In a recent turn of events, legal, risk management, and cybersecurity experts are emphasizing the critical importance of corporations prioritizing internal controls, investor transparency, and material disclosure. Against the backdrop of the Securities and Exchange Commission's (SEC) recent accusations of fraud against SolarWinds, industry leaders are sounding a cautionary note for all public firms to adhere to the agency's newly established cyber disclosure standards.
The SEC's lawsuit against SolarWinds and its Chief Information Security Officer (CISO), Tim Brown, alleges that the company misled investors by concealing vulnerabilities and exaggerating its security posture prior to the notorious December 2020 Sunburst attack. If the SEC prevails in its case, SolarWinds could face significant fines, and Brown, who assumed the role of CISO after the cyberattack, might face permanent disqualification from corporate leadership.
Gallagher cyber liability managing director John Farley underscores the gravity of the situation, stating, “The SEC has made it abundantly clear that organizations need to take the new disclosure mandates very seriously. Their public disclosures specific to their cyber risk management strategies must reflect reality and be put in practice every day.”
The timing of the SEC's legal action is noteworthy, occurring less than two months after the implementation of the agency's updated disclosure regulations, compelling publicly traded businesses to promptly disclose significant cyber events. Following a brief grace period, corporations are now required to report cybersecurity issues on Form 8-K within four days of materiality. Additionally, companies must annually disclose board supervision and management involvement in cybersecurity risk strategy.
The SEC's complaint sent shockwaves through the industry by revealing internal emails, documents, and other proof that SolarWinds executives, including CISO Tim Brown, lied about security holes and other problems within the company. In 2018, a SolarWinds network engineer identified a security vulnerability in the company's remote access virtual private network, expressing concerns about its security. Astonishingly, another internal email in the same year falsely asserted the robustness of SolarWinds' Secure Development Lifecycle, a claim executives concealed until the company could substantiate it.
Foley & Lardner partner Aaron Tantleff underscores the significance of the revelations, stating, "They knew what their environment was." It appears that SolarWinds internally acknowledged its lack of control over certain aspects of its cybersecurity but publicly asserted otherwise, raising serious concerns about the company's transparency and adherence to disclosure standards.
As corporations navigate the evolving landscape of cybersecurity, the SolarWinds case serves as a stark reminder of the imperative to align public disclosures with the ground realities of cyber risk management. The industry awaits the outcome of the SEC's legal proceedings, recognizing the potential far-reaching implications for corporate governance and cybersecurity transparency.