The Importance of Sound Risk Management in the Wake of the SEC's Recent Charge Against SolarWinds
Published On November 1, 2023
The cybersecurity industry is hotly debating the Securities and Exchange Commission's (SEC) October 30 charges against SolarWinds' former Chief Information Security Officer.
“The Securities and Exchange Commission today announced charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”1
The SEC press release contains scathing remarks regarding SolarWinds security practices, or rather lack thereof, and deceptive public statements that misled inventors.
This is the first complaint SEC has filed since publishing their Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Final Rule.2
“Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents. We are also adopting rules requiring periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.
This filing leaves security leaders asking themselves, "I am absolutely drowning in a sea of vulnerabilities, alerts, and known risks. How can I ensure I'm adequately addressing vulnerabilities and risks within my organization?" In this blog post, we will explore a sound risk management approach and steps healthcare organizations can take to avoid the appearance of failing to address risk.
Don’t panic. No regulator expects you to clean up every single vulnerability or risk within your organization, but they do expect you to demonstrate a sound risk management program.
Conducting routine risk assessments based on a standard framework such as NIST, HITRUST, or SOC 2 Type 2 demonstrates you have a plan for identifying and remediating risk. Triaging the findings of the risk assessment and establishing remediation priorities lets you demonstrate year over year progress and helps to prevent misleading statements of risk.
By taking these steps, you can show regulators that you're taking risk management seriously and that you're acting in good faith.
You can take risk management to the next level by conducting routine penetration testing and remediation of highly targeted access points. The SEC's press release noted SolarWinds' insecure remote access as one of its most damning claims. Routine testing can help identify issues before they become severe, and remediation can prevent future attacks on your company.
Your vendors, suppliers, and contractors present a considerable risk, especially if they can access sensitive data or your IT environment. Implementing a sound vendor risk management program protects the largest and most vulnerable points of entry to your company.
Most importantly, as a security leader, don’t ignore dire warnings from your security staff regarding concerning vulnerabilities in your products, even if the products have been around for years. It is critical that you, as a security leader, are willing to be truthful with your C-suite and Board of Directors about the risks you face and your status in dealing with them. The days of whitewashing concerning risks and critical vulnerabilities are over.
Considering the SolarWinds complaint, you should also be proactively managing risk to prevent attacks in the first place. And if you’re at a company with leadership that is encouraging you to paint over the problems you know about, you have to consider what avenues you have available to move on. It’s a matter of personal preservation with this new precedent-setting charge by the SEC.
To protect your organization against regulatory scrutiny, capture your risk management approach in a formal documented plan. Define the industry standard framework that forms the basis of the plan. Describe your approach to annual risk assessments. Define your risk calculation methodology. Create a standard approach for reporting risk to your board of directors. Most importantly, implement the plan and review it on an annual basis.
A formal plan is vital to avoid the appearance of “sweeping risk under the rug.”
By implementing a sound risk management approach, security leaders can act confidently, knowing that they're doing everything they can to identify and address vulnerabilities proactively.
Meditology can help you maintain regulatory requirements by conducting security risk assessments using industry standard frameworks. We can also take it to the next level and determine where your organization is most vulnerable to bad actors by assessing your environment with various technical testing techniques.
CORL, our sister company, can conduct CORL Cleared™ vendor security risk assessments and provide a comprehensive picture of vendor risk in our CORL portal.
Do you want peace of mind for three years? RITHM™ bundles everything into one comprehensive risk management program. (Pronounced 'rhythm' and intended to convey the importance of achieving a rhythm to addressing your core security and compliance requirements.) RITHM™ is a subscription-based IT risk management program for healthcare built upon decades of experience working with some of the country's leading healthcare organizations. Tiered packages provide the flexibility to select the mix of services that best addresses your specific needs.
Contact us here to learn more.
BRITTON BURTON | SENIOR DIRECTOR OF PRODUCT STRATEGY
Britton is a cybersecurity and risk management expert with over a decade of dedicated experience in designing and leading security programs and teams in the healthcare domain. He has held multiple senior leadership roles in cybersecurity at a Fortune100 healthcare corporation with lines of business touching nearly every aspect of the modern healthcare ecosystem. Britton's multifaceted roles have encompassed critical areas such as risk management, executive communication and relationship building, governance, GRC, third-party risk management, incident response, disaster recovery planning, and policy and procedure management. Throughout his various roles, the central focus of his career has consistently been on developing and implementing practical risk management frameworks to help his stakeholders and customers make sense of the day-to-day chaos that is cybersecurity. Now, Britton applies this passion for practical solutions at CORL Technologies where he is the Senior Director of Product Strategy responsible for a methodology that is revolutionizing TPRM from a contract roadblock to a contract enabler.