US SEC charges SolarWinds and its CISO for alleged cybersecurity misstatements and controls failures
On October 30, 2023, the SEC announced charges against software company SolarWinds Corporation and its chief information security officer (“CISO”), Timothy Brown, for allegedly making material misstatements regarding its cybersecurity practices and its description of the breach, for not having reasonable internal controls to safeguard the company’s crown jewel assets, and for not having reasonable disclosure controls. The SEC investigation began following SolarWinds’ widely reported 2020 breach, which was felt throughout the US economy. This case emphasizes the need for companies to ensure that those approving public disclosures have the necessary, accurate and complete information about cybersecurity risks and incidents. It also emphasizes that individuals who have the relevant information may be liable for failing to escalate cybersecurity incidents and vulnerabilities to those responsible for the public disclosures.