The U.S. Securities and Exchange Commission (SEC) has served Wells Notices to the CFO and CISO of SolarWinds, the technology company embroiled in controversy following a significant cyber breach in 2020. Commonly known as the “SolarWinds breach,” this incident has largely been identified as one of the most complicated cyberattacks ever recorded.
This move by the SEC brings the legal and reputational consequences of the breach firmly into the personal realm of these two executives, marking a critical development in increasing personal accountability for cybersecurity failings.
According to JD Supra, SolarWinds has been the focus of several investigations and lawsuits in the aftermath of the breach, including a class action lawsuit that saw the company agreeing to a $26 million settlement. As a reminder, Wells Notices are not formal charges or a finding of wrongdoing, but they are a significant step in the SEC’s enforcement procedure
The issuance of Wells Notices suggests that the SEC’s investigations have unearthed preliminary findings substantial enough to consider an enforcement action. It demonstrates the increasing importance of personal liability for top executives in maintaining robust cybersecurity measures. Legal professionals, particularly those providing counsel to C-suite executives in the technology sector, must take note of this development.
In the face of such high-profile cyber breaches, it’s crucial that corporate counsel ensures their clients are suitably prepared and compliant. Integrating sound cybersecurity practices is no longer an optional add-on but a fundamental component of modern corporate governance. With hefty financial settlements, regulatory scrutiny, and now the threat of personal liability hanging over executives’ heads, maintaining a strong cybersecurity posture is more critical than ever.