In October 2023, the Securities and Exchange Commission (SEC) laid charges against SolarWinds Corporation and its chief information security officer (CISO). The charges allege fraud and control failures relating to cybersecurity vulnerabilities that resulted in a cyberattack from 2018 to at least 2020.
This development continues the trend of increasing risk of liability for directors and officers in relation to cybersecurity risk, and demonstrates the focus of financial regulators on cyber risk mitigation, disclosure and governance.
SolarWinds was hacked by a group with alleged ties to Russian intelligence in a sustained cyberattack. Because SolarWinds is a major software vendor, the cyberattack impacted corporate and government clients.
While SolarWinds disclosed generic and hypothetical risks, the SEC is seeking to hold the company and its CISO responsible for failing to disclose specific known cyber risks, thus overstating its cybersecurity posture and misleading investors. The SEC’s position is that accurate analysis of a company’s cyber controls is material information to investors. Regarding personal liability, the SEC alleges that the CISO was aware of the vulnerabilities but failed to resolve them or escalate the risks internally.
The SEC charged the company with violations of the Securities Act of 1933 and the Securities Exchange Act of 1934 (the Exchange Act), and the CISO with aiding and abetting the company’s conduct. The SEC is seeking disgorgement of company profits and civil penalties, as well as a bar against the CISO serving as an officer or director of other companies.
This enforcement action follows a securities class action arising from the drop in stock price after the cyberattack was disclosed in 2020. That litigation was settled for US$26 million in 2022. SolarWinds publicly disclosed that its insurance covered the litigation settlement costs.
This enforcement action is consistent with the SEC’s recently adopted rules on cybersecurity disclosure obligations. Effective September 2023, the SEC requires U.S. public companies to 1) disclose material cybersecurity incidents and 2) periodically disclose the company’s risk assessment and mitigation processes, including management’s role and the board’s oversight of this process.
The SolarWinds case emphasizes the importance of ongoing attention to cyber risk by management and boards in both the U.S. and Canada. Companies must continue to 1) allocate sufficient resources to cybersecurity assessment, threat monitoring and improvement; 2) report candidly on weaknesses and mitigation strategies to the C-suite and board; and 3) regularly update disclosure of their cybersecurity posture to be current, specific to the company, sector and industry, and balanced.
General counsel should be prepared for CISOs, other officers and directors to ask questions about their duties and personal liability risks. Supporting them could involve refresher trainings on internal procedures, fiduciary and other duties, or insurance resources. There may even be a role for separate counsel if they have concerns about personal liability.
The lawsuits are also reminders to regularly review insurance coverage to ensure that D&O and cyber policies adequately address the costs of consumer and shareholder class actions as well as regulatory enforcement proceedings.
Throughout this risk assessment and mitigation process and oversight, companies should be mindful of both internal vulnerabilities and those posed by cyberattacks on vendors and supply-chain partners, and ensure their third-party risk management strategy aligns with their cybersecurity risk and governance framework.
© 2024 by Torys LLP.
All rights reserved.