In October 2023, the Securities and Exchange Commission (SEC) laid charges against SolarWinds Corporation and its chief information security officer (CISO). The charges allege fraud and control failures relating to cybersecurity vulnerabilities that resulted in a cyberattack from 2018 to at least 2020.

This development continues the trend of increasing risk of liability for directors and officers in relation to cybersecurity risk, and demonstrates the focus of financial regulators on cyber risk mitigation, disclosure and governance.

Facts of the lawsuit

SolarWinds was hacked by a group with alleged ties to Russian intelligence in a sustained cyberattack. Because SolarWinds is a major software vendor, the cyberattack impacted a slew of organizations with which it does business—including U.S. government agencies.

While SolarWinds disclosed generic and hypothetical risks, the SEC is seeking to hold the company and its CISO responsible for failing to disclose specific known cyber risks, thus overstating its cybersecurity posture and misleading investors. The SEC's position is that accurate analysis of a company's cyber controls is material information to investors. Regarding personal liability, the SEC alleges that the CISO was aware of the vulnerabilities but failed to resolve them or escalate the risks internally.

The SEC charged the company with violations of the Securities Act of 1933 and the Securities Exchange Act of 1934 (the Exchange Act), and the CISO with aiding and abetting the company's conduct. The SEC is seeking both disgorgement of company profits and civil penalties, as well as a bar against the CISO serving as an officer or director of other companies.

This enforcement action follows a securities class action arising from the drop in stock price after the cyberattack was disclosed in 2020. That litigation was settled for US$26 million in 2022. SolarWinds publicly disclosed that its insurance covered the litigation settlement costs.

Analysis and impact

This enforcement action is consistent with the SEC's recently adopted rules on cybersecurity disclosure obligations. Effective September 2023, the SEC requires U.S. public companies to 1) disclose material cybersecurity incidents and 2) periodically disclose the company's risk assessment and mitigation processes, including management's role and the board's oversight of this process.

The SolarWinds case emphasizes the importance of ongoing attention to cyber risk by management and boards in both the U.S. and Canada. Companies must continue to 1) allocate sufficient resources to cybersecurity assessment, threat monitoring and improvement; 2) report candidly on weaknesses and mitigation strategies to the C-suite and board; and 3) regularly update disclosure of their cybersecurity posture to be current, specific to the company, sector and industry, and balanced.

General counsel should be prepared for CISOs, other officers and directors to ask questions about their duties and personal liability risks. Supporting them could involve refresher trainings on internal procedures, fiduciary and other duties, or insurance resources. There may even be a role for separate counsel if they have concerns about personal liability.

The lawsuits are also reminders to regularly review insurance coverage to ensure that D&O and cyber policies adequately address the costs of consumer and shareholder class actions as well as regulatory enforcement proceedings.

Throughout this risk assessment and mitigation process and oversight, companies should be mindful of both internal vulnerabilities and those posed by cyberattacks on vendors and supply-chain partners, and ensure their third-party risk management strategy aligns with their cybersecurity risk and governance framework.
