SEC Compliance: Lessons From the SolarWinds Case
Walker Newell and David Anderson of Woodruff Sawyer Discuss SEC Rules

The Securities and Exchange Commission's handling of the SolarWinds case has transformed the landscape for CISOs already grappling with constant cyberattacks. The SEC's shift reflects the increasing focus on personal liability and the critical role of cybersecurity disclosures in regulatory frameworks, said Walker Newell, vice president, securities litigation and enforcement, at Woodruff Sawyer.
"One of the big lessons for folks who are in the cybersecurity community is: You have to use this as an opportunity to build closer ties with your legal organization, with compliance folks and with the finance organization," Newell said.
In this post-SolarWinds world, the cyber risk management imperatives are "having the right controls in place, and making stakeholders aware of what needs to get done," said David Anderson, vice president of cyber at Woodruff Sawyer. Meeting SEC guidelines requires clear reporting requirements internally, he said.
In this video interview with Information Security Media Group at the Fraud, Security and Risk Management Summit, Newell and Anderson also discussed:
- Integrating SEC reporting requirements into incident response plans;
- How CISOs can take a more active role in the disclosure process;
- How CISOs should approach materiality when assessing and reporting incidents.
Newell has more than a decade of experience leading high-stakes investigations and litigation as a lawyer in defense, regulatory enforcement and in-house roles. He offers clients a nuanced and business-focused perspective on financial services and cybersecurity liability issues.
Anderson focuses on complex cyber, privacy, technology and professional liability issues and is a dedicated and fierce advocate for his clients. He has extensive experience in risk assessment, risk management and pre-breach network security risk discovery, as well as hands-on post-incident client support and claims advocacy.