The SEC has taken unprecedented action against SolarWinds and its CISO over cybersecurity misrepresentations made in the wake of the 2020 supply-chain compromise of its Orion platform. The complaint alleges that SolarWinds made false and misleading statements about its cybersecurity practices and about the severity of the attack, even though the company had internal knowledge of the relevant vulnerabilities and control gaps. The case is notable on three counts: it is the first SEC enforcement action alleging scienter-based fraud for cybersecurity disclosures, the first such action brought against an individual (the CISO), and the first internal accounting controls charge in this area since the 21(a) Report. Taken together, this signals a shift toward more aggressive cybersecurity enforcement by the SEC, with implications for how public companies and their executives handle cybersecurity disclosures and internal controls.

Three questions the article raises:

  1. How will the SolarWinds lawsuit impact how public companies disclose cybersecurity risks and incidents in the future?
  2. What does the SEC’s aggressive stance in this lawsuit suggest about its evolving approach to cybersecurity enforcement?
  3. How might this lawsuit affect the responsibilities and liabilities of Chief Information Security Officers (CISOs) at public companies?