SEC rebuked in SolarWinds decision. What does it mean?

By Chris Wright

Managing Director, Protiviti

U.S. District Judge Paul Engelmayer has dismissed most of the charges made by the U.S. Securities and Exchange Commission (SEC) against software company and 2020 cyberattack victim SolarWinds and its chief information security officer (CISO), Tim Brown. In its original lawsuit, filed in October 2023, the SEC alleged that SolarWinds had defrauded investors by concealing security weaknesses in its public filings (IPO registration documents and 8-K filings) about its internal cybersecurity practices.

In the ruling, the judge dismissed the charges that SolarWinds had misled investors in its public IPO filings, noting that the claims by the SEC were based on “hindsight and speculation.” However, the judge ruled the SEC can proceed with securities fraud charges for statements and claims the company made on its public-facing website about its cyber strategy leading up to a large-scale cyberattack in 2020. 

Why it matters

The judge’s ruling rejected SEC oversight of cybersecurity controls. The decision, which is viewed by many as a major loss for the SEC in its attempts to expand cyber oversight, potentially:

  • Reduces companies’ potential exposure to government penalties after cyberattacks.
  • Allows cyber incident victims to more safely and transparently share information post-incident with customers, investors and authorities.

What they say 

A SolarWinds spokesperson

“We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate. We are grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”

What we say

“Public companies should take note of the decision and the issue to which it relates, but also of the broader issue at hand. While the decision is a loss for the SEC in this instance, and the cybersecurity matter is what is involved, there’s no reason to believe the Commission will lose interest in holding others beyond the signers of public filings (CEOs and CFOs) accountable for disclosures made in securities filings.”  

The bottom line 

Anyone responsible for any kind of reporting in an SEC filing needs to understand their role in the process and make sure they have good controls around the data being provided to the public. Cyber disclosures are only one element of nonfinancial reporting provided (or soon to be provided) in SEC filings, and the Commission clearly has an interest in more than just the CFO and the CEO when it comes to those disclosures. Business leaders need to be aware that the SEC may continue to seek accountability from more than just the CEO and the CFO.

VISION by Protiviti is a global content resource exploring big, transformational topics that will alter business over the next decade and beyond. Written for the C-suite and boardroom executives worldwide, VISION by Protiviti examines the impacts of disruptive forces shaping the world today and in the future. Through a variety of voices and a diversity of thought, VISION by Protiviti provides perspectives on what business will look like in a decade and beyond.
