SolarWinds Boardroom Lacked Awareness
Digital Directors Networks’ Robert Zukis said SolarWinds’ boardroom accountability for cyber risk oversight was “very atypical.” That’s because the board’s governance committee was tasked with overseeing cybersecurity risk.
“We gleaned all of this from public disclosure information, and as you dig into that, you start to see some interesting anomalies and disparities in how they were approaching this issue,” he said. “For one, that’s not a stated responsibility within the charter.”
Overall, the board was “fairly shallow” when it comes to cybersecurity skills and capabilities, Zukis said.
“If you look at their risk factor disclosures, how they’re understanding risk, they weren’t bad actually,” he said. “They talked about nation-state issues and third parties. They were fairly comprehensive in terms of how we assess these against our framework. But you have to question whether they were, frankly, dialing it in around these issues.”
Based on the actions taken after the breach, “I think it’s an admission on their part that maybe they weren’t doing enough at the governance level to truly do the work of oversight,” Zukis said.
“This is a critical control point,” he said. “You need people in the boardroom that understand these issues. The board has to be organized effectively and you have to understand risk in the right way.”