
Podcast

Specialty Podcast: A Look Inside the SolarWinds Cyber Incident & SEC Charges

By Alliant Specialty

How did the SolarWinds cyber incident evolve into one of the most significant cyber-attacks of our time, triggering SEC charges against SolarWinds and its ex-Chief Information Security Officer? Join Brian Dunphy, CJ Dietzman, Steve Shappell and David Finz as they examine this complex cybersecurity breach and explore the SEC's stance, the implications for D&O and cyber insurance, and strategies to fortify cyber defenses.

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Brian Dunphy (00:08):
Hello everyone. Brian Dunphy here on the Alliant Specialty Podcast Network. I'm here today to talk about the Securities and Exchange Commission's (SEC) decision to file charges against SolarWinds and its former Chief Information Security Officer. Joining me on the pod today are three of my colleagues in Alliant Specialty. I'm joined by Steve Shappell, head of Claims and Legal, David Finz, Cyber Claims Counsel, and CJ Dietzman, Senior Vice President and consultant in Alliant Cyber. Welcome, gentlemen. Thanks for the time.

Steve Shappell (00:37):
Thank you.

Brian Dunphy (00:38):
So, as I mentioned, we're here to talk about the SolarWinds developments in the last couple of weeks and how the SEC has decided to charge its former CISO with violations of the 34 Act. I think it’s the SEC's way of saying, we warned you that we were coming for you if you didn't pay closer attention to cyber hygiene, and they're here now for your stuff. Is that a fair statement?

Steve Shappell (01:01):
Yeah, I think it's a really good description of the shot across the bow here.

Brian Dunphy (01:05):
Yeah, I agree. And CJ, just since this happened, the underlying incident happened roughly three years ago. Can you recap for the listeners what SolarWinds does as a business and what happened as the tipping point?

CJ Dietzman (01:20):
Most certainly. And thank you so much, Brian, and great to be talking about this critical topic with Alliant colleagues. It's been coming up a lot over the past couple of years, and most certainly since the SEC's action in October, it's more relevant than ever. Let's talk about it. A couple things to know, as you say, Brian, dating back to 2019, and first things first, who SolarWinds is and the fact that this is a pretty extreme case and a massive and significant cyber attack. I think for years as cybersecurity practitioners are toiling in this realm, and cyber risk management leaders, we've all heard discussion about a significant supply chain attack targeting a widely used software platform across federal and municipal agencies and the commercial sector that could be exploited by cyber attackers to propagate a significant breach at scale.

And guys, that's exactly what happened, isn't it? It's the sum of all fears in many ways. Brian, the perfect storm, how else can I say it without being too cliche? And in all seriousness, who is SolarWinds? Many organizations, particularly large organizations, have leveraged SolarWinds services for IT infrastructure and software management. They've got thousands and thousands of clients worldwide, installations of their software tools and services. So, the scale is massive, global across the private and public sectors. Specifically, let's talk about the platform that was compromised here. They have an offering called Orion, and somewhere on the order of 30,000 plus global customers, including in the U.S., three-letter agencies, federal agencies, states, municipalities, as well as very large private organizations. And this Orion software, Brian, as you well know, was leveraged to instrument, monitor, configure and manage information systems and technology platforms, and essentially had pervasive and sweeping access across technology architecture.

Long story short, the malicious actors were able to compromise the SolarWinds environment. So, if we think upstream, this would constitute the early days of a supply chain attack: a pervasive, large-scale enterprise service provider was compromised. Malicious actors, after compromising the environment, were able to poison, for lack of a better phrase, and in the spirit of simplicity here, they were able to poison and infect the Orion code with backdoor software, enabling a hole in the platform to be distributed by SolarWinds eventually downstream. Now we see the flow in the supply chain across that population of thousands of SolarWinds Orion client installations. So, now we've got a propagated attack that was sourced upstream in the supply chain, distributed out through a trusted channel, through the SolarWinds channel, that ultimately allowed the malicious parties, the attackers, to get access not only to SolarWinds, but through that backdoor and its propagation into thousands of customer installations into those customer environments, and to be shielded and shrouded under the cloak of SolarWinds' legitimate traffic; difficult to detect. This dates back to September of 2019, ultimately to February of 2020 where the malicious code known as SUNBURST was injected into the Orion platform. And then ultimately in March of 2020, where SolarWinds started sending out the infected SolarWinds Orion updates to clients. So, this is going back a ways and ultimately not discovered in a meaningful way until somewhere on the order of December of 2020. So at that point, damage done, malicious actors crawling all over customer environments; just bad all around.

Brian Dunphy (05:24):
Yeah, and I think that the thing that you mentioned there, CJ, which is critical in two different aspects, is you use the word trust. And so, clients and customers trusted SolarWinds as a provider of these services through software. And on the other side, you had investors in SolarWinds that trusted that the security measures taken and deployed by SolarWinds were effective and therefore made SolarWinds a good investment for them to return value on that set investment. So, to the surprise of no one, Steve, this cyber attack triggered a stock drop, which in turn led to a shareholder class action claim, which was ultimately settled, I believe. But the SEC came back around and issued Wells Notices specifically to the CFO and the former CISO. Steve, walk us through the process from your perspective on how the SEC got to this point and what is to come.

Steve Shappell (06:19):
Yeah, and as CJ noted, the scope of this breach was large because of the impact on SolarWinds' customers and clients. And so it really did get the attention of the SEC. So, in addition to the SEC taking very seriously their obligation to truly monitor and enforce the securities laws as to issuers, the scope of impact was dramatic. And that's what led to the SEC opening an investigation and aggressively following the leads and doing a tremendous amount of investigation, informal and then formal. And when you read the complaint, some of the information and perception of the callous disregard for the seriousness of the issues led the SEC to really become quite unhappy about the lack of commitment to the integrity of the controls and then the disclosures of the controls, and thus the issuing of a Wells Notice, which is basically, this investigation is overwhelming.

The conduct revealed and the disclosures and the quality of the controls compared to the disclosures made just don't line up. So, you get a crack at convincing us to not file this enforcement action. And obviously the Wells Notice and subsequent response didn't convince the SEC of anything other than filing, truly a first of its kind enforcement action here; it's pretty telling. But the one takeaway I don't want to have is to dismiss this and not have lessons learned for other issuers and companies just because the conduct here as pled is pretty egregious, to your point, Brian, that you made earlier. The SEC is making a really clear statement that they take this seriously and they are going to enforce the law on the disclosures. While this was the first, it's not going to be the last. And so there are some lessons to be learned here.

Brian Dunphy (08:15):
Yeah. And I think even to the point that what is believed to be some of the internal communications that were sent around, the lack of quality of controls are incredibly damning. So, this brings us back to the Venn diagram of D&O insurance, cybersecurity and cyber liability. So David, as it relates to cyber liability insurance, setting aside the cost related to the initial breach in the response, how would a cyber liability policy respond in this circumstance, if it would at all?

David Finz (08:50):
Thanks, Brian. In a nutshell, it wouldn't, or at least we wouldn't expect an off cyber policy to pick up this type of inquiry by the SEC. This is the SEC in its role as a protector of investors. This is not about a privacy issue. Now, there are SEC activities that could trigger cyber coverage. For example, an action brought under Regulation S-P, which requires broker-dealers and investment advisors to maintain some cybersecurity standards in order to protect investors' personal data. That's not what this is about. This is really in their capacity as an enforcer of securities laws. And as such, we would look to a public company D&O form, presumably, to respond to this. And I think Steve is eminently better versed in that area. And I'll defer to him on how that might respond.

Brian Dunphy (09:48):
Well, don't sell yourself short. I'm sure you could figure that out, David, but you're right. This is one of those situations where we have an officer being a CISO who would customarily look for protections for his or her activities under a cyber policy where they are more comfortable, but they're being brought into an alleged act here that is squarely under a D&O policy, that probably the ones that were written originally never really contemplated, even the role of a CISO. But there is a silver lining here, at least in how D&O policies are historically written. But Steve, I think you and I and others, we have some shared concerns about how insurers may react to these developments or have already taken measures to try to wall off cover related to cyber incidents.

Steve Shappell (10:39):
Yeah, absolutely. Because as David pointed out, this is a securities claim. This is the SEC bringing a claim based on this issuer buying and selling securities. And so that's what this is about, and it fits the definition of a securities claim. The concern that we're seeing is, in my view, dramatic overreaction of an attempt by markets to add network liability exclusions. There's no need for network liability exclusion. This claim is a securities claim, and that's what D&O policies are designed to respond to. So, it's something that we’re paying a lot of attention to and where we can, we're going to have conversations that it's unfortunate when the SEC comes knocking because the SEC can be very expensive and can be very aggressive, but this fits precisely within a D&O policy of what we expect and the fact that it's, but for a network breach, the claim wouldn't have happened.

We can't lose coverage over that. Because to David's point, we get that network breach. The traditional coverage from a network breach belongs in a cyber policy. Similarly, we get that a securities claim belongs in a D&O and we don't look for the cost of correction and cost to respond to our cyber breach in a D&O policy, but we do look for securities coverage in a D&O policy. You had mentioned the information security officer's title; they're likely a quote officer as defined by most policies. But the other good thing about this is most policies correctly avoid that dilemma of, is an information security officer a duly elected and appointed director and officer? Well, it doesn't matter because the policy is going to respond to all directors, officers and employees for a securities matter. And that's kind of the breadth that we have and we must maintain to avoid any gaps in cover. Because this exposure, while again, first of its kind, this is predictable, that the SEC would come after an issuer for the quality of its disclosures that it makes to its investors.

Brian Dunphy (12:38):
Yeah, there have been warnings issued by them and a trail of breadcrumbs the size of local Italian bread been left out there by them that this was happening or going to happen eventually. So, this all comes back to vigilance around cyber hygiene, especially for companies like SolarWinds. CJ and David, talk from your personal experiences, if you can, for the real value that's derived by corporations, companies and organizations for what I would broadly call periodic cyber checkups and just generally constant vigilance around the issues and staying current.

CJ Dietzman (13:14):
Sure. And you know, I was just sitting here, fantastic dialogue fellows, particularly David and Steve and Brian, really good stuff. I'm listening. A couple things to talk about and then I want to hear from David. First things first, when I read through the SEC's charges in their document filed in October, and I look at some of the disclosed and released internal emails, communications, statements coming out of SolarWinds; a couple things to know. They had some, what appeared to be fairly significant control and security deficiencies that they were aware of with their most critical client-facing product line and infrastructure. So, no organization is perfect. But reasonable and defensible. Reasonable and defensible, when we think about cybersecurity controls, certainly to your point, Brian, ongoing assessment and review, we've got to stay vigilant, but we need more than that.

And more specifically, when I think about us as the good guys and our clients, we only have to be wrong once, we only have to miss one thing. On the flip side of that, the bad guys only have to be right once. And really bad things can happen, catastrophes can happen. It can be the genesis of a vulnerability, a soft spot that can be exploited by a bad guy. And how do we prevent that in a reasonable and defensible manner in the context, thinking about some of the things that were disclosed with SolarWinds and what was going on there? Right off the bat, security and the software development lifecycle. We've got to apply robust principles and tollgates throughout to make sure to reduce the risk of introducing this type of vulnerability that gets distributed widespread as a trusted provider. Our SDLC has to be rock solid as much as possible. The other thing I'll say, the consistency and implementation of controls. I just mentioned the concept of we only have to be wrong once, the bad guys only have to be right once, therefore, consistency. We can't just make high level statements. I'm sure, David, you agree we can't just make high level statements about academic security; we've got to deploy it consistently where it matters most.

David Finz (15:25):
No, that's absolutely right, CJ. I think this is a cautionary tale for CISOs. They need to be able to demonstrate due diligence to the board, to investors and ultimately to maintain the trust of regulators. If they can't do that, then apart from the fact that there's potential liability there from an insurability standpoint, these are the types of things that cyber underwriters want to hear about as well. So, when we're talking about proactive risk management, we're talking about incident response planning, we're talking about testing your incident response plan, holding tabletop exercises to make sure everybody understands their assigned swim lane, if there is a crisis, and how they're going to communicate what messaging goes out to stakeholders. This is all stuff that needs to be fleshed out in advance. And again, the things that regulators are going to want to see in that regard are the things that cyber underwriters are going to want to see as well. So, you know, compliance does not equate to security, but compliance will potentially keep you from liability. And for CISOs right now, looking at what happened with SolarWinds, it's sort of a textbook example of what not to do.

Brian Dunphy (16:42):
CJ and David, thank you. I think that just again, to underscore this, I think that center part of the Venn diagram is getting a lot larger in the overlap of the two circles of D&O and cyber. And I think that this has been a great discussion and I think we'll call it a wrap here. There's a lot more to come in this topic across all of our Alliant platforms. So I would encourage everyone to stay tuned. If you have any questions, you can reach out to any of the four of us or any of our colleagues across the country, and we look forward to connecting with you and telling you more about the more rewarding way to manage risk. Thanks everybody.


Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.