The SEC has been on a cybersecurity tear in 2023, instituting new rules on disclosures of cybersecurity events and threat assessments. But not wanting to let go of the past, it brought suit on October 30 in the Southern District of New York against SolarWinds and its Chief Information Security Officer, Timothy Brown. The SEC based the action on what it saw as mismatches between SolarWinds’ public disclosures and what the SEC saw in its investigation. The case certainly is a first in many ways: the first cybersecurity-related SEC case with allegations of intentional concealment, in which internal controls have figured prominently, and where SEC brought an action against the CISO personally. This has been blown up in data security media to suggest that CISO is somehow the most dangerous position in a corporation. In reality, this is not IT Armageddon, but there are some practical lessons.
Is this a black swan? Or a perfect storm?
The SolarWinds case is hardly guaranteed to set off a tidal wave of similar SEC actions. First, the SEC’s jurisdiction is limited to public companies. Given this and the finite resources of the Commission, this case may have been cherry-picked.
Second, it is difficult for regulators to ignore the scope of the SolarWinds SUNBURST data breach. The company provides network monitoring software to major enterprises as well as multiple government agencies. The SolarWinds breach—in which attackers caused the company to distribute compromised versions of SolarWinds Orion software—ran for more than a year before detection. It resulted in one of the three biggest supply-chain attacks in history. Per SEC, it hit almost 18,000 customers and 1,500 publicly traded companies. Given the compromise of government institutions (“A” according to the complaint—but impacted agencies are commonly thought to include the Department of Defense and the Justice Department), and what came out in the SEC investigation, the incident provides ample reason to “make a lesson” out of someone.
Third, this is a case where the individual charged had significant involvement in 14 cybersecurity-related disclosures that the SEC claimed were refuted by evidence from its investigation. The December 2020 8-K following the SolarWinds breach was just the last of these—and it piqued SEC’s interest in preceding ones. The SEC alleges there was an evidence trail demonstrating that (1) the CISO repeatedly communicated with management about security and control deficiencies even predating the IPO and did not act on them; (2) other employees made similar statements; and (3) the CISO effectively became a PR/shareholder relations flack for management by signing off on (and signing) disclosures (and certifications) that were… optimistic. Given this, the SEC’s pursuit of an individual is unsurprising. Although this is the first such SEC action, it is not the first time outward-facing statements by CISOs have caused legal trouble: in 2022, Uber’s former CEO was prosecuted and convicted for recharacterizing a ransomware payment as a “bug-finding fee.”
Finally, given SolarWinds’ business, system security and internal controls are especially crucial to the value of its products—and the company. This puts extra focus on the duties of an executive-level officer.
But what can we learn?
Even if they do not check all the boxes that aroused the ire of the SEC here, most businesses can learn something from this case. First, public companies have considerably less latitude in describing security incidents to their shareholders than would a private company describing one to its customers. And beyond that, SEC focused on the line between “less is more” and “opposite day.”
Second, even for private companies, the SEC case will focus attention on the quality of disclosures to owners and prospective purchasers. Here, the SEC cited SolarWinds for disclosures allegedly false in some instances and incomplete in others. Even where a securities law violation is not available, there could be state-law remedies.
Third, all companies should carefully consider internal communications regarding the state of data security in the company, particularly subjective descriptions. Though not all companies are subject to SEC investigations, these same types of communications can come out in civil litigation following the publication of a data breach.
Finally, the hard lesson for the CISO involved here is that being perceived as part of a coverup can have disastrous consequences.
- The SEC’s case against SolarWinds and its CISO is pathbreaking in the sense that it specifically calls out (and pursues) a CISO for distorting SEC disclosures.
- That said, its filing is based on several circumstances that, in combination, represent an unusual situation.
- Even though this suit is based on SEC disclosure principles, it could inspire shareholder suits in privately held companies, based on duties of care, loyalty, and good faith.