On October 30, 2023, a new chapter in cybersecurity enforcement was initiated as the U.S. Securities and Exchange Commission (SEC) filed a notable legal action against SolarWinds Corp. and the company’s Chief Information Security Officer (CISO), Timothy Brown. This is the latest example of how the regulatory environment surrounding cybersecurity is heating up.
The SEC’s lawsuit against SolarWinds alleges contraventions of the antifraud stipulations within federal securities law, an action predicated on the defendant’s alleged violations of the scienter-based antifraud provisions. Furthermore, the SEC also highlights numerous purported failures relating to the company’s internal controls, mainly about the firm’s statements and disclosures about its cybersecurity infrastructure.
This ongoing case signifies that the boundaries of cybersecurity regulation continue to expand, potentially impacting organizations across various industry sectors. It serves as a reminder to corporations and their legal teams that the issue of cybersecurity is very much alive in the eyes of regulators, and failure to maintain, update, and transparently disclose effective cybersecurity measures may possibly lead to punitive legal actions.
With this latest action, the SEC is conveying a clear message to businesses that robust and transparent cybersecurity practices are no longer a choice, but a necessity in today’s digitally connected world. Legal professionals and companies are therefore advised to review their digital safety mechanisms and ensure that their practices align with regulatory expectations.
For more detailed analysis and specifics of the enforcement action, refer to Holland & Knight’s coverage on JD Supra.