After retaining counsel, all subsequent moves are fraught with danger. “If the CISO believes that there has been a fraud to the SEC, the CISO has an obligation to report it to the board. That may itself be corporate suicide,” Rasch said, adding that the next move-going to the feds-is even more problematic. “Going to the SEC is crossing the Rubicon.”
“The CISO is not an expert on SEC disclosures, but you have an officer who now knows that the company made materially false disclosures,” Rasch said. “There is a legal obligation for the CISO to do so if the CISO is right. And only if the CISO is right.”
Rasch then tempered his comment slightly, as he tried to articulate what an SEC lawyer is likely to consider. “You don’t necessarily have to be right, but you have to be reasonable. It’s going to be a question of degree.” In other words, if the CISO suspects fraud but chooses to not report it to the SEC or to the board, the CISO might not be prosecuted if the SEC concludes that the CISO reasonably assessed that no fraud existed. If the CISO is certain that fraud did exist, there is an obligation to report.
Set expectations for SEC filings when hired
Brush argues that CISOs need to negotiate when they accept the CISO role that they would have final say on SEC filings that deal with cybersecurity matters. At the very least, Brush said, the CISO should insist that the CISO be asked about any changes before they are final so that the CISO has an opportunity to argue why the change may be a bad idea.
Put objections to SEC filings in writing
Beyond that, Brush suggests that CISOs put in writing any objections to filing. “If I have a dissenting view, I want it on the record,” Brush said. That doesn’t mean that it will be included in the filing. It merely means that the document is placed in a personnel folder or some other private location. If things blow up months later and become a legal mess, the SEC can discover the document that makes it clear that the CISO objected.
“If there is any IR [incident response] report that never sees the light of day, I am going to be putting in a dissenting view and making sure that it is filed away somewhere,” Brush said. “That’s an ace in your back pocket.”
