Beyond Cybersecurity by Dr Rois Ni Thuama
The SolarWinds Scandal as a Reflection of Corporate Governance Failures
This article examines the material facts of the case and explains why the incident is more than a deficiency in cyber governance: it points to broader corporate failures that will cause significant corporate pain if the lessons of this matter are overlooked.
The article also examines the SEC filings to capture the issues that the defendants are facing and provides clear instruction on how firms and their CISOs can avoid similar issues in the future.
There are three key takeaways from the short paragraph above.
Firstly, it is critical to understand SolarWinds’ (SW) offering to the market. The SW platform forms the core of its IT Management Portfolio, providing a ‘stable and scalable architecture that includes data collection, processing, storage, and presentation.’ In other words, the executives in this firm are not without an understanding of how technology operates. This isn’t, for example, a company that manufactures lipstick.
Thirdly, the attack was attributed to a sophisticated nation-state actor, i.e. Russia. However, attribution alone tells us nothing about the complexity of the attack.
Historically, there has been a strong focus on determining the source of such attacks, with significant emphasis on discerning whether they were perpetrated by a nation-state or a criminal organisation. From a technological standpoint, however, the nature of the actor is less consequential than the nature of the act itself. No company should be vulnerable to exploitation or attack through a known, publicly catalogued vulnerability (a CVE) or a well-understood exposure.
The emphasis on who initiated the attack is interesting from a geopolitical risk perspective, but not from a cyber governance, risk management or mitigation perspective. Ensuring that your business is fortified against known and significant threats is crucial, not only for maintaining cyber resilience but also for establishing a legally defensible position. Putting it simply, it’s not the actor, it’s the act.
It is likely that sophisticated and professional investors will increasingly look to recover for losses that might have been preventable. In the United States, for example, the business judgement rule shields a corporation’s director from liability in lawsuits alleging a breach of the duty of care to the company, provided the director’s actions meet the criteria of the rule.
It is elementary that directors in a technological firm appreciate the importance of making sound business decisions relating to their digital operational posture. After all, they must promote the success of their business, protect their firm, their clients and their reputation.
Directors in Ireland are subject to comparable responsibilities. Pursuant to Section 228 of the Companies Act 2014, a director is required to fulfil several duties, including acting in the best interests of the company, acting honestly in relation to the conduct of the affairs of the company, avoiding conflicts of interest, and demonstrating an appropriate level of care, skill, and diligence.
To what extent a director has exercised care, skill, and diligence will be considered against a two-stage test which contains both subjective and objective elements.
They are:
- the knowledge and experience that may reasonably be expected of a person in the same position as the director; and
- the knowledge and experience which the director has.
Now apply that test to a company which:
- Advertises its product as a ‘stable and scalable architecture that includes data collection, processing, storage, and presentation’, and
- Markets this product to entities classified as Critical National Infrastructure (CNI).
Given all of the above, the bar is high. It would not be unreasonable to expect that any person holding the position of director, and involved in the daily operations and management of a technologically sophisticated business, would consider that, in order to meet their legal obligations, they would:
- Exercise reasonable care to ensure their own digital estate management is resilient, and
- Address reasonably identifiable circumstances to manage and mitigate risks to their business and their clients. In other words, they would recognise the importance of their business as a supplier to highly sensitive government agencies.
While these questions are not yet before the court, it is inevitable that businesses on both sides of the Atlantic will find themselves defending their decisions, and their decision-making process, following cyber-attacks. This will be most painful where directors failed to fulfil their legal responsibilities and the resulting cyber-attacks were preventable.
However, while it has been an intellectually stimulating exercise to speculate on potential outcomes, the current situation faced by the firm and its Chief Information Security Officer (CISO) offers a significant learning opportunity for businesses.
From a legal perspective, the presence of multiple false claims is significant because it indicates a pattern of conduct within the business. A solitary occurrence might be construed as an error or oversight. A series of such statements over a period of time, however, evidences a continuity of purpose, and that makes it extremely difficult for the legal team to defend even the genuine errors.
A policy governing public statements about the business should expressly prohibit any employee from making statements about the business that are untrue or false. Requiring signed declarations that statements are true, together with notification of the penalties for misleading the market, could help senior executives appreciate the seriousness of making false claims.
Furthermore, it should be a standard expectation that executives provide clear justification for their positions. For instance, if a technical executive, call them Executive A, makes a technological claim that is then endorsed and propagated by the business across various departments (such as sales and marketing), there needs to be a transparent and traceable link from the claim’s originator to the final document. Importantly, the approved document should be immutable: any revision should be issued as a new version, with earlier versions preserved, so that every modification can be tracked back to whoever made it.
Given that it is well known and understood that strong passwords are a critical factor in keeping businesses safe and protecting them from cyber-attacks, it should be uncontroversial to implement best practice: a minimum length, screening against common and company-derived passwords, and rejection of trivial patterns. Given that none of this is technologically difficult or expensive to enforce, it is surprising that the firm failed to comply with even the most well-known, plain-vanilla cyber security controls.
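To make concrete what ‘neither technologically difficult nor expensive to enforce’ means, the following is an added example, not code from the article or from SolarWinds: a small password-policy gate that rejects short passwords, passwords built on common entries (after undoing the usual ‘P@ssw0rd’ substitutions), passwords containing company or product names, and repeated-character or digits-only strings. The 14-character minimum, the blocklist and the banned terms are illustrative assumptions; the only external reference is NIST SP 800-63B, which sets 8 characters as the floor and favours screening against breached-password lists over composition rules.

```python
"""Password-policy gate: the kind of inexpensive control the paragraph
above describes. Added example, not code from the article or from
SolarWinds; thresholds and word lists are illustrative assumptions."""
import re
from dataclasses import dataclass, field

# Constructed blocklist. A real deployment screens against a large
# breached-password corpus, as NIST SP 800-63B recommends, not a handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Substitutions users and attackers both reach for; undoing them stops
# "P@ssw0rd" from slipping past a check for "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Lower-case and undo common leet substitutions before comparing."""
    return pw.lower().translate(LEET)


# Blocklist entries are normalised the same way as candidates.
_COMMON_NORM = {normalise(p) for p in COMMON_PASSWORDS}


@dataclass
class Policy:
    # 14 is an assumed house minimum; NIST sets 8 as the floor and prefers
    # length plus screening over composition rules.
    min_length: int = 14
    # Company, product and host names that must never appear in a password.
    banned_terms: set = field(default_factory=set)
    # Longest run of one repeated character tolerated ("aaaa" fails at 3).
    max_repeat: int = 3


def check_password(pw: str, policy: Policy) -> list[str]:
    """Return every policy violation found; an empty list means it passes."""
    problems = []
    norm = normalise(pw)

    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")

    # Substring match deliberately: it rejects "Password2023!" at the cost
    # of occasionally rejecting a long passphrase that embeds a common word.
    if any(common in norm for common in _COMMON_NORM):
        problems.append("built on a common-password blocklist entry")

    for term in sorted(policy.banned_terms):
        if normalise(term) in norm:
            problems.append(f"contains banned term '{term}'")

    # (.)\1{N,} matches any character followed by N or more copies of itself.
    if re.search(r"(.)\1{%d,}" % policy.max_repeat, pw):
        problems.append(f"a character repeats more than {policy.max_repeat} times")

    if pw.isdigit():
        problems.append("digits only")

    return problems


if __name__ == "__main__":
    policy = Policy(banned_terms={"SolarWinds", "Orion"})
    # Constructed candidates, not real credentials.
    for candidate in ["S0larW1nds123", "P@ssw0rd2023!",
                      "correct horse battery staple 2024"]:
        verdict = check_password(candidate, policy) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Wired into account provisioning and password-change flows, a check of this size is the whole cost of the control. The design choice worth noting is the normalisation step: without it, a blocklist is defeated by the first user who types a zero for an ‘o’, which is exactly the sort of plain-vanilla gap that later has to be explained to a regulator.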
The paramount lesson derived from the SolarWinds scandal is the widespread presence of dishonesty and duplicity within the organisation, indicative of a corporate culture that tolerates such behaviour. Attributing this to the corporate culture inherently implicates the leadership. Although the Chief Information Security Officer (CISO) is currently bearing the brunt, the ethical climate was established by the entire executive management. Such corporate failings are not a matter of technical inadequacies but rather a reflection of leadership deficiencies.