SolarWinds Ruling: Why CISOs Need to be Aware of FraudIndustry Experts Warn of Reckless Market Statements Potentially Constituting Fraud
The U.S. Securities and Exchange Commission in late October charged SolarWinds and its CISO with fraud and internal control failures.. Without the correct understanding of fraud, organizations and CISO who recklessly make incomplete and misleading statements to the market, whether to sell products or preserve stock prices, are not realizing they have created the potential for regulatory action and criminal enforcement for fraud, said Paul Dunlop, COO at Fraud Doctor, and Steve Hindle, CISO and founder of Achilles Shield (see: SEC Alleges SolarWinds, CISO Tim Brown Defrauded Investors).
Companies should not think that the SEC is out to get them, said Dunlop. "The SEC is not out to pick on these professionals trying to do a difficult job in a difficult space, but they carry a real standard for getting it right. There is a level of accountability," he said. "I don't think anybody is picking up on any one person. The regulator is trying to address too much risk in the market."
CISOs in particular, said Hindle, must acclimate to new expectations of transparency. "We look at things through a lens of: 'What are we telling our internal stakeholders? What are we telling our people?' And then: 'What are we outwardly talking about? How are we outwardly positioning risk?' Most mature CISOs will create a risk register. They will do a business impact analysis to examine the risk to the company. That's just maturity in risk management," he said. "But then you can't say in your public statements and filings: 'We are not impacted by these risks.'"
In a video interview with Information Security Media Group, Dunlop and Hindle discussed:
- Why companies do not talk about this type of fraud;
- How CISOs can be more aware of occupational fraud;
- A case study on how businesses have handled occupational fraud.
Dunlop joined Fraud Doctor in 2018. He has over two decades of in-house industry experience in designing and leading fraud and related risk management programs across the global banking and insurance industries.
Hindle is a tenured CISO, board member, and the founder of Achilles Shield, a global cybersecurity consulting and advisory organization that specializes in building lean programs. He leads organizations through complex change and delivers crisis response in globally disrupting events, including cyberattacks, breaches, civil unrest, and natural or man-made disasters.