SEC Notice Creates Turmoil in Cybersecurity Industry for SolarWinds CISO and CFO

The SEC has sent a Wells Notice to SolarWinds’ Chief Information Security Officer (CISO), a move that could open up a new set of liabilities for cybersecurity professionals. The notice comes as part of the ongoing investigation into SolarWinds’ cybersecurity disclosures and public statements.

According to SolarWinds’ latest quarterly financial report, the SEC has alleged “violations of certain provisions of the U.S. federal securities laws with respect to our cybersecurity disclosures and public statements, as well as our internal controls and disclosure controls and procedures.” The company is currently awaiting action on this notice from the SEC.

In response to the SEC’s actions, SolarWinds CEO Sudhakar Ramakrishna sent an email to employees expressing the company’s disappointment with the agency’s positions. Despite cooperating and providing information to the SEC, SolarWinds believes that the agency’s allegations do not align with the facts. Ramakrishna stated that the company will explore potential resolutions before any final decision is made by the SEC, and if legal action is taken, SolarWinds intends to vigorously defend itself.

The SEC’s decision to send a Wells Notice to the CISO is considered unusual by cybersecurity professionals. Typically, Wells Notices are sent to CEOs or CFOs for issues such as Ponzi schemes, accounting fraud, or market manipulation. However, this move could signify a new level of accountability and potential liabilities for CISOs regarding cybersecurity disclosures.

Jamil Farshchi, the CISO at Equifax, pointed out that one violation a CISO could commit is a failure to disclose material information. In a LinkedIn post, Farshchi mentioned that situations like failing to disclose the severity of a cybersecurity incident or failing to do so in a timely manner could fall into this category. This suggestion highlights the importance of transparency and timely reporting for CISOs.

The SEC’s actions against SolarWinds and the CISO could have significant implications for the cybersecurity industry. With the possibility of increased liabilities, cybersecurity professionals may need to ensure that they have robust disclosure processes in place and promptly report any material information regarding cybersecurity incidents.

It is crucial for organizations to prioritize cybersecurity and take proactive measures to protect their systems and data. This includes regularly assessing and updating their internal controls and disclosure controls and procedures to meet regulatory requirements. By actively addressing cybersecurity concerns and cooperating with regulatory agencies like the SEC, companies can demonstrate their commitment to protecting their stakeholders’ information.

As the investigation continues, it remains to be seen how this case will unfold and whether there will be any legal action taken against SolarWinds or its CISO. In the meantime, the cybersecurity community will be closely watching this development, as it could set a precedent for potential liabilities and responsibilities of CISOs in the future.
