Wall Street building in downtown New York City showing SEC investigation on SolarWinds and cybersecurity disclosures

What the SEC’s Investigation of SolarWinds Means for CISOs and Cybersecurity Disclosures

On June 23, 2023, the information security software company SolarWinds disclosed that certain executives, including Chief Financial Officer (“CFO”) J. Barton Kalsu and Chief Information Security Officer (“CISO”) Tim Brown, had been issued Wells Notices by the U.S. Securities and Exchange Commission (“SEC”) concerning potential securities violations allegedly related to a 2020 data breach.  This followed the SEC issuing a Wells Notice to SolarWinds itself concerning the same breach.

In December 2020, SolarWinds revealed that the Russian Foreign Intelligence Service (“FIS”) had injected a malicious code into SolarWinds’s “Orion” software, which enabled the FIS to use SolarWinds’s software updates to access data from companies and government agencies that used the Orion software.  After this breach, many Orion users evaluated the breach’s impacts on their operations and the security of their data.  The SEC sent information requests to many of these companies.  In issuing Wells Notices, the SEC’s Enforcement Division is informing SolarWinds, its CFO and its CISO that it is prepared to recommend charges to the Commission and that the Wells process offers each Notice recipient an opportunity to explain to the Commission why the recipient should not be charged.

This appears to be the first time that the SEC has sent a Wells Notice to a CISO.  While novel, this Wells Notice furthers the SEC’s recent enforcement and rulemaking focus on meaningful and timely cybersecurity-related disclosures, as well as holding individual liable for their roles in company violations.

Increased regulatory focus on cybersecurity disclosure

In June 2021, the SEC charged another public company, real estate settlement services provider First American Financial, based on its inadequate disclosures about its controls and procedures after suffering a cyberattack.  In violation of Exchange Act Rule 13a-15(a) (17 C.F.R. § 240.13a-15), the company did not disclose that a prior internal report had identified vulnerabilities in the attacked application, and the SEC’s investigation determined that senior executives were unaware of this report prior to filing the Form 8-K about the attack.  No individuals were charged.

In addition to such enforcement actions, the agency is also advancing new disclosure requirements for public companies like SolarWinds that specifically address cybersecurity risks and incidents.  As discussed in a previous client alert, in March 2022, the SEC proposed new rules that, if adopted, would require public companies to report material cybersecurity incidents and impose periodic disclosure requirements concerning cybersecurity incidents, risk management and governance, among other issues.  These proposed rules are consistent with the SEC’s similar proposals, which have been reopened for public comment, to revise cybersecurity-related reporting obligations for investment advisors and funds.

Enforcement trend of charging individuals

As the SEC has focused on enhancing its rulemaking and pursuing enforcement actions in this area, the agency has increasingly aimed to hold individuals accountable for their alleged roles in company misconduct.[1]  Among other things, the SEC has used Section 304 of the Sarbanes-Oxley Act to require current and former employees to return bonuses and other compensation to the company in connection with charges against their company, even if the individuals themselves were not personally charged with misconduct.[2]  Relatedly, the SEC has charged Chief Compliance Officers when the agency has alleged that those individuals have had substantial involvement in the company’s alleged securities violations.  For instance, on June 30, 2022, the SEC filed a settled action against Hamilton Investment Counsel, LLC and its chief compliance officer, whom the SEC had charged with aiding and abetting the company’s failures to adopt and implement policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules.

Neither SolarWinds nor its executives have disclosed what potential securities violations the SEC is considering charging Brown, the CISO, but SolarWinds has asserted that its own “disclosures, public statements, controls and procedures were appropriate.”

Takeaways for CISOs

In sending a Wells Notice to SolarWinds’s CISO, the SEC has put CISOs generally on high alert that the agency is focused on how such professionals may be involved in company missteps concerning cybersecurity issues.  Managing cybersecurity at a large company often involves multiple layers of personnel involved in different aspects of complex processes, and the SEC may face challenges in investigating, and possibly charging, future CISOs.  CISOs and their companies—working with counsel—should take care to design processes to detect cyber incidents and have appropriate governance around evaluating and escalating them, so that the people who are responsible for making disclosure decisions can receive timely and accurate information.

As illustrated by the First American Financial case, it is imperative that an incident response plan includes up-the-ladder reporting so that senior company personnel can effectively evaluate incidents and make appropriate disclosures.  Employees should promptly report cyber incidents to the company’s disclosure committee to facilitate timely and effective disclosure assessments.  Moreover, companies and their CISOs should ensure that there is sufficient Board oversight of mission-critical risks—particularly considering the SEC’s proposed rules to mandate enhanced disclosures about the Board’s role in overseeing a company’s cybersecurity risk.

  • [1] In FY 2022, more than two-thirds of the SEC’s stand-alone enforcement actions involved at least one individual defendant or respondent, although many of these included no allegations of company wrongdoing.
    [2] For example, the SEC charged an infrastructure company and former executive with financial reporting fraud on August 25, 2022.  In separate administrative proceedings, the company’s former CEO and CFOs agreed to return nearly $2 million in bonuses and compensation to the company pursuant to Section 304.  Similarly, on June 7, 2022, the SEC charged a software company and senior employees with accounting-related misconduct, and the company’s founder and former CEO agreed to reimburse the company for more than $1.3 million in stock sale profits and bonuses, and to return previously granted shares of company stock pursuant to Section 304.