In Cybersecurity Law Report, Ed McNicholas Comments on Mitigating CISO Personal Liability

In The News
February 14, 2024

In an article for Cybersecurity Law Report, data, privacy & cybersecurity co-head Ed McNicholas discussed the SEC’s new cybersecurity disclosure requirements, the SEC’s charges against software company SolarWinds, and the increasing risk of personal liability for CISOs.

The Russia-led cyberattack against SolarWinds, which began in 2019 and was discovered in December 2020, was perhaps the most sophisticated nation-state supply-chain attack on record. On October 30, 2023, the SEC charged SolarWinds and Timothy Brown, the company’s then vice president of security and architecture and later its CISO, with allegedly defrauding investors and depriving them of material information “by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”

“Is the standard of care really that any company is supposed to stop a state-sponsored attack?” said Ed.

The SEC also relied on SolarWinds’ own candid internal communications about its cybersecurity risks and vulnerabilities, alleging on that basis that the company “experienced lapses … and could not provide reasonable assurances that its most valuable assets were adequately protected.”

Ed noted that the whole culture of IT security relies on information sharing, and that the SEC’s allegations could have a widespread chilling effect if CISOs begin to fear that the SEC will read their internal information-sharing communications as evidence of wrongdoing.

Ropes & Gray currently represents the former CEO of SolarWinds in various state AG, congressional, and federal investigations.