SECURE POLICY

A New Coalition to Protect Cyber Professionals, Companies and Shareholders

Protect Your Chief Information Security Officer

Protect Your Company - Protect Your Shareholders

Updated: January 11, 2024


Overview:


SolarWinds was the victim of a concerted, ongoing cyberattack by Russian state-backed hackers. The results were catastrophic and cascaded around the world. On October 30, 2023, the Securities and Exchange Commission (“SEC” or “Commission”) took the unprecedented action of filing charges against the victim of a nation-state attack and targeted the CISO personally in its complaint.


This lawsuit blames the victim. Notwithstanding the facts of any one case, personally targeting the CISO has chilled the market. This comes at a dangerous time – threatening to stifle the nation’s cybersecurity progress in an increasingly perilous geopolitical climate. The SEC is sending the wrong message to cyber executives, and its action erodes trust in good-faith public-private partnerships that have taken decades of dialogue to establish.


Making CISOs personally liable for cyber-attacks against which few can defend dissuades individuals from pursuing cyber as a career. There is already a dearth of expertise and more than 750,000 cyber vacancies in the U.S. Ironically, this approach only undermines public company cybersecurity as well as the progress the U.S. government has sought to achieve through carefully coordinated, inter-agency private sector engagement.  


With 85% of U.S. critical infrastructure deployed and maintained by the private sector, it’s time for Congress to step in, protect companies and shareholders trying to do the right thing, ensure CISOs and Cyber Professionals have what they need to do their jobs without fear of prosecution, and protect the nation’s critical infrastructure. Join us in a new coalition grounded in sound corporate governance and committed to the needs of CISOs and Cyber Professionals across all sectors.


The Uncertain Cyber Liability Landscape: 


There is no silver bullet to keep out determined threat actors. Even the most secure entity can be breached when dedicated foreign adversaries target them. Cyber must be a team sport where everyone has a role to play — from the Board to management to support staff to government partners. 

The latest cyber governance requirements, an emerging wave of cyber regulations and standards, new private-rights-of-action, and lawsuits personally targeting cyber executives have created significant uncertainty and liability risk to manage. This only undermines innovation, collaboration, and efforts to promote open dialogue. Blaming the victim runs counter to best practices and efforts to establish trusted public-private partnerships in a dynamic and challenging global ecosystem. 

Other federal law enforcement agencies have rejected such an approach, most recently regarding ransomware payments. The fragmented and uncoordinated liability landscape and conflicting standards for cyber victims are emerging as one of the greatest threats to the cyber ecosystem and need to be addressed urgently.

The SEC’s complaint also seems counter to the spirit of many recent cyber laws and initiatives established by Congress and the Administration, which were carefully crafted to engender trust and facilitate public-private partnerships, and which build on decades of prior effort.

Recent examples include:


  • The Cyber Incident Reporting for Critical Infrastructure Act of 2022.


  • President Biden’s Cyber Executive Order 14028, including carefully coordinated sector-specific “sprints” for incident reporting and cyber governance requirements.


  • The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative (JCDC) and other efforts to cultivate public-private collaborations for information sharing, including the Information Sharing and Analysis Centers (ISACs).

Personally targeting the CISO undermines the SEC’s ability to achieve effective collaboration with industry and sector risk management agencies. Unfortunately, this was not unforeseen. In the years leading up to the SEC Cyber Rule on Risk Management, Strategy, Governance and Incident Disclosure, industry and even some in the Administration raised concerns. Many questioned the wisdom of pursuing stringent regulatory actions while best practices around cyber disclosure and incident reporting are still evolving. Others raised security concerns associated with premature disclosure of vulnerabilities.   


Unless something is done to counter the uncertainty in the cyber liability domain and unfortunate legal precedents that engage in victim-blaming, the U.S. will only regress in cybersecurity efforts to date and ultimately undermine our own national and economic security.

Join Us.


Government policies should be coordinated and developed in collaboration with private sector experts. Better solutions are possible when our best experts have input. Join us as we establish a coalition to pursue thoughtful liability protections and cyber governance standards. We will work with Congress, the White House, and relevant agencies to develop solutions and guardrails that protect public and private company CISOs and all cybersecurity professionals from being singled out and targeted when they act in good faith. 


To accomplish this important work, Modern Fortis is spearheading Secure Policy, a coalition of individual CISOs, concerned executives, companies, litigators, non-profits, and allied organizations committed to real change in federal policies that understand and respect the real-world cyber challenges in a modern digital ecosystem.


Led by Modern Fortis, Secure Policy is working with world-renowned legal experts Andrew Goldstein of Cooley LLP and Freshfields’ Timothy Howard on a CISO-centric amicus with consideration for the needs of the global cybersecurity apparatus. The Modern Fortis-Secure Policy amicus will stand in support of CISOs, private companies, and the global cybersecurity ecosystem on the SolarWinds matter.

 

But the Modern Fortis-Secure Policy amicus is just the beginning of our journey to build better and safer federal cybersecurity policy. Progress will require a cross-sector, collaborative approach with experts in multiple fields to craft sound policies and systems that incentivize and lead an ecosystem with better cyber outcomes. Secure Policy will work to deliver legislative and regulatory changes that promote thoughtful cyber regulatory harmonization, corporate governance controls, and tax / investment policies that work with law enforcement, national security, and regulatory needs.

Modern Fortis is proud to partner with our colleagues in cybersecurity and technology to leverage our lobbying firm's unique experience, relationships, and reach on Capitol Hill and beyond.

Join Secure Policy

The Secure Policy coalition is a program owned and operated by Modern Fortis LLC. Some services, actions, or products may be provided by outside experts, third parties, or through collaboration with other organizations at the discretion and direction of Modern Fortis and/or their designee.


Modern Fortis-Secure Policy Coalition Inquiries


Joseph Cameron

CEO

Modern Fortis

(774) 306 - 1300

joe@modernfortis.com


Modern Fortis-Secure Policy Amicus Co-Signer Inquiries


Margo Klosterman

Partner

Modern Fortis

(202) 680 - 9325

margo@modernfortis.com

