In a groundbreaking decision, the U.S. Securities and Exchange Commission (SEC) recently charged SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown, with fraud and internal control failures regarding known cybersecurity vulnerabilities. This represents not only the first instance of the SEC pursuing cybersecurity-related civil fraud claims against a public company, but the first formal action by the SEC against a CISO in particular.
According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, SolarWinds and Brown “engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
Traditionally, the SEC’s primary role has been to regulate the financial aspects of publicly traded companies. In recent years, the agency has increasingly expanded that mandate to include a focus on cybersecurity. The complaint against SolarWinds and Brown exemplifies the SEC’s recognition of the critical role that robust cybersecurity practices play in protecting investors and maintaining the integrity of financial markets.
Here are the most important things to know about what the SEC’s SolarWinds suit means for public companies:
One of the most significant implications of this legal action is that it holds a CISO accountable for cybersecurity failures within their organization. Until now, CISOs have generally been insulated from legal repercussions in the event of breaches; with roles that primarily revolve around implementing cybersecurity measures and advising on best practices, risk is an acknowledged part of the job.
Launch Cybersecurity Studio Director Creighton Adams cautions against the “moral hazard” that comes with that immunity. “Information asymmetry, where one party has more information for decision-making than another in an agent-principal relationship, compounds risk,” he says. Brown, he contends, had more information at hand than SolarWinds shareholders, and he “went the path of profit versus the path of community protection.”
In a word, Brown is culpable for the risks unknowingly assumed by shareholders. Indeed, the SEC’s lawsuit against him signals that CISOs can now be held personally responsible if they fail to adequately protect their organizations from cyber threats.
What does that mean for other public businesses? It means they must ensure their CISOs are equipped to handle the complex landscape of cybersecurity risks in an ecosystem that’s more connected than ever. This includes not only having technical knowledge, but also understanding the tightening legal and regulatory implications of their decisions.
The SEC’s decision to pursue civil fraud claims against SolarWinds puts all public companies on notice: the accuracy and transparency of cybersecurity disclosures are now under heightened scrutiny.
Organizations must ensure that their cybersecurity disclosures are not only comprehensive, but also reflect their true cybersecurity posture. Misrepresenting or downplaying cybersecurity risks can have serious legal ramifications, including substantial monetary fines for a company or, as in this case, personal consequences like fraud charges or imprisonment for key individuals involved.
In the free market, full disclosure is imperative. Shareholders and regulators expect these large companies to prioritize transparency and accuracy in their cybersecurity reporting. Cybersecurity teams and CISOs must collaborate closely with legal and compliance departments to ensure that their disclosures align with regulatory requirements and accurately portray the organization’s cybersecurity efforts.
Additionally, company leadership should ensure that policies are not only accurate and applicable, but enforced within the wider ecosystem that supports the company.
The charges against SolarWinds and Brown make it clear: regulatory agencies are watching, and that means robust cybersecurity governance and oversight within an organization are more critical than ever. The SEC filing “highlights the importance of companies’ executives taking a proactive approach to managing cybersecurity risks with investors,” says Mike, alongside actively engaging with cybersecurity matters and exercising due diligence in their oversight responsibilities.
Moreover, it creates legal precedent for future judgments involving companies and their CISOs—which, as Creighton points out, is really a useful opportunity for any organization. With citable action from court proceedings, he says, “the business community as a whole will know exactly what they should be doing to support their respective industry as it pertains to digital systems.”
This clarity will be a net benefit of the SolarWinds suit in an industry that’s evolving at the pace of technology. New threats—including AI-enabled cyberattacks—continually create new scenarios and grey areas that test not only a business’s cyber defenses, but also its disclosure decisions and limits. In the interim, clear policies, procedures, and oversight mechanisms to effectively manage and disclose cybersecurity risks must remain a top priority.
Ultimately, this watershed moment represents a fundamental shift in the way that regulatory agencies like the SEC handle cybersecurity concerns. The lawsuit emphasizes the importance of accountability, transparency, and governance for SolarWinds and any publicly traded (or, for that matter, private) company.
As cyber threats evolve, the SEC is leading the way for regulators to take a more active stance in holding organizations accountable for their cybersecurity practices. Safeguarding digital assets is critical not only for organizational health, but for market and shareholder trust as well. Building a robust cybersecurity strategy is not easy, but it is essential to protect investors, maintain market integrity, and avoid legal pitfalls—both for the company and for its employees.
At Launch, we're here to help enhance your cybersecurity risk disclosure practices. We offer best-in-class cyber engineering practices, honed through extensive market experience, for enterprise architecture and enterprise systems across your entire service portfolio, all with efficiency in mind.
So, the next step is yours. How will you take your next step down the path in protecting your business? If you'd like an expert hand to help, take our Future State of Cybersecurity Workshop. Sit down with the sharpest minds in security, cloud, and strategy for an interactive working session, and start readying yourself to race down that road.