The Securities and Exchange Commission’s lawsuit against SolarWinds for misleading cybersecurity disclosures didn’t just make headlines — it made history. The case represents a seismic shift in regulatory expectations and enforcement around cybersecurity, particularly for public companies and government contractors.
Organizations handling sensitive data now face a new era of accountability and scrutiny, where meeting mandatory minimum cybersecurity standards is considered essential to fiduciary duty and, for federal contractors, national security.
Make no mistake; this isn’t just the SEC flexing its regulatory muscle. SolarWinds is the opening salvo in a coordinated federal push to enforce cybersecurity requirements. The line in the sand everyone has been waiting for has finally been drawn.
Line in the Sand
Practically speaking, this means that chief information security officers (CISOs) at publicly traded companies will have to be much more thoughtful and documented in designing, implementing, and managing their cybersecurity programs. Similar to statements made, reports generated, and opinions issued by chief financial officers, CISOs now have a similar weight on their shoulders. Some may welcome this, as they’ve been advocating for a seat at the table for many years. It’s good news and bad news: You got your seat at the table, and it comes with accountability.
Federal contractors with the Department of Defense (DoD) have been waiting to see just how far the government is willing to go to enforce cybersecurity compliance. The DoD has required prime and subcontractors in the defense industrial base to self-attest their levels of cybersecurity for years, by inputting compliance scores into a federal database. A study conducted by Merrill Research found that only 36% of contractors submitted those scores, down 10 percentage points from last year’s inaugural report.
Risk Work-Around
Some companies have taken the approach of simply entering perfect scores, knowing that there was no active program on behalf of the government to validate reported scores, and therefore no consequences for inaccurately reporting cybersecurity risk. This SEC case immediately exposes publicly traded companies in the defense industrial base, and there are many additional legal risks If they don’t accurately report compliance with existing cybersecurity mandates.
Just last summer, for instance, Aerojet Rocketdyne agreed to pay $9 million to settle a False Claims Act case in which the Department of Justice said the company knowingly misrepresented its security posture.
The Merrill Research study showed many contractors simply don’t think they have to comply despite signing lucrative contracts compelling them to comply. For instance, only 19% of respondents implemented vulnerability management solutions, and 25% have secure IT backup solutions, both required by the DoD. Yet 40% go beyond what the law requires and explicitly deny the use of Huawei Technologies products, which the Federal Communications Commission (FCC) designated as a national security risk.
The inability to achieve compliance or misrepresenting security posture can lead to loss of current and future government contracts — a massive blow to revenue and shareholder value.
However, the damage extends far beyond legal and financial consequences. For contractors, poor cybersecurity potentially exposes critical American technology, weapons systems, and other national security assets to sophisticated foreign adversaries such as China, Russia, Iran, and North Korea. Lives and the future of geopolitics hang in the balance.
The alleged Boeing breach by ransomware gang LockBit underscores the urgency. It highlights the cyber-risks contractors face amid heightened cybersecurity requirements. The reality is that determined, sophisticated adversaries are constantly seeking access to sensitive government and commercial data, and years of public-private partnership went into developing the cybersecurity requirements that are our best shot at protecting all that information.
A pending federal law, the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, will soon impact hundreds of thousands of DoD contractors by enforcing and auditing for compliance against the mandatory cybersecurity minimums that exist in well over 1 million contracts dating back nearly a decade. In a worst-case scenario, if a publicly traded defense contractor is found to fail a compliance audit but has previously reported full compliance, it is now subject to action by the SEC.
The era of checking compliance boxes without earnest commitment to security is over. The SEC showed that public companies, and even specific executives, will now be held accountable for cybersecurity as a matter of law and national security. Half-measures and obfuscation will expose organizations to substantial liability. To protect stakeholder data, investment, trust, and competitive advantage, executives must make cybersecurity a top priority. The government has sent an unmistakable message — it isn’t willing to take a “trust, but don’t verify” approach any longer.