SEC Sends Ominous Warning to CISOs and Cybersecurity Professionals With Wells Notice Concerning SolarWinds Breach

On June 23, 2023, SolarWinds disclosed in its most recent Form 8-K filing that “certain current and former executive officers and employees” of SolarWinds, including SolarWinds’ Chief Financial Officer (CFO) and Chief Information Security Officer (CISO), had received Wells Notices from the US Securities and Exchange Commission (SEC or Commission) in connection with the major 2020 cybersecurity breach (the SolarWinds breach) experienced by the information technology firm.

These Wells Notices, which put the SolarWinds executives and employees on notice of the SEC’s possible intent to bring charges against them, come more than two years after the SolarWinds breach and highlight the changing landscape of the CISO’s role within a company, particularly at publicly traded companies. This is thought to be the first time that a CISO has received a Wells Notice. The notifications to the individuals are likely a harbinger of enhanced SEC scrutiny and greater legal risks for many cybersecurity professionals.

The SolarWinds breach was discovered on December 8, 2020, by FireEye, a US-based cybersecurity firm that used the company’s software. Beginning in September 2019, a foreign hacking group known as Cozy Bear, believed to be affiliated with the Russian Foreign Intelligence Service (the SVR), compromised SolarWinds’ Orion IT performance management system. At the time, Orion was used by many companies and the US federal government. By inserting malware into Orion software updates, which customers then installed in early 2020, the hackers gained remote access to confidential and sensitive data. Several federal agencies, including the Department of Homeland Security, Department of Defense, and Department of Commerce, as well as at least three state governments, were affected, raising national security concerns. Over 100 private sector companies were also affected by the massive data breach.

SolarWinds’ shareholders sued the company in early 2021 for its alleged “utter failure” to employ adequate cybersecurity safeguards and for misleading investors about the state of its security practices in public filings with the SEC. On October 28, 2022, SolarWinds reached a tentative $26 million settlement with the class. The US District Court for the Western District of Texas will hold a final fairness hearing to consider whether to grant final approval of the settlement on July 28, 2023.

Previously, the SEC sent the company a Wells Notice on October 28, 2022, after investigating the cyberattack on SolarWinds’ Orion software. The SEC has not yet filed enforcement actions against SolarWinds or the individuals who received Wells Notices, although the notices are typically a precursor to litigation. In response to the threat of SEC liability, a spokesperson for SolarWinds asserted that the SEC’s contemplated actions against the company and its executives “will make the entire industry less secure by having a chilling effect on cyber incident disclosure.”

The SEC’s SolarWinds investigation is proceeding at the same time the Commission is engaged in rulemaking efforts related to cybersecurity. The SEC has proposed a package of cybersecurity-related rules in 2022 and 2023 that are expected to be finalized and adopted later this year. As a whole, the proposed rules include various disclosure requirements and would require certain SEC-regulated entities and public companies to implement numerous security measures.

The SEC’s focus on cybersecurity, as demonstrated by its rulemaking agenda and the recent developments in its SolarWinds investigation, is consistent with the attention that other law enforcement agencies are paying to the actions of cybersecurity executives and professionals in data incident and breach situations. For instance, in October 2022, Uber’s former Chief Security Officer was convicted in a federal case of obstruction of justice and misprision of a felony based upon his alleged cover-up of a 2016 cyberattack on Uber. That case is believed to be the first time a company executive was criminally prosecuted over their response to a cyberattack.

There is no doubt that cybersecurity risks have become a significant concern for investors and a priority for the SEC and other government enforcers. As a result, we expect to see more enforcement actions against companies and cybersecurity professionals in the future.

Summer associate Caron Song contributed to this post.