
SEC’s Legal Notice to SolarWinds Executives: Accountability in Cybersecurity

Joao Correia

July 13, 2023 - Technical Evangelist

In a move that has sent shockwaves through the cybersecurity industry, the US Securities and Exchange Commission (SEC) has issued Wells Notices to executives of SolarWinds, a leading provider of IT management software. The notices are in connection with the company’s response to the 2020 cyberattack on its infrastructure, which had far-reaching impacts on thousands of customers, including government agencies and companies worldwide.


The Wells Notices, received by current and former employees and officers of SolarWinds, including the CFO and CISO, indicate that the SEC staff has made a preliminary determination to recommend filing a civil enforcement action against the recipients. The allegations pertain to violations of certain provisions of the U.S. federal securities laws, as stated in SolarWinds’ SEC filing.


While it is not a formal charge of wrongdoing or a final determination of law violation, a Wells Notice does signal potential legal action. If the SEC were to prevail in a lawsuit, the consequences could range from injunctions against future violations and civil monetary penalties to barring the individuals from serving as an officer or director of a public company.


SolarWinds, known for its network and applications monitoring platform Orion, fell victim to a cyberattack believed to be orchestrated by a threat actor affiliated with Russia. The attack involved distributing modified updates to the software’s users.


Actually, this is not the first Wells Notice sent on this matter. A previous one had been sent to SolarWinds itself, alleging violations of U.S. federal securities laws regarding cybersecurity disclosures, public statements, and internal controls. The action on this notice is still pending.


The SEC’s move to issue a Wells Notice to a CISO is unusual and could herald a new era of potential liabilities for cybersecurity professionals. Traditionally, such notices have been issued to CEOs or CFOs in cases of Ponzi schemes, accounting fraud, or market manipulation. A CISO could, however, potentially violate securities laws by failing to disclose material information, such as the severity of an incident, or by not disclosing it in a timely manner. That said, attributing blame solely to the CISO or CFO might not always be fair or accurate, as cybersecurity management often involves various stakeholders and departments.


The SEC’s actions may have been influenced by a variety of factors, including the specific circumstances of the case, the applicable legal frameworks, or demonstrated negligence, for example if the CISO failed to implement adequate security measures, neglected SEC policies, guidelines, and practices, or ignored known vulnerabilities.


SolarWinds, on its part, has stated that the attack, dubbed “Sunburst,” was a highly sophisticated and unforeseeable attack carried out by a global superpower using novel techniques. The company also warned that legal action against it and its employees could have a chilling effect on breach disclosures.


This situation echoes a similar case in Finland, where the ex-CEO of a psychotherapy clinic received a suspended prison sentence due to poor cybersecurity practices. The company had failed to adhere to GDPR requirements concerning the pseudonymization and encryption of patient data, leaving sensitive information vulnerable to theft and unauthorized access. The CEO and IT managers were aware of the security problems and the data breach but chose to conceal evidence related to the breaches and blackmail attempts instead of reporting the incident to the authorities.


In a throwback to other large investigations of the past, unrelated to IT: “it’s not the crime, it’s the cover-up.”


The SolarWinds case and the Finnish example underline the increasing importance of cybersecurity and the potential legal consequences of negligence in this area. They serve as a stark reminder to all companies and their executives that cybersecurity is not just a technical issue but a legal and ethical responsibility.


While it remains to be seen how this situation will unfold, it is clear that cybersecurity is no longer just an IT issue. It is a critical business risk that requires the attention and oversight of the highest levels of management. As the legal landscape continues to evolve, companies and their executives must stay informed and proactive in their approach to cybersecurity to avoid potential legal repercussions. The SEC’s action signals a shift towards greater accountability for cybersecurity professionals and highlights the potential legal consequences of failing to adequately protect against and respond to cyberattacks.


As the saying goes, “an ounce of prevention is worth a pound of cure.” In the context of cybersecurity, this means investing in robust security measures, fostering a culture of security awareness, and ensuring transparency and promptness in responding to incidents. These actions will not only help protect against cyber threats but also mitigate the risk of legal action in the event of a breach.


In the end, the goal should be to create a secure digital environment where businesses can thrive, and customers can trust that their data is safe. The SolarWinds case serves as a reminder of the high stakes involved and the need for continuous vigilance in the face of ever-evolving cyber threats.
