SEC Targets SolarWinds CISO, Intensifying Scrutiny on Cybersecurity Disclosures

The U.S. Securities and Exchange Commission (SEC) is increasing its enforcement against companies that inadequately disclose their cybersecurity incidents and associated risks. A notable instance is SolarWinds and its Chief Information Security Officer (CISO), both of whom have been charged with fraud over improper cyber-related disclosures.

The significance of this case lies in the SEC extending its reach in a new direction. While a corporation's most senior leadership is commonly held accountable in such situations, action against lower ranks is less common. In this case, the SEC has gone further down the executive chain of command than is the norm.

Rather than focusing only on the corporation as a whole, the regulator has specifically named the SolarWinds CISO as a defendant, signaling its intention to seek individual liability against a corporate technical expert. This step appears intended to send a stronger and more clearly defined deterrent message.

This case is viewed as a clear illustration of the SEC steadily ratcheting up its enforcement around cybersecurity incidents and their incorrect or incomplete disclosure. With the regulator showing that it can bring enforcement actions against both a corporation and individual executives, it is now more important than ever for companies to ensure full and accurate disclosure of their cyber risks and security incidents.
