Takeaways from the Dismissal of Most of the Government’s Case Against the SolarWinds CISO
The case against SolarWinds was brought by the Securities and Exchange Commission (SEC), a government agency that has interpreted its authority to regulate publicly traded companies broadly. The court disagreed with the SEC’s use of that authority in key respects and dismissed the allegations that statements in SolarWinds’ press releases, blog posts, podcasts, and certain SEC filings misrepresented the company’s cybersecurity risks and controls.
The most noteworthy part of the court’s ruling, and one that is likely to be appealed, is that the SEC does not have legal authority to regulate a company’s security resilience (as distinct from the company’s disclosures). The SEC’s oversight of a company’s internal accounting controls does not, in the court’s view, extend to cybersecurity practices. If the ruling is upheld on appeal, it may result in significant limits to the SEC’s enforcement authority.
The court allowed the government to proceed to trial on a single claim: the allegation that the statements about access controls and password practices in SolarWinds’ public security statement were materially misleading, and by a “wide margin.”
Here are some other takeaways from the ruling:
- Companies are still required to implement programs with adequate cybersecurity resilience. While this court rejected the SEC’s authority to regulate this resilience, the SEC’s likely appeal may result in a different outcome, and inadequate security controls could lead to legal action under other regulations.
- The claim that will go to trial rests on alleged inconsistencies between how the internal security team described the company’s security posture and the public statements that investors reasonably rely on, such as trust or security statements. The practical lesson is that a public security statement should be checked against what internal assessments actually say, because the government may bring an enforcement action if it believes public statements misrepresent a company’s true security posture.
- Though the court dismissed many charges, the SEC’s requirements that public companies disclose material cybersecurity incidents, as well as material security governance and strategy information, remain in place. Companies should continue to ensure they have processes in place to assess materiality and disclose material information related to cybersecurity to investors.
No matter how aggressively the government intends to investigate and enforce adequate security controls, companies will always benefit from managing cybersecurity threats and proactively reducing risk.