SEC Hits SolarWinds and CISO with Investor Fraud Suit Over Cybersecurity

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

In a first, bold move by the Securities and Exchange Commission (SEC) following its new Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, issued on July 26, 2023, this week, the SEC filed suit against SolarWinds and its Chief Information Security Officer (CISO) alleging that SolarWinds and its CISO for years “ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company…and engaged in a campaign to paint a false picture” of its “cyber controls environment thereby depriving investors of accurate material information.”

The complaint against SolarWinds and its CISO outlines in detail internal statements made by SolarWinds and its CISO in emails, instant messages and presentations about SolarWinds’ security flaws and deficiencies.

The complaint should be a wake-up call to all public companies that the SEC is serious about holding executives responsible for following its cybersecurity guidelines and shoring up cybersecurity deficiencies. It is also a textbook case of how internal communications can, and will, be used by regulators and litigators to bolster a case, whether those communications are believed to be taken out of context or not. Internal communications like “Even if we start to hire like crazy, which we will most likely not, it will still take years. Can’t really figure out how to unf**ck this situation. Not good” will never be read in the most favorable light to the defendant.

Statement from SolarWinds spokesperson:

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments. The truth of the matter is that SolarWinds maintained appropriate cyber security controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats.”

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide