by Ilona Cohen
Last year, the government filed a landmark lawsuit alleging that SolarWinds and its Chief Information Security Officer (CISO) misled the public about the company’s cybersecurity practices before and after a major cyberattack. The charges surprised leaders in the industry and forced many companies to reevaluate their own security programs. In a recent development, however, a judge in New York dismissed most of the charges against the company and SolarWinds’ CISO, leaving many to wonder what these developments mean for them.
The case against SolarWinds was filed by the Securities and Exchange Commission (SEC), a government agency that has interpreted its authority broadly to regulate publicly traded companies. The court did not agree with the SEC’s use of that authority in key respects and dismissed allegations that the statements in SolarWinds’ press releases, blog posts, podcasts, and certain SEC filings misrepresented the company’s cybersecurity risks and controls.
The most noteworthy part of the court’s ruling, and one that is likely to be appealed, is that the SEC does not have legal authority to regulate a company’s security resilience (as distinct from the company’s disclosures). The SEC’s oversight of a company’s internal accounting controls does not, in the court’s view, extend to cybersecurity practices. If the ruling is upheld on appeal, it may result in significant limits to the SEC’s enforcement authority.
The court allowed the government to proceed to trial on a single claim, the allegation that SolarWinds’ statements about access controls and password practices, in its security statement, were materially misleading by a “wide margin.”
Here are some other takeaways from the ruling:
- Companies are still required to implement programs with adequate cybersecurity resilience. While this court rejected the SEC’s authority to regulate this resilience, the SEC’s likely appeal may result in a different outcome, and inadequate security controls could lead to legal action under other regulations.
- The claim that was not dismissed rests on alleged inconsistencies between how the internal team described the company’s security resilience and the public statements that investors reasonably rely on, such as trust or security statements. The government may bring enforcement actions if it believes public statements misrepresent a company’s true security posture.
- Though the court dismissed many charges, the SEC’s requirements that public companies disclose material cybersecurity incidents, as well as material security governance and strategy information, remain in place. Companies should continue to ensure they have processes in place to assess materiality and disclose material information related to cybersecurity to investors.
No matter how aggressively the government intends to investigate and enforce adequate security controls, companies will always benefit from managing cybersecurity threats and proactively reducing risk.
Ilona Cohen is the Chief Legal Officer, Chief Policy Officer, and Corporate Secretary at HackerOne. This post first appeared on HackerOne’s blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).