Is the SEC’s case against SolarWinds counterproductive?

Cooley LLP

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history? As described by NPR in 2021, the hack was “believed to be directed by the Russian intelligence service, the SVR,” which used a “routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.” It was estimated that 18,000 customers were affected, including some very well-known companies and about a dozen government agencies, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security.

The SEC filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” The gist of the complaint, as alleged by the SEC, is that many red flags emerged and incidents occurred, well known among company employees, that should have spurred the company and its CISO to take action to address serious cyber vulnerabilities, including vulnerabilities related to the company’s “crown jewel” assets. Instead, the SEC charged, the CISO “failed to resolve the issues or, at times, sufficiently raise them further within the company.” (See this PubCo post.) As discussed in this blogpost, Fatal Flaws in SEC’s Amended Complaint Against SolarWinds, from our White Collar Defense and Investigations group, this case has developed into a very high-stakes contest.

As described in the post, last month, a coalition of over fifty cybersecurity leaders and organizations from the business community, the software industry and former law enforcement joined an amicus brief calling for dismissal of the SEC’s amended complaint against SolarWinds and its CISO. The brief contended that “the SEC’s latest allegations against SolarWinds and Brown—the first time in history that the SEC has charged a CISO with securities violations—are counterproductive for cybersecurity and national security.” According to the post, the SEC’s charges “also provide a stark warning for companies, executives, and cybersecurity professionals that the SEC remains committed to policing cybersecurity in the years to come.” Check it out!

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising