SEC notice to SolarWinds CISO and CFO roils cybersecurity industry

The US Securities and Exchange Commission has roiled the cybersecurity industry by putting executives of SolarWind on notice that it may pursue legal action for violations of federal law in connection with their response to the 2020 attack on the company’s infrastructure that affected thousands of customers in government agencies and companies globally.

Current and former employees and officers of the company, including the chief financial officer (CFO) and chief information security officer (CISO), have received so-called Wells Notices notices from the SEC staff, in connection with the investigation of the 2020 cyberattack, the company said in an SEC filing. 

"The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws," SolarWinds said in its filing. 

A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law, SolarWinds noted. However, if the SEC does pursue legal action and prevails in a lawsuit, there could be various consequences.

“If the SEC were to authorize an action against any of these individuals, it could seek an order enjoining such individuals from engaging in future violations of provisions of the federal securities laws subject to the action, imposing civil monetary penalties and/or a bar from serving as an officer or director of a public company and providing for other equitable relief within the SEC's authority,” Solarwinds said in its filing.

SolarWinds sells a network and applications monitoring platform called Orion, which was hit by a threat actor widely believed to be affiliated with Russia, and used to distribute Trojanized updates to the software’s users.

The SEC also sent a Wells Notice to the company itself last year. In that notice, the SEC alleged “violations of certain provisions of the U.S. federal securities laws with respect to our cybersecurity disclosures and public statements, as well as our internal controls and disclosure controls and procedures,” according to SolarWinds’ latest quarterly financial report. Action on that notice is pending, according to SolarWinds.

SolarWinds to defend itself 

SolarWinds CEO Sudhakar Ramakrishna sent an email to employees stating that despite their extraordinary measures to cooperate with and inform the SEC, the agency continues to take positions that SolarWinds do not believe match the facts.

“We will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves," Ramakrishna wrote in the email, which the company has sent to news organizations. 

SEC move could mean more liability for CISOs

Meanwhile, cybersecurity professionals noted that it is unusual for a Wells Notice to be sent to a CISO, and the move by the SEC could signal a whole new set of potential liabilities for cybersecurity professionals.  

"Usually, a Wells Notice names a CEO or CFO for issues such as Ponzi schemes, accounting fraud or market manipulation, but those are unlikely to apply to a CISO,"  Jamil Farshchi, CISO at Equifax, said in a LinkedIn post, adding that one violation that a CISO might be in the position to commit is a failure to disclose material information. 

"Things like failing to disclose the gravity of an incident … or failing to do so in a timely manner, could conceivably fall into this category," Farshchi said in the post. 

The move by the SEC will make CSOs more individually accountable for cybersecurity, said Agnidipta Sarkar, a former CISO of pharmaceuticals company Biocon.

"Though it doesn’t mean that the CISO has been charged, it is a new milestone. From today onwards, CISOs will increasingly be made accountable for the decisions they take or did not take," Sarkar said. 

However, attributing blame solely to the CISO or CFO might not always be fair or accurate, said Ruby Mishra, CISO at KPMG India.

"In order to manage cybersecurity effectively, the organization adopts a multilayered approach involving various stakeholders and departments. Holding the CISO or CFO solely responsible for a cyberattack may overlook the collective responsibility," Mishra said. 

Mishra noted that it is difficult for individuals or organizations to prevent all cyberattacks due to sophisticated techniques and rapidly changing threat landscapes. 

"Before issuing the notice, the SEC may have considered a variety of factors, including specific circumstances, and legal frameworks, or may have demonstrated negligence if CISO failed to implement adequate security measures, neglected SEC policies, guidelines, and practices, or ignored known vulnerabilities," Mishra said. 

On its part, SolarWinds said in a statement sent to media outlets that “Sunburst,” its name for the breach, “was a highly sophisticated and unforeseeable attack that the U.S. government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before.”

It also noted that legal action against SolarWinds and its employees could have a “chilling” effect on breach disclosures. “The only possible way to prevent sophisticated and widespread nation-state attacks such as Sunburst is through public-private partnerships with the government,” the company said.