The U.S. District Court for the Southern District of New York has dismissed many of the Securities and Exchange Commission’s (SEC’s) claims against software development company SolarWinds and its chief information security officer (CISO).

In its detailed July 18, 2024 opinion, the court allowed only a limited category of the SEC’s claims to proceed. The SEC had alleged SolarWinds and its CISO made materially misleading statements and omissions about the company’s cybersecurity practices and risks in public disclosures.¹

This case represents the SEC’s attempt to expand its authority to regulate internal accounting controls and is the first time the SEC has charged a CISO individually.

Dismissed SEC Claims

The court dismissed the following claims.

• Internal accounting controls. The court rejected the SEC’s attempt to impose liability under Section 13(b)(2)(B) of the Securities Exchange Act of 1934 for failing to maintain appropriate internal accounting controls on the basis of insufficient cybersecurity controls. The court ruled that the SEC’s authority to regulate an issuer’s system of internal accounting controls does not extend to corporate cybersecurity controls and instead relates solely to a company’s financial accounting controls.
• SEC filings and disclosures. Claims regarding SolarWinds’ SEC filings during and after the cyberattack were dismissed. The court found that the SEC failed to adequately support allegations of securities fraud or false filings.
• Public statements. The court also dismissed the SEC’s claims related to press releases, blog posts and other public communications, categorizing them as “non-actionable corporate puffery” that lacked sufficient detail for a reasonable investor to rely on them.

The court allowed claims concerning SolarWinds’ “Security Statement” to proceed. These claims allege that SolarWinds’ statements about access controls and password protections were materially misleading to investors. The court emphasized the importance of accurate cybersecurity disclosures given their relevance to the company’s business model.

Takeaways for CISOs and Cybersecurity Lawyers

The SEC’s dismissed claims were novel in that they sought to:

• Hold a CISO personally liable for the information contained in certain SEC filings.
• Base liability on voluntary scoring reported under the National Institute of Standards and Technology (NIST) cybersecurity framework.

The court’s rejection of these arguments is a significant win for CISOs and cybersecurity professionals. The court’s opinion chips away at the SEC’s authority to regulate cybersecurity issues.

Implications for Companies and CISOs

Notwithstanding the loss for the SEC in this matter, the remaining claims highlight the continued importance of confirming accurate and detailed cybersecurity disclosures. Companies should ensure that their public statements — in marketing materials, ESG reports and elsewhere — are truthful and reflective of their internal practices to avoid potential claims and maintain investor trust.

Companies should also consider reexamining their existing practices, including in the following areas.

• Security statements. Companies should conduct a comprehensive review of their public-facing security statements to ensure accuracy and consistency. When doing so, companies should provide accurate and complete information in their security statements and avoid overstating the effectiveness of cybersecurity measures. Going forward, companies should consider conducting regular and thorough assessments of their cybersecurity statements and internal cybersecurity measures to ensure that such statements reflect an accurate picture of current practices.
• Effective communication. The surviving claims underscore the need for clarity and accuracy in internal and external cybersecurity communications. Effective communication between CISOs, senior management and other stakeholders is critical. Executives must understand their role and responsibilities concerning cybersecurity.
• Guidance for security teams. Companies should reevaluate their training programs for security professionals, who should be trained to communicate effectively about cybersecurity challenges and avoid informal or misleading communications. Proper guidance can help mitigate potential liabilities and improve overall security posture.

_______________

1 For more information on the initial complaint, see our November 3, 2023, client alert “What Does the SEC’s Complaint Against SolarWinds Mean for CISOs and Boards?”

[View source.]