Each of the fined companies learned that it had been breached during the SolarWinds hack in 2020 or 2021. Each was found by the SEC to have negligently minimized its cybersecurity disclosures in ways that could mislead investors, although the SEC described each company's failure in somewhat different language.
ICE has been charged with causing nine of its subsidiaries in total, the NYSE included, to fall afoul of breach reporting requirements, because the parent company did not provide them with the information in a timely enough manner.
Updated federal guidelines emphasize transparency and swift action to safeguard organizations, stakeholders, customers, and their communities. As cybersecurity teams adjust to the government's latest directives, security leaders must prepare and ensure compliance with these new regulations.
To many, the new SEC rules that require public companies to disclose “material” cybersecurity incidents within four days of determining their materiality may seem like a challenging, if not unreasonable, demand. Companies should make it a priority to prepare incident response plans that will help them comply.
The SEC has been clear that proper risk management and timely cyber incident disclosures protect investors and other stakeholders. The regulators may make an example out of SolarWinds and its leadership at the time of the Orion incident to set the tone for the importance of software supply chain security.
This appears to be the first time that the SEC has sent a Wells Notice to a CISO. While novel, this Wells Notice furthers the SEC’s recent enforcement and rulemaking focus on meaningful and timely cybersecurity-related disclosures, as well as on holding individuals liable for their roles in company violations.