ARTICLE
15 August 2024

Down But Not Out: Federal Court Curbs SEC Cybersecurity Enforcement Authority

Foley & Lardner

In a stinging rebuke of its attempted cybersecurity-related enforcement against a public company, a federal judge recently dismissed most of the charges that the U.S. Securities and Exchange Commission (SEC) had filed against SolarWinds Corporation and the company's Chief Information Security Officer (CISO). The ruling is a remarkable setback for the SEC, but public companies and other regulated organizations should still anticipate continued SEC scrutiny of their cybersecurity practices and disclosures.

The SolarWinds Case

In 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures related to cybersecurity vulnerabilities the defendants allegedly knew about. According to the SEC, the defendants overstated the company's cybersecurity practices and understated the company's cybersecurity risks. The defendants allegedly knew of specific deficiencies in the company's cybersecurity program, and those deficiencies were exposed in December 2020 when the company announced that it had been the victim of a massive cyberattack that had spanned almost two years. Upon disclosure of the attack, SolarWinds' stock price dropped precipitously.

Federal Court Guts the SEC's Case

Last month, the federal judge handling the SolarWinds case dismissed most of the SEC's claims against the company and its CISO. Most importantly, the court rejected the SEC's effort to use the internal accounting controls provision of the Securities Exchange Act of 1934 (Section 13(b)(2)(B)) as the basis for an enforcement action targeting a public company's cybersecurity controls.

The SEC had alleged that, because of the company's deficient cybersecurity program, SolarWinds failed to "devise and maintain a system of internal accounting controls." This was the first instance in which the SEC had brought an accounting controls claim based on a defendant's cybersecurity failings. The court found that the term "system of internal accounting controls" refers to a company's financial accounting and does not encompass its cybersecurity systems. In addition to rejecting this claim, the court rejected several others, leaving only a small number of fraud claims remaining.

Key Takeaways

The SEC has increasingly sought to take a prominent role in cybersecurity. Several years ago, the agency issued guidance regarding public companies' disclosure obligations related to cybersecurity incidents. And as recently as last year, the SEC adopted a rule requiring timely disclosure of material cybersecurity incidents and annual disclosure of cybersecurity risk management, strategy, and governance.

The SEC has also promulgated rules on cybersecurity policies and procedures for broker-dealers, investment companies, registered investment advisers, and other covered institutions. Our team has written separately about those policies and procedures.

Further, prior to the order in the SolarWinds case (and as recently as June 2024), the SEC had settled enforcement actions against other public companies using the same internal accounting controls theory that the SolarWinds judge rejected.

Against this backdrop, companies should consider the following takeaways:

  1. Although the SolarWinds ruling is a stinging loss for the SEC, the agency's case against the company and its CISO will continue, albeit on narrowed grounds.
  2. The SEC remains very focused on cybersecurity enforcement and oversight for public companies, as shown by its adoption of the rule mandating disclosure of material cybersecurity incidents. Notably, that rule was not at issue in the SolarWinds case, because the conduct alleged predated the rule's effective date. Going forward, public companies should work with their legal advisors to comply with the SEC's disclosure rule.
  3. Broker-dealers, investment companies, registered investment advisers, and other covered institutions can expect continued cybersecurity rulemaking and enforcement actions by the SEC. The SEC has made clear that it views cybersecurity as a significant issue for these entities.
  4. As a result, companies and firms subject to SEC regulation should continue to invest in their cybersecurity programs, develop cybersecurity policies and procedures (including incident response plans), and promptly investigate and respond to potential cybersecurity incidents. Working with trusted legal advisors on these steps can help strengthen a company's cybersecurity program and mitigate both security and regulatory risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
