SEC charges SolarWinds and CISO over cyber risk disclosures
The SEC just charged SolarWinds and its CISO personally for misleading investors about cybersecurity. The complaint alleges the company knew its security was weaker than what it told investors, and the CISO is being held individually liable. If you are a security executive signing off on risk disclosures, this is the case that should keep you up at night.
Reviewed for accuracy by Kodi C.
On 30 October 2023 the U.S. Securities and Exchange Commission charged SolarWinds Corporation and its CISO with fraud and internal control violations related to statements about the company's cybersecurity posture before and after the 2020 Orion supply-chain compromise. The complaint establishes significant precedent for cybersecurity disclosure obligations and individual executive accountability.
Allegations and Legal Framework
The SEC complaint alleges SolarWinds made materially misleading statements about its cybersecurity practices in SEC filings, website disclosures, and investor communications. According to the complaint, internal assessments identified security weaknesses that contradicted public statements about the company's security posture. The SEC characterized these discrepancies as violations of antifraud provisions under Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act.
The enforcement action against the CISO personally represents a significant escalation. The SEC alleges the CISO made misleading statements to investors and failed to ensure accurate disclosures despite knowledge of internal security assessments. This establishes precedent for personal liability of security executives for disclosure accuracy.
Disclosure Obligations Under Securities Law
Securities law requires disclosure of material information reasonably likely to affect investor decisions. For cybersecurity, materiality assessments must consider both quantitative factors (financial impact, remediation costs) and qualitative factors (reputational harm, regulatory consequences, customer relationships). The SolarWinds case suggests the SEC expects consistency between internal risk assessments and public disclosures.
Risk factor disclosures in annual reports should reflect actual security conditions rather than generic boilerplate. The complaint cited discrepancies between SolarWinds' Form 10-K risk factors and internal security assessments. If you are affected, review whether disclosed risk factors align with findings from penetration testing, vulnerability assessments, and audit reports.
Internal Controls Implications
The SEC alleged SolarWinds failed to maintain adequate internal controls over cybersecurity disclosures. This extends traditional financial reporting controls to cybersecurity risk communication. If you are affected, evaluate whether disclosure controls and procedures address cybersecurity information flows from technical teams through disclosure committee review.
Documentation of control evaluations becomes critical for demonstrating reasonable disclosure practices. If you are affected, maintain records of security assessments shared with disclosure committees, analysis supporting materiality determinations, and evidence of management review before filing.
CISO and Executive Accountability
Individual charges against the CISO require security executives to evaluate personal liability exposure. Directors and officers insurance policies should be reviewed for cybersecurity disclosure coverage and defense cost provisions. Employment agreements should clarify indemnification scope for disclosure-related activities.
Reporting structures warrant examination. CISOs reporting to disclosure committees may face different liability exposure than those with purely technical reporting lines. If you are affected, ensure security executives have appropriate access to disclosure processes and legal guidance when contributing to SEC filings.
Implementation Recommendations
- Disclosure review: Audit cybersecurity risk factors against internal security assessments and penetration test findings to identify potential inconsistencies.
- Control documentation: Strengthen documentation of cybersecurity information flows through disclosure controls and procedures.
- Materiality framework: Establish structured methodology for cybersecurity materiality determinations with documented analysis.
- Executive coverage: Review insurance and indemnification provisions for cybersecurity disclosure activities.
- Governance structure: Ensure appropriate CISO participation in disclosure committee processes with legal support.