CLS Blue Sky Blog

Skadden Discusses What SEC’s SolarWinds Complaint Means for Boards, Information Security Officers

On October 30, 2023, the SEC filed a litigated complaint against SolarWinds, a software development company, and Timothy Brown, its chief information security officer (CISO). The SEC alleges that from October 2018, when SolarWinds went public, to January 2021, SolarWinds and Brown made materially misleading statements and omissions about the company’s cybersecurity practices and risks in public disclosures, which the SEC claims ultimately led to a drop in SolarWinds’ stock following the later disclosure of a large-scale cybersecurity attack known as SUNBURST.

Specifically, the complaint alleges that SolarWinds and Brown inaccurately claimed on a website security statement that the company followed cybersecurity standards like the National Institute of Standards and Technology Cybersecurity Framework (NIST framework), used Secure Development Lifecycle (SDL) practices, enforced strong password policies and maintained adequate access controls. Further, the SEC alleges that SolarWinds’s periodic filings included generic and hypothetical cybersecurity risk statements that failed to address known risks. Finally, the SEC alleges that, at the time of drafting the Form 8-K filed on December 14, 2020, disclosing the SUNBURST cybersecurity incident, SolarWinds and Brown knew of several confirmed attacks against customers, yet drafted the 8-K to frame the vulnerability as hypothetical.

The SEC also accused SolarWinds of having deficient cybersecurity controls and known vulnerabilities that left its systems susceptible to attack. Internal documents allegedly warned about these cybersecurity gaps, but the company’s statements purportedly concealed cybersecurity failings that were then exploited in the SUNBURST cyberattack in late 2020 and impacted Orion software used by thousands of SolarWinds customers. Before the attack, SolarWinds and Brown purportedly knew about vulnerabilities and attacks involving Orion, but they were not disclosed.

The SEC’s complaint charges SolarWinds and Brown with direct anti-fraud violations for alleged misstatements as well as direct and secondary liability against them for internal controls violations. This case marks a significant precedent, as it is the first instance where the SEC charged a CISO with fraud, representing a profound departure from its traditional focus on officers with explicit accounting and disclosure duties and SEC reporting expertise. This unprecedented action highlights the increasing importance of cybersecurity in the realm of federal securities law and underscores the gravity of the role CISOs play in the accurate representation of a company’s cyber health. The SEC’s complaint seeks not only corrective actions but also significant penalties, including injunctions, the return of ill-gotten gains and a prohibition on Brown serving as an officer or director in any public company, reflecting the severity with which the agency views these alleged infractions.

What CISOs Need To Know

The SEC’s complaint names Brown individually and serves as a stark reminder to CISOs about the consequences of public and internal statements regarding cybersecurity practices and risks. The complaint highlights the expectation for CISOs to provide accurate representations of their company’s cybersecurity posture both internally and in public disclosures. The SEC’s detailed complaint against Brown provides insight into the specific practices that CISOs should keep in mind:

The SEC’s focus on the accuracy of cybersecurity-related statements made by CISOs emphasizes the critical role they play in a company’s compliance with federal securities laws. CISOs must ensure that there is no significant disconnect between what is being communicated publicly and the actual cybersecurity challenges the company faces. The increasing trend of regulatory scrutiny over such matters makes it essential for CISOs to adopt a proactive approach to their company’s cybersecurity disclosures. For more insights on this topic, see our November 3, 2023, client alert “Private Equity CISO Fireside Chat — Cybersecurity Leadership in the Age of Generative AI.”

What the Board and Senior Executives Need To Know

The SEC’s complaint against SolarWinds, along with previously filed SEC actions, places increased emphasis on the responsibility of boards to ensure accuracy and integrity in cybersecurity disclosures:

Boards are encouraged to reexamine their disclosure practices and ensure that the company’s public statements are accurate reflections of its internal situation. The board should work closely with the CISO and legal and compliance teams to develop a clear and defensible reporting strategy that considers the actual status of cybersecurity risks and incidents. The SEC’s actions in the SolarWinds case and others serve as a clear warning that inaccuracies or mischaracterizations in such disclosures can lead to significant legal and reputational repercussions.

This post comes to us from Skadden, Arps, Slate, Meagher & Flom LLP. It is based on the firm’s memorandum, “What Does the SEC’s Complaint Against SolarWinds Mean for CISOs and Boards?” dated November 3, 2023, and available here.