
SEC’s Case Against SolarWinds’ CISO Establishes That Top Security Executives May Face Personal Liability for Cyberattacks

November 15, 2023

On October 30, the SEC announced charges against software company SolarWinds Corporation and its Chief Information Security Officer (“CISO”) for fraud and internal control failures, alleging that the company misled investors about its cybersecurity practices prior to a nearly two-year-long cyberattack that began in 2019. The SEC’s action against SolarWinds is not unlike previous actions brought against other companies in which the SEC alleged that protections against cybersecurity risks were inadequate. For example, in August 2021, the SEC alleged that Pearson plc misled investors by referring to a data breach as a hypothetical risk even though the company had already suffered an actual cyber intrusion.

However, it is the first time that the SEC has brought an enforcement action against an information security executive over their role in a company’s allegedly inadequate disclosures regarding cybersecurity risks. The SEC’s complaint is part of a growing effort by regulators to hold individuals accountable for cybersecurity lapses.

The SEC’s complaint alleges that, from October 2018 through December 2020, SolarWinds and its CISO defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. SolarWinds allegedly misled investors in its public disclosures by only identifying generic and hypothetical risks when the company and its CISO knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time. As the complaint alleges, these public statements were at odds with the company’s internal assessments, including a presentation by the CISO that stated the company’s security practices were in a “very vulnerable state.” The complaint also quoted the CISO’s internal communications acknowledging that the company’s “backends are not that resilient.” SolarWinds’ CEO has stated that SolarWinds will vigorously oppose the SEC’s action and that the company “maintained appropriate cybersecurity controls prior to” the cyberattack against the company.

The SEC also alleges that SolarWinds’ CISO was repeatedly made aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these failures, the company allegedly could not provide reasonable assurances that its assets were adequately protected. These allegations are not unlike the allegations raised against Blackbaud, Inc., in March of this year but, in that case, no Blackbaud employee faced any charges. SolarWinds’ CISO, like SolarWinds, is defending against the SEC’s lawsuit.

The SEC’s action against SolarWinds and its CISO comes as the agency prepares to enforce its new cybersecurity rules for publicly traded companies, which become effective this December. As discussed in a prior client alert, the rules require companies to disclose material cyber incidents within four business days of determining that an incident is material and to describe their cybersecurity risk management, strategy, and governance in annual reports. Experienced counsel can guide companies and their executives through these new SEC disclosure requirements, help to devise and implement effective internal accounting and disclosure controls, and, if it becomes necessary, defend against regulatory inquiries and actions.


This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sharon M. Bunzel, an O'Melveny partner licensed to practice law in California, Jorge deNeve, an O'Melveny partner licensed to practice law in California, Andrew J. Geist, an O'Melveny partner licensed to practice law in New York, Mia N. Gonzalez, an O'Melveny partner licensed to practice law in New York, Shelly Heyduk, an O'Melveny partner licensed to practice law in California, Michele Wein Layne, an O'Melveny of counsel licensed to practice law in California, Sid Mody, an O'Melveny partner licensed to practice law in Texas, Steven J. Olson, an O'Melveny partner licensed to practice law in California, Robert Plesnarski, an O'Melveny partner licensed to practice law in the District of Columbia and Pennsylvania, Damali A. Taylor, an O'Melveny partner licensed to practice law in California and New York, Jamie Quinn, an O'Melveny counsel licensed to practice law in California, Caroline K. Katz, an O'Melveny associate licensed to practice law in California, and Chloe K. Keedy, an O'Melveny associate licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.