In a stinging rebuke of its attempted cybersecurity-related enforcement against a public company, a federal judge recently dismissed most of the charges that the U.S. Securities and Exchange Commission (SEC) had filed against SolarWinds Corporation and the company’s Chief Information Security Officer (CISO). The ruling is a remarkable setback for the SEC, but public companies and other regulated organizations should anticipate continued scrutiny from the SEC when it comes to cybersecurity.
The SolarWinds Case
In 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures related to allegedly known cybersecurity vulnerabilities. According to the SEC, the defendants overstated the company’s cybersecurity practices and understated the company’s cybersecurity risks. The defendants allegedly knew of specific deficiencies in the company’s cybersecurity program, and those deficiencies were exposed in December 2020 when the company announced that it was the victim of a massive cyberattack that spanned almost two years. Upon revealing the attack, SolarWinds’ stock dropped precipitously.
Federal Court Guts the SEC’s Case
Last month, the federal judge handling the SolarWinds case dismissed most of the SEC’s claims against the company and its CISO. Most importantly, the court rejected the SEC’s efforts to use the Securities Exchange Act of 1934’s internal accounting controls to support an enforcement action targeting a public company’s cybersecurity controls.
The SEC had alleged that, based on the company’s deficient cybersecurity program, SolarWinds failed to “devise and maintain a system of internal accounting controls.” This was the first instance where the SEC had brought an accounting control claim based on the defendant’s cybersecurity failings. The court found that the term “system of internal accounting controls” refers to a company’s financial accounting and does not encompass its cybersecurity systems. In addition to rejecting this claim, the court also rejected several others, leaving a small number remaining.
Key Takeaways
The SEC has increasingly sought to take a prominent role in cybersecurity. Several years ago, the agency issued guidance regarding public companies’ disclosure obligations related to cybersecurity incidents. And as recently as last year, the SEC issued a rule requiring timely disclosure of material cybersecurity incidents and annual disclosure of cybersecurity risk management, strategy, and governance.
The SEC has also promulgated rules related to cybersecurity policies and procedures for broker-dealers, investment companies, registered investment advisers, and other covered institutions. Our team has written about those policies and procedures here.
Further, prior to the order in the SolarWinds case (and as recently as June 2024), the SEC had settled enforcement actions against other public companies using the same internal accounting control theory that the SolarWinds judge rejected.
Against this backdrop, companies should consider the following takeaways:
- Although the SolarWinds ruling is a stinging loss for the SEC, the agency’s case against the company and its CISO will continue, albeit on narrowed grounds.
- The SEC remains very focused on cybersecurity enforcement and oversight for public companies, such as with the promulgation of the rule mandating disclosure of material cybersecurity incidents. Notably, that rule was not implicated in the SolarWinds case, given that the conduct at issue predated the rule’s effective date. Going forward, public companies should work with their legal advisors to comply with the SEC’s disclosure rule for public companies.
- Broker-dealers, investment companies, registered investment advisers, and other covered institutions can expect continued cybersecurity rulemaking and enforcement actions by the SEC. The SEC has made it clear that it views cybersecurity as a significant issue for these entities.
- As a result, companies and firms subject to SEC regulation should continue to invest in cybersecurity programs, develop cybersecurity policies and procedures (including incident response plans), and promptly investigate and respond to potential cybersecurity incidents. Working with trusted legal advisors on these steps can help strengthen the company’s cybersecurity program and mitigate risk.