SEC Charges SolarWinds and CISO with Fraud: Crucial Cybersecurity Lessons for Corporations & Legal Teams

In an extraordinary development that has caught the attention of global law firms and multinational corporations alike, the Securities and Exchange Commission (SEC) has brought fraud and internal controls charges against software company SolarWinds Corporation and its Chief Information Security Officer, Timothy G. Brown. At the crux of this case is a large-scale breach of SolarWinds’ network monitoring software system, Orion, in 2020, and this litigation forms one of the most high-profile actions undertaken by the SEC in recent times.

This direct action of the SEC against a C-level executive adds a new dimension to the customary course of cyber breach responses. The question arises: How can other corporations and their legal teams learn from this? What are the key takeaways from this episode that might guide law professionals and C-suite officers?

First, this case highlights how critical it is that companies, large and small, have rigorous cybersecurity strategies in place. Moreover, complete and timely disclosure of any breaches is not optional but a legal obligation. According to the SEC, SolarWinds and its CISO failed to provide complete and accurate information in their SEC filings, internal documentation, and communications to auditors and shareholders.

Second, corporations need to understand that the role of a C-level executive in cybersecurity is not only a strategic one, but is also tied to legal accountability for any lapses in security protocols. In the case at hand, the litigation has focused particularly on the CISO’s responsibility for allegedly making false statements to auditors and the SEC.

Based on this case, auditors and law firms should also be prepared to dig deeper when scrutinizing a company’s cybersecurity policies. A lack of transparency could end up raising red flags during audit processes, potentially leading to litigation if inconsistencies or inaccuracies are found.

Lastly, corporations should be ready to review and revise their cybersecurity strategies on an ongoing basis. This is not limited to just updating the technology, but also involves engaging and educating the workforce about the corporation’s cybersecurity policies, potential risks, and mitigation plans.

This case serves as a stark reminder to corporations of the repercussions of not adhering to their legal and ethical obligations when dealing with cybersecurity issues. The role of the CISO is poised to become more significant as law firms, corporations and the SEC continue to deliberate on these matters of cybersecurity breaches and disclosures.
