suing SolarWinds’ Board of Directors contend that the board “failed to implement procedures to monitor cybersecurity risks, such as requiring the company’s management to report on those risks regularly,” Reuters reports. Cybersecurity, thus, needs to be a continuous, ongoing process. As Bob Dudley noted in our webinar last week, it would be irresponsible for a CFO to look at their balance sheet only once a year, and the same should go for CISOs, CEOs, and Boards when it comes to cybersecurity. 

A risk-based approach to cybersecurity involves establishing reports with your current risk summary, planned risk summary, and your benchmark risk summary; by taking these steps, you’re protecting yourself from a lawsuit like the one brought against SolarWinds. Axio360 can help you consider different cost scenarios and prioritize projects based on the financial impact to your business.