US SEC staff have recommended legal action against individual SolarWinds employees, including the CISO — an unusual move that is causing a stir among cybersecurity professionals.

The US Securities and Exchange Commission has roiled the cybersecurity industry by putting executives of SolarWinds on notice that it may pursue legal action for violations of federal law in connection with their response to the 2020 attack on the company's infrastructure, which affected thousands of customers in government agencies and companies globally.

Current and former employees and officers of the company, including the chief financial officer (CFO) and chief information security officer (CISO), have received so-called Wells Notices from SEC staff in connection with the investigation of the 2020 cyberattack, the company said in an SEC filing.

"The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws," SolarWinds said in its filing.

A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law, SolarWinds noted. However, if the SEC does pursue legal action and prevails, the consequences for the individuals could be significant.

"If the SEC were to authorize an action against any of these individuals, it could seek an order enjoining such individuals from engaging in future violations of provisions of the federal securities laws subject to the action, imposing civil monetary penalties and/or a bar from serving as an officer or director of a public company and providing for other equitable relief within the SEC's authority," SolarWinds said in its filing.
SolarWinds sells a network and application monitoring platform called Orion, which was compromised by a threat actor widely believed to be affiliated with Russia and used to distribute Trojanized updates to the software's users.

The SEC also sent a Wells Notice to the company itself last year. In that notice, the SEC alleged "violations of certain provisions of the U.S. federal securities laws with respect to our cybersecurity disclosures and public statements, as well as our internal controls and disclosure controls and procedures," according to SolarWinds' latest quarterly financial report. Action on that notice is pending, according to SolarWinds.

SolarWinds to defend itself

SolarWinds CEO Sudhakar Ramakrishna sent an email to employees stating that, despite the company's extraordinary measures to cooperate with and inform the SEC, the agency continues to take positions that SolarWinds does not believe match the facts.

"We will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves," Ramakrishna wrote in the email, which the company has sent to news organizations.

SEC move could mean more liability for CISOs

Meanwhile, cybersecurity professionals noted that it is unusual for a Wells Notice to be sent to a CISO, and that the move by the SEC could signal a whole new set of potential liabilities for cybersecurity professionals.

"Usually, a Wells Notice names a CEO or CFO for issues such as Ponzi schemes, accounting fraud or market manipulation, but those are unlikely to apply to a CISO," Jamil Farshchi, CISO at Equifax, said in a LinkedIn post, adding that one violation a CISO might be in a position to commit is a failure to disclose material information. "Things like failing to disclose the gravity of an incident … or failing to do so in a timely manner, could conceivably fall into this category," Farshchi said in the post.
The move by the SEC will make CISOs more individually accountable for cybersecurity, said Agnidipta Sarkar, a former CISO of pharmaceuticals company Biocon. "Though it doesn't mean that the CISO has been charged, it is a new milestone. From today onwards, CISOs will increasingly be made accountable for the decisions they take or did not take," Sarkar said.

However, attributing blame solely to the CISO or CFO might not always be fair or accurate, said Ruby Mishra, CISO at KPMG India. "In order to manage cybersecurity effectively, the organization adopts a multilayered approach involving various stakeholders and departments. Holding the CISO or CFO solely responsible for a cyberattack may overlook the collective responsibility," Mishra said.

Mishra noted that it is difficult for individuals or organizations to prevent all cyberattacks, given the sophistication of attacker techniques and the rapidly changing threat landscape. "Before issuing the notice, the SEC may have considered a variety of factors, including specific circumstances and legal frameworks, or may have demonstrated negligence if the CISO failed to implement adequate security measures, neglected SEC policies, guidelines, and practices, or ignored known vulnerabilities," Mishra said.

For its part, SolarWinds said in a statement sent to media outlets that "Sunburst," its name for the breach, "was a highly sophisticated and unforeseeable attack that the U.S. government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before." It also noted that legal action against SolarWinds and its employees could have a "chilling" effect on breach disclosures. "The only possible way to prevent sophisticated and widespread nation-state attacks such as Sunburst is through public-private partnerships with the government," the company said.