
SEC notification causes turmoil in cybersecurity industry for SolarWinds CISO and CFO


The US Securities and Exchange Commission (SEC) has turned the cybersecurity industry on its head by warning executives of SolarWinds that it may take legal action against them for violations of federal law in relation to their response to the 2020 attack on the company’s infrastructure. This attack affected thousands of customers across government agencies and companies worldwide.

SolarWinds, a company that sells a network and applications monitoring platform called Orion, was hit by a threat actor believed to be connected to Russia. The threat actor used the platform to distribute Trojanized updates to its users. The attack prompted an investigation by the SEC, which has now issued Wells Notices to current and former SolarWinds employees, including the chief financial officer (CFO) and chief information security officer (CISO).

A Wells Notice is a notification from the SEC staff that they have made a preliminary determination to recommend filing a civil enforcement action. It is important to note that a Wells Notice does not indicate wrongdoing or a final determination of violation. However, if legal action is pursued and the SEC prevails, there could be various consequences for the individuals involved.

SolarWinds highlighted the potential outcomes in its SEC filing, stating that if the SEC authorizes an action, it may seek an order to enjoin the individuals from future violations of securities laws, impose civil monetary penalties, bar them from serving as officers or directors of a public company, and provide other equitable relief within the SEC’s authority.

It should be noted that the SEC sent a Wells Notice to SolarWinds itself last year, alleging violations of federal securities laws with respect to cybersecurity disclosures and public statements, as well as internal controls and disclosure procedures. Action on that notice is still pending.

As news of the Wells Notices broke, SolarWinds CEO Sudhakar Ramakrishna sent an email to employees expressing the company’s disappointment with the SEC’s positions. According to Ramakrishna, the company has cooperated with the SEC, yet the agency’s stance does not align with the facts. He emphasized the company’s intent to explore a potential resolution with the SEC and to vigorously defend itself if legal action is initiated.

The SEC’s move to issue Wells Notices to individual employees within the company is rare and significant. It raises concerns among cybersecurity professionals, as it could signal a new level of liability for chief information security officers (CISOs). The notice suggests that a CISO could potentially be held accountable for a failure to disclose material information related to a cyber incident.

Cybersecurity experts and professionals weighed in on the development. Jamil Farshchi, CISO at Equifax, noted that while a Wells Notice usually targets CEOs or CFOs in cases such as Ponzi schemes or accounting fraud, CISOs could potentially be held accountable for failing to disclose the seriousness of an incident, or for failing to disclose it in a timely manner.

Former Biocon CISO Agnidipta Sarkar commented on the increased individual accountability for CISOs, stating that they will now be held responsible for the decisions they make or fail to make. However, Ruby Mishra, CISO at KPMG India, cautioned against solely blaming the CISO or CFO for cyberattacks. Mishra emphasized the collective responsibility of organizations and the complexity of cybersecurity.

Mishra also acknowledged the difficulties in preventing all cyberattacks, given the sophisticated techniques and rapidly evolving threat landscape. She suggested that the SEC considered various factors, including specific circumstances, legal frameworks, negligence in implementing security measures, neglecting SEC policies, and ignoring known vulnerabilities, before issuing the Wells Notices.

SolarWinds responded to the SEC’s actions by stating that the Sunburst attack, as they refer to the breach, was a highly sophisticated and unforeseeable attack carried out by a global superpower using novel techniques. The company argued that legal action against them and their employees could have a chilling effect on breach disclosures and emphasized the importance of public-private partnerships with the government in combating nation-state attacks like Sunburst.

As the cybersecurity industry grapples with the SEC’s move, the implications for CISOs and the potential outcomes of this legal action remain to be seen. This development reinforces the need for organizations to prioritize cybersecurity and ensure effective disclosure and response protocols are in place. Only time will tell how this case will unfold and if it will set a precedent for future actions against cybersecurity executives.
