SEC Charges Against SolarWinds Signal Resolute Cybersecurity Enforcement and May Spur Surge in Cybersecurity Whistleblowing to SEC

Today the SEC filed a complaint against SolarWinds Corporation and its CIO for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. According to the complaint, SolarWinds defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks.  The SEC’s complaint signifies robust SEC enforcement of cybersecurity-related securities violations, including failure to disclose known material cybersecurity risks and failure to maintain adequate cybersecurity controls.  In a press release announcing the charges, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, states: “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

In light of the elevated cybersecurity risk environment and the SEC prioritizing enforcement of cybersecurity violations, cybersecurity whistleblowers have a strong incentive to report cybersecurity violations to potentially qualify for an SEC whistleblower award and can play a vital role in protecting against cyber breaches and attacks.

Information security and data privacy whistleblowers are often in a position to identify and remedy vulnerabilities—and therefore prevent breaches—if only decision makers would act on their concerns. In our practice representing cybersecurity whistleblowers, we find that all too often, chief information security officers and other information security professionals encounter indifference or retaliation when they raise concerns about vulnerabilities.  The SEC whistleblower program offers a powerful incentive for cybersecurity whistleblowers to report violations to the SEC and assist the SEC in taking decisive enforcement actions that will encourage registrants to provide accurate disclosures about cybersecurity and maintain appropriate cybersecurity controls.

This post discusses the implications of the charges against SolarWinds and how cybersecurity whistleblowers can qualify for an SEC whistleblower award.

SEC Complaint Against SolarWinds

The complaint alleges what appears to be a blatant failure to remedy significant cybersecurity vulnerabilities and concealment from shareholders of the risks stemming from those vulnerabilities:

The complaint reveals how the SEC applies anti-fraud and internal control rules to cybersecurity violations, including two key issues:

Cybersecurity Securities Violations

The complaint against SolarWinds alleges violations of the following provisions of federal securities laws:

In December 2023, the SEC will have an additional tool to combat cybersecurity violations in that the recently adopted rules on cybersecurity risk management, strategy, governance, and incident disclosure will become effective.  These rules require registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

New Form 8-K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant.  And new Regulation S-K Item 106 will require registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats and describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.  The new Regulation S-K Item 106 will be effective for annual reports for fiscal years ending on or after December 15, 2023 and the incident disclosure requirements in Form 8-K Item 1.05 will become effective around December 18, 2023.

SEC Whistleblower Awards for Cybersecurity Whistleblowers

Under the SEC Whistleblower Program, the SEC is required to pay awards to eligible whistleblowers who voluntarily provide the SEC with original information that leads to a successful enforcement action resulting in monetary sanctions in excess of $1 million.

A cybersecurity whistleblower may receive an award of between 10% and 30% of the total monetary sanctions collected. If represented by an attorney, a whistleblower may submit a tip anonymously to the SEC.

Since 2012, the SEC has issued more than $1.8 billion in awards to whistleblowers. SEC whistleblower attorneys can provide critical guidance to whistleblowers throughout this process to protect their identities and increase the likelihood that they not only obtain, but maximize, their awards. See our tips to obtain an SEC whistleblower award.

Federal and state whistleblower protection laws protect cybersecurity whistleblowers against retaliation, including the Sarbanes-Oxley Act, the False Claims Act, and the Defense Contractor Whistleblower Protection Act.

© 2024 Zuckerman Law
National Law Review, Volume XIII, Number 304