CISOs could find themselves in a painful Catch-22 when the US Securities and Exchange Commission's new cybersecurity disclosure rules take effect in December.
With the US Securities and Exchange Commission (SEC) having charged SolarWinds and its CISO, and federal prosecutors having convicted Uber's former CISO, security executives feel the pressure to be absolutely precise when writing up security incidents that the company has decided are material. Things get tricky because even if the CISO's report is perfect, someone further up the chain (the CEO, the CFO, general counsel, or even a board member) might make a change that the SEC finds problematic and possibly fraudulent.
Here's the big problem: if the CISO sees the final version and realizes that the filing is misleading the SEC, that CISO can't just sit back and say, "Well, what I wrote was fine. If the CEO makes a change, that's on the CEO." Federal securities law offers whistleblower protections to a CISO who reports the misstatement to the SEC; a CISO who knows the filing is misleading and stays silent instead risks being charged as a participant in the fraud.
As bad as that may seem, it's worse. Whistleblower protections only apply if the CISO is right and there actually is fraud. If the CISO is wrong, there are no protections, and the company can retaliate however it wants.