In a stinging rebuke of its attempted cybersecurity-related enforcement against a public company, a federal judge recently dismissed most of the charges that the U.S. Securities and Exchange Commission (SEC) had filed against SolarWinds Corporation and the company’s Chief Information Security Officer (CISO). The ruling is a remarkable setback for the SEC, but public companies and other regulated organizations should anticipate continued scrutiny from the SEC when it comes to cybersecurity.
The SolarWinds Case
In 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures related to allegedly known cybersecurity vulnerabilities. According to the SEC, the defendants overstated the company’s cybersecurity practices and understated the company’s cybersecurity risks. The defendants allegedly knew of specific deficiencies in the company’s cybersecurity program, and those deficiencies were exposed in December 2020 when the company announced that it was the victim of a massive cyberattack that spanned almost two years. Upon revealing the attack, SolarWinds’ stock dropped precipitously.
Federal Court Guts the SEC’s Case
Last month, the federal judge handling the SolarWinds case dismissed most of the SEC’s claims against the company and its CISO. Most importantly, the court rejected the SEC’s efforts to use the Securities Exchange Act of 1934’s internal accounting controls to support an enforcement action targeting a public company’s cybersecurity controls.
The SEC had alleged that, based on the company’s deficient cybersecurity program, SolarWinds failed to “devise and maintain a system of internal accounting controls.” This was the first instance where the SEC had brought an accounting control claim based on the defendant’s cybersecurity failings. The court found that the term “system of internal accounting controls” refers to a company’s financial accounting and does not encompass its cybersecurity systems. In addition to rejecting this claim, the court also rejected several others, leaving a small number remaining.
Key Takeaways
The SEC has increasingly sought to take a prominent role in cybersecurity. Several years ago, the agency issued guidance regarding public companies’ disclosure obligations related to cybersecurity incidents. And as recently as last year, the SEC issued a rule requiring timely disclosure of material cybersecurity incidents and annual disclosure of cybersecurity risk management, strategy, and governance.
The SEC has also promulgated rules related to cybersecurity policies and procedures for broker-dealers, investment companies, registered investment advisers, and other covered institutions. Our team has written about those policies and procedures in a separate post.
Further, prior to the order in the SolarWinds case (and as recently as June 2024), the SEC had settled enforcement actions against other public companies using the same internal accounting control theory that the SolarWinds judge rejected.
Against this backdrop, companies should consider the following takeaways:
- Although the SolarWinds ruling is a stinging loss for the SEC, the agency’s case against the company and its CISO will continue, albeit on narrowed grounds.
- The SEC remains very focused on cybersecurity enforcement and oversight for public companies, such as with the promulgation of the rule mandating disclosure of material cybersecurity incidents. Notably, that rule was not implicated in the SolarWinds case, given that the conduct at issue predated the rule’s effective date. Going forward, public companies should work with their legal advisors to comply with the SEC’s disclosure rule for public companies.
- Broker-dealers, investment companies, registered investment advisers, and other covered institutions can expect continued cybersecurity rulemaking and enforcement actions by the SEC. The SEC has made it clear that it views cybersecurity as a significant issue for these entities.
- As a result, companies and firms subject to SEC regulation should continue to invest in cybersecurity programs, develop cybersecurity policies and procedures (including incident response plans), and promptly investigate and respond to potential cybersecurity incidents. Working with trusted legal advisors on these steps can help strengthen the company’s cybersecurity program and mitigate risk.
This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and/or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect, special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites.