In an article for Cybersecurity Law Report, data, privacy & cybersecurity co-head Ed McNicholas discussed the SEC’s new cybersecurity disclosure requirements, the SEC’s charges against software company SolarWinds, and the increasing risk of personal liability for CISOs.
The historic Russia-led cyberattack against SolarWinds in 2019 was perhaps the most sophisticated and complex nation-state supply-chain attack in history. On October 30, 2023, the SEC charged SolarWinds and Timothy Brown, the company’s then vice president of security and architecture, for allegedly defrauding investors and depriving them of material information “by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”
“Is the standard of care really that any company is supposed to stop a state-sponsored attack?” said Ed.
The SEC also held that by being internally transparent about SolarWinds’ cybersecurity risks and vulnerabilities, the company “experienced lapses … and could not provide reasonable assurances that its most valuable assets were adequately protected.”
Ed noted that the whole culture of IT security relies on information sharing and that the SEC’s allegations could have a widespread chilling effect if CISOs start to fear the SEC will interpret their information-sharing communications as problematic.
Ropes & Gray currently represents the former CEO of SolarWinds in various state AG, congressional, and federal investigations.