Moving Beyond a Security-Based Mindset: The Need for Integrated Disclosure and Internal Controls

In today’s interconnected and complex business environment, it is crucial for organizations to shift away from a security-based mindset that focuses narrowly on immediate threats. Instead, they must adopt an integrated risk management (IRM) approach that balances both tactical and strategic risk perspectives. Lessons learned from the SolarWinds cyberattack serve as a stark reminder of this necessity. The attack, discovered in December 2020, involved the insertion of malicious code into SolarWinds’ Orion software, compromising thousands of organizations, including key U.S. federal agencies. This incident revealed the limitations of traditional cybersecurity strategies and underscored the urgent need for robust internal and disclosure controls.

Understanding the SolarWinds Attack

The SolarWinds attack compromised multiple U.S. federal agencies, including the Department of Homeland Security and the National Nuclear Security Administration. The attackers used the Golden SAML flaw to gain unauthorized access to sensitive data, significantly impacting national security operations, COVID-19 research, and vaccine distribution efforts.

A unique aspect of the SolarWinds attack was that it exploited a software supply chain vulnerability. The attackers inserted malicious code into a software update that SolarWinds shipped to its customers. From that foothold they carried out the Golden SAML attack, forging authentication tokens and accessing critical systems undetected. This infiltration method underscored the interconnected nature of modern tech ecosystems and the cascading effects that a single vulnerability can have across numerous organizations.

The Limitations of a Security-Based Mindset

A security-based mindset often focuses narrowly on the immediate asset under threat, emphasizing compliance and assurance by addressing risks based solely on their direct impact and likelihood. However, this perspective can be limited and insufficient in addressing integrated risk scenarios that span multiple assets, business processes, and strategic objectives.

The security boundary concept prevents recognizing the broader implications of vulnerabilities like the Golden SAML flaw. It does not account for how vulnerabilities in one area (such as on-premises servers) could affect other interconnected systems (like cloud services). This narrow focus ignores the integrated nature of modern tech ecosystems and the cascading effects that a breach in one area could have on others.

Shifting from Tactical to Strategic Risk Management

Organizations often adopt a limited view of risk, focusing solely on loss minimization through tactical risk assessment, emphasizing high versus low risk. This approach can result in poor prioritization of resources and inadequate preparation for complex, integrated risk scenarios. A comprehensive risk management strategy should also include a strategic view of risk, assessing good versus bad risk to optimize profit and enhance organizational resilience.

Figure: Risk maps of the IRM Navigator™ Framework by Wheelhouse Advisors. Source: Wheelhouse Advisors IRM Navigator™ Reports.

  • Compliance and Assurance (Tactical View):

    • Impact vs. Likelihood: This matrix assesses risks based on their potential impact and the likelihood of occurrence, categorizing them into high-risk and low-risk, primarily focusing on minimizing losses. Internal controls often result from this tactical view.

  • Resilience and Performance (Strategic View):

    • Value vs. Appetite: This approach considers the value a risk brings to the organization and the appetite for taking such risks, distinguishing between good risk and bad risk, thus optimizing profit and fostering innovation. Disclosure controls result from this strategic view.

Path Forward: Embracing a Dual Lens Approach with IRM Navigator™

Organizations must transition to an integrated risk management framework that balances these two perspectives. By doing so, they can better anticipate and mitigate risks while aligning them with their strategic objectives. This dual-lens approach ensures that risks are not merely seen as threats to be avoided but as opportunities for growth and innovation, fostering a more resilient and adaptive organizational culture.

Wheelhouse Advisors, through their IRM Navigator™ framework, exemplifies this dual-focus approach. As detailed at www.wheelhouseadvisors.com, the IRM Navigator™ is designed to provide organizations with a comprehensive strategy that integrates both tactical and strategic views of risk. This methodology allows businesses to balance compliance requirements with performance objectives, thus enhancing both resilience and value creation.

The Need for Effective Disclosure and Internal Controls

Figure: IRM Navigator™ Framework graphic by Wheelhouse Advisors. Source: Wheelhouse Advisors IRM Navigator™ Framework, 2024.

Another critical aspect highlighted by the SolarWinds incident is the lack of effective disclosure and internal controls in many organizations. Despite their expertise and persistence, the individuals who identified the risk struggled to communicate it beyond the security and product teams, which were motivated to accept the risk under business pressure. Effective disclosure and internal controls would provide a direct channel to escalate concerns to higher management, including the board of directors, ensuring that significant risks impacting business operations are addressed promptly.

Additionally, the U.S. Government Accountability Office (GAO) report on the SolarWinds attack reveals that while the response included coordinated efforts from multiple agencies, there were significant gaps in detection and response capabilities. The GAO emphasized the need for improved interagency communication, better threat intelligence sharing, and enhanced incident response planning. These points further underscore the importance of a robust IRM framework that includes strategic risk assessments and integrated technological solutions to prevent and mitigate such breaches.

SEC Order Against R.R. Donnelley & Sons Co. (RRD)

A recent example of the regulatory consequences companies face today without effective IRM practices is the SEC's order against R.R. Donnelley & Sons Co. (RRD). The SEC found that RRD failed to design effective disclosure controls and procedures related to cybersecurity risks and incidents. Between November 2021 and January 2022, RRD's inadequate internal controls led to a delayed response to a ransomware intrusion, resulting in significant data exfiltration and business disruptions.

Summary of SEC Violations and Penalties:

  • Violations: RRD violated Exchange Act Section 13(b)(2)(B) by failing to maintain sufficient internal accounting controls and Rule 13a-15(a) by not maintaining adequate disclosure controls and procedures.

  • Penalties: The SEC ordered RRD to cease and desist from future violations and imposed a civil money penalty of $2.125 million.

SEC Charges Against SolarWinds and New Cybersecurity Risk Management Rules

The SEC's actions against SolarWinds highlight the increasing regulatory pressure for robust cybersecurity practices. In June 2023, the SEC issued a Wells notice to SolarWinds, signaling the intention to pursue enforcement action for inadequate public statements and internal controls related to the hack. The SEC charged SolarWinds and its Chief Information Security Officer (CISO) with concealing cybersecurity vulnerabilities. This unprecedented move against a cyberattack victim underscores the imperative for effective risk management.

As clarified in recent guidance, the SEC's new cybersecurity risk management rules mandate public companies to disclose material cybersecurity incidents promptly. These rules emphasize the necessity for comprehensive and integrated risk management practices to ensure timely and accurate cyber incident reporting, aligning with compliance and strategic risk objectives.

Implementing the Dual-Focus Approach:

  1. Risk Identification and Assessment: Use a combined lens of likelihood and impact (tactical) with value and appetite (strategic) to identify and assess risks.

  2. Prioritization and Response: Develop response strategies that align with compliance requirements and strategic goals, ensuring a balanced approach to risk management.

  3. Continuous Monitoring and Improvement: Regularly review and adjust risk management practices to adapt to evolving threats and opportunities.

The SolarWinds incident underscores the necessity for companies to utilize the IRM Navigator™ framework and approach, moving beyond a narrow focus on security. By integrating compliance and performance views and implementing robust disclosure and internal controls, organizations can enhance their resilience and thrive in an increasingly complex risk landscape. Take proactive steps now to align your risk management practices with strategic business goals, ensuring robust protection and sustainable growth.

John A. Wheeler

John A. Wheeler is the founder and CEO of Wheelhouse Advisors, a global risk management strategy and technology advisory firm. A recognized thought leader in integrated risk management, he has advised Fortune 500 companies, technology vendors, and regulatory bodies on risk and compliance strategies.

https://www.linkedin.com/in/johnawheeler/