SEC Turning Up the Heat: SolarWinds and Its CISO Charged with Fraud Regarding Cyber-related Disclosures


Key Takeaways


  • With the SolarWinds enforcement action, the SEC continues to ratchet up its enforcement against companies that fail to properly disclose their cybersecurity incidents and risks.

  • By naming the SolarWinds CISO as a defendant, the SEC is reaching further down the executive chain of command than normally is the case and seeking individual liability against a corporate technical expert to send a stronger deterrent message.

  • The fact that SolarWinds had numerous federal government agencies as customers of its software and those agencies were impacted by the massive cyberattack may be part of the explanation for the SEC’s decision to bring an enforcement action against SolarWinds and its CISO.

Background: The SEC’s Increased Focus on Cybersecurity


    On October 30, 2023, the United States Securities and Exchange Commission (SEC) announced charges against SolarWinds, an Austin-based technology company that provides customers with network monitoring software, and Timothy Brown, SolarWinds’ Chief Information Security Officer (CISO), for fraud and internal control failures relating to known cybersecurity risks. Those risks culminated in a nearly two-year-long cyberattack against SolarWinds and some of its customers, including federal and state government agencies, that was first disclosed to the public in December 2020.


    The charges are the latest development in a recent string of SEC activity targeting cybersecurity risks and disclosure policies on both the rulemaking and enforcement fronts. Following a keynote address made at the outset of 2022 by SEC Chair Gary Gensler that harped on the agency’s increased focus on cyber issues in light of the increasing risk of cyberattacks, the SEC proposed two new cybersecurity rules: one aimed at public companies, and