The SEC’s disclosure-related charges against software company SolarWinds and its CISO are a game-changer.
Why it matters: The enforcement action signals that the SEC espouses a broader view of accountability, one that extends beyond the certifying officers — namely, the CEO and CFO — to the rest of the C-suite and other senior leaders possessing and providing information and insights affecting public reports.
The big picture: The SEC’s enforcement statement conveys zero tolerance for neglect and indifference to properly informing investors of material information.
What’s next: CFOs must help their colleagues navigate what likely amounts to a new era of personal accountability for SEC registrants.
The U.S. Securities and Exchange Commission’s (SEC’s) disclosure-related charges against software company SolarWinds and its chief information security officer (CISO) are a game-changer. The enforcement action signals that the SEC espouses a broader view of accountability, one that extends beyond the certifying officers — namely, the CEO and CFO — to the rest of the C-suite and other senior leaders possessing and providing information and insights affecting public reports.
While the CFO (like the CEO) is ultimately on the hook for the accuracy of information contained in public filings, the SEC will not turn a blind eye toward others who contribute to egregious reporting errors or omissions. This means that CFOs must help their colleagues navigate what likely amounts to a new era of personal accountability for SEC registrants. How well finance chiefs fulfill this role will directly affect the magnitude of risk assumed by their peers as well as themselves.
Personal Accountability Expands
On October 30, the SEC announced charges against SolarWinds and its CISO for fraud, internal control and disclosure failures relating to allegedly known cybersecurity vulnerabilities. The complaint maintains that the company and its CISO defrauded investors by overstating its cybersecurity practices and concealing known risks related to the extended cyberattack the company experienced from 2018 to 2020. Among other allegations, the SEC states that SolarWinds misled investors by providing “only generic and hypothetical cybersecurity risk disclosures” when the company and CISO knew of specific deficiencies in cybersecurity practices as well as increasingly elevated risks that the company faced.
The SEC’s enforcement statement conveys zero tolerance for neglect and indifference to properly informing investors of material information. Historically, the SEC has focused on the CEO and CFO, insofar as executive officer accountability is concerned. The charges against the SolarWinds CISO imply that, in any situation involving a blatant omission of material facts in reports to the investing public, the SEC will now hold culpable executives accountable.
Finance chiefs have for years focused on mitigating cybersecurity risks. According to a recent survey of global finance leaders conducted by Protiviti, data privacy and cybersecurity rank as a top priority for CFOs to address in the coming year. But the SolarWinds enforcement action is not just about cybersecurity. It suggests that CFOs have a role to play to ensure their peers understand their respective responsibilities in the overall reporting process. As such, chief human resources officers, chief sustainability officers, chief risk officers and other executive leaders should take note of the potential for increased oversight of their operations by the SEC to the extent that they are involved with activities, decisions, information and risks affecting financial and non-financial reporting and other public disclosures.
Taking the Lead
To take the lead in reinforcing, among all executive leaders, the importance of providing reasonable assurance that the information they furnish for public disclosures is accurate, CFOs can take the following actions:
- Start with a culture that stresses the importance of accurate public disclosures.
Besides focusing on protocols relating to financial and non-financial reporting compliance, CFOs should prioritize building a robust risk governance culture that supports adherence to applicable laws, regulations and internal policies. They should emphasize that, under federal securities laws, responsibility for the adequacy of public disclosures ultimately falls to everyone possessing and contributing information either required by statute or regulation or deemed material to investors. Voluntary disclosures, such as those being made by many companies in the area of ESG, need to be no less accurate than those that are required.
- Clarify roles and responsibilities.
Disclosure committees and the disclosure process need the right information reported through appropriate channels to function effectively. If there isn’t timely access to the needed information, their effectiveness is diminished. To that end, the CFO should take the lead in delineating the roles and responsibilities of this committee, individual executives, financial and public reporting preparers, and other contributors to the disclosure process.
- Engage internal stakeholders.
The CFO should engage peers in the C-suite and across business units, functions and geographies, as well as appropriate subject-matter experts in complex areas, by making them aware of significant matters under their auspices having disclosure implications. If issues in a specific domain that have potential disclosure implications arise, the responsible executive has a duty to ensure sufficient resources are brought to bear to obtain the necessary insights to satisfy the disclosure requirements.
- Support and empower individual at-risk executives.
Executives who own activities, decisions and information having significant public reporting implications should be empowered with a clear mandate, have the authority to initiate positive change and be adequately resourced. Escalation protocols should facilitate unfiltered communications to the certifying officers and the audit committee on sensitive matters.
- Encourage at-risk executives to think before signing.
Many organizations support the Sarbanes-Oxley Section 302 quarterly executive certifications with an internal sub-certification process in which others charged with reporting and disclosure responsibilities represent, via their signatures, that they provided appropriate information for external reporting and disclosure purposes and maintain appropriate internal controls. All at-risk executives should give careful thought to whether they discharged their respective disclosure responsibilities before signing these “backup certifications.”
- Forge a chain of accountability.
Backup sub-certifications provide a “chain of certifications,” but they do not necessarily provide assurance that reliable information is being furnished to management and preparers for timely disclosure. As an alternative, a “chain of accountability” arises from clearly linking required disclosures to the internal reporting processes that are designed to deliver the necessary information in a timely manner to those making disclosure decisions. For disclosure processes that pertain to critical issues, such as cyber breaches, the company should encourage the responsible executives to evaluate the related risk and control points, understand the sources of relevant data (which are likely not from traditional or finance-related information), identify gaps, and formulate action plans to close the gaps.
- Evaluate the disclosure process.
It is not lost on CFOs that the quarterly certifications they sign assert that they are “responsible for establishing and maintaining disclosure controls and procedures.” To that end, periodic assessments of the disclosure infrastructure should consider the organization’s performance expectations, incentive compensation programs and other behavior-influencing practices that may impact fair reporting. The CFO and disclosure committee should monitor emerging disclosure risks and determine whether any aspects of the company’s culture could impede the goal of fair reporting. Responsible executives should be encouraged to escalate any concerns regarding the efficacy of disclosure controls and procedures.
- Make it clear that personal accountability is expanding.
ESG and other emerging non-financial reporting and disclosure requirements are increasing the volume of non-financial data incorporated in SEC filings. As such, CFOs must ensure non-financial data is collected and calculated with sufficiently rigorous completeness, accuracy and consistency.
The SolarWinds enforcement action is hardly the first time SEC officials have emphasized the need to avoid generic disclosures in favor of accurate and complete accounts of material risks, including those related to cybersecurity. In July, SEC Chairperson Gary Gensler asserted that companies and investors alike “would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.” In his speech, Gensler noted, “Our markets depend on a basic bargain. Investors get to decide which risks to take so long as companies raising money from the public make full, fair, and truthful disclosure.”
The SEC has put public reporting companies on notice. Fulfilling their end of this bargain now requires CFOs to take a more active, hands-on role in helping colleagues avoid personal liability for violating federal securities laws.
This article originally appeared on Forbes CFO Network.