Computer Security Expert Dan Farmer once wrote: “As we’ve seen over and over again, the digital realm can be as dangerous and fraught with peril as the physical world, and it’s high time we started taking it just as seriously.” The U.S. Securities and Exchange Commission (SEC) agrees.
The SEC is taking important steps to ensure that businesses remain vigilant and proactive in safeguarding their valuable assets, sensitive data, and customer information from the looming threat of cyberattacks. Further, the SEC is underscoring the importance of quick and robust disclosures when a material cybersecurity incident occurs.
New Cybersecurity Risk Management Rules
In late July, the SEC adopted rules requiring companies that register with the SEC to disclose both cybersecurity incidents and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.
In announcing the new rules, SEC Chair Gary Gensler stated: “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Under the new rules, registrants will be required to disclose any cybersecurity incident they deem material and to describe “the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” Such disclosures must be made within four business days after a registrant determines that a cybersecurity incident is material, with exceptions in circumstances where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
In addition, the new rules will require registrants to describe their processes, if any, for “assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.” The rules will also require registrants to annually describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
These rules are set to take effect December 15, 2023, but the SEC is not delaying in flexing its enforcement muscle on this topic.
The SEC’s “Milestone” SolarWinds Complaint
On October 30, 2023, the SEC announced charges against SolarWinds Corp. and its Chief Information Security Officer, Timothy G. Brown, alleging fraud and internal control failures related to allegedly known cybersecurity risks and vulnerabilities. The Wall Street Journal has dubbed the action “a milestone in its evolving attempt to regulate how public companies deal with cybersecurity.”
The facts underlying the SolarWinds action date back to between January 2019 and December 2020. During that time, SolarWinds experienced a “massive, nearly two-year long cyberattack.”
The SEC’s complaint alleges that from at least October 2018 through at least January 12, 2021, SolarWinds and Brown “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks. SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.”
Specifically, the SEC claims that SolarWinds’ poor cybersecurity practices included “(a) failure to consistently maintain a secure development lifecycle for software it developed and provided to thousands of customers, (b) failure to enforce the use of strong passwords on all systems, and (c) failure to remedy access control problems that persisted for years.”
In support of its allegations, the SEC cites to internal memoranda in claiming that SolarWinds’ security posture was extremely poor, in contrast with the company’s public disclosures. According to the complaint, Brown wrote in internal presentations in 2018 that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. The SEC also cites to 2018 and 2019 presentations by Brown that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
In announcing the complaint, the SEC’s Director of Enforcement Gurbir S. Grewal stated: “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company…. SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The action has been controversial among some businesses that believe the SEC is placing excessive burdens on the purported victims of cyberattacks. An attorney for SolarWinds commented, “The SEC is improperly trying to appoint itself the cybersecurity police for public companies. The agency’s overreach into this complex area should alarm all public companies and cybersecurity professionals across the country.”
* * *
Given the rapid expansion of our digital landscape, coupled with the global shift to remote work and the integration of smart devices, there is fertile ground for malicious actors seeking to exploit vulnerabilities within corporate systems. As the threats become more widespread and sophisticated, it is critical that companies remain vigilant and proactive in protecting against cyberattacks. Further, once a material breach occurs, companies must be transparent and swiftly disclose material facts about the incident to better inform investors and protect clients and customers.
With its new rules and the SolarWinds action, the SEC is demonstrating the importance of implementing robust cybersecurity controls and ensuring accurate public disclosures following cybersecurity incidents.
In addition to its commitment to prosecute securities and antitrust frauds, Berman Tabacco has launched its data privacy team to work to protect consumers. From data breaches, to concealed tracking software, to compromised health records, Berman Tabacco’s privacy attorneys represent consumers harmed by businesses that fail to safeguard private information and covertly monetize client data for profit. For more information, please visit our Privacy practice area page.