
SEC Probe Targets SolarWinds Executives


SolarWinds, a software firm, disclosed that the U.S. Securities and Exchange Commission (SEC) sent Wells Notices to multiple company executives, including CFO J. Barton Kalsu and CISO Tim Brown, regarding possible securities infringements connected to a data breach in 2020. SolarWinds also received a Wells Notice in relation to the same issue. The data breach in question had severe repercussions, as it exposed thousands of public and private organizations globally, including vital U.S. government agencies, to potential cyberattacks. The SEC is now investigating whether the company’s executives violated securities laws by failing to disclose the extent of the breach or by engaging in unlawful trading activities before the breach was publicly known.

The SolarWinds Data Breach and Its Aftermath

The data breach occurred in December 2020, when the Russian Foreign Intelligence Service inserted malicious software into SolarWinds’ “Orion” platform. This enabled them to access data from numerous businesses and government agencies, causing many Orion customers to reassess their operations and data protection measures. As a result of this incident, there has been a significant increase in concerns regarding cybersecurity and the potential vulnerabilities in widely used software platforms. Companies and government organizations are now investing more resources in securing their digital infrastructure to prevent similar attacks and protect sensitive information from cybercriminals.

Understanding Wells Notices and Their Implications

Receipt of a Wells Notice implies that the SEC’s Enforcement Division is contemplating recommending charges against the recipients. The Wells procedure grants those receiving the notice an opportunity to contest the charges. Upon receiving the Wells Notice, the recipient has a chance to provide a written response, known as a Wells submission, arguing against the potential charges. This submission allows them to present facts, legal analysis, and policy arguments to persuade the SEC that enforcement action is unnecessary or unwarranted before any formal charges are brought forward.

Increased Focus on Cybersecurity Disclosures and Individual Accountability

This case marks the first time a CISO has received a Wells Notice, indicating the SEC’s increasing focus on significant and timely cybersecurity-related disclosures and on holding individuals accountable for company violations. This development showcases the mounting pressure on companies to prioritize their cybersecurity measures and promptly report any breaches, ensuring transparency in their operations. Furthermore, it emphasizes the growing importance of individual accountability for CISOs and corporate executives in maintaining robust security practices and ensuring compliance with regulatory guidelines.


SEC Enforcement Actions: The Case of First American Financial

This comes after the SEC charged First American Financial, a real estate settlement services provider, in June 2021 for insufficient disclosures about its cyber attack controls and processes. The charges against First American Financial serve as a crucial reminder for companies to prioritize transparency regarding their cybersecurity protocols. As cyber threats continue to rise, organizations must maintain stringent measures and open communication with stakeholders to prevent potential incidents and maintain consumer trust.

New Regulations: Compelling Public Companies to Disclose Cybersecurity Incidents

Furthermore, in March 2022, the SEC proposed new regulations that would compel public companies to report material cybersecurity incidents and establish regular disclosure obligations concerning cybersecurity incidents, risk management, and governance. These new regulations aim to increase transparency and accountability for stakeholders by providing them with critical information about companies’ cybersecurity practices. As a result, investors and shareholders can make informed decisions based on a more comprehensive understanding of the organization’s cybersecurity risks, incident responses, and strategic approaches to protecting valuable digital assets.

The Rise of Individual Liability in SEC Enforcement Actions

As the SEC intensifies its focus on regulatory and enforcement initiatives in this area, the agency is becoming more determined to hold individuals liable for alleged corporate misconduct. This heightened scrutiny has led to an increased number of enforcement actions and fines against executives and other high-ranking employees, aiming to establish accountability for corporate misdeeds. As a result, companies and their leaders need to ensure they have a robust compliance program in place and prioritize ethical conduct within their organizations to avoid potential penalties.

Section 304 of the Sarbanes-Oxley Act: Reclaiming Bonuses and Compensation

This focus on individual liability has previously led to the application of Section 304 of the Sarbanes-Oxley Act to reclaim bonuses and compensation for the company. CEOs and others implicated in purported securities violations have also been pursued by the SEC. As a result, companies must diligently ensure compliance with regulations to avoid potential financial and legal repercussions. This includes establishing strong internal controls and transparent financial reporting procedures to reduce the risk of securities violations and maintain corporate integrity.


SolarWinds’ Response to the SEC Investigation

While SolarWinds and its executives have not revealed the specific securities violations under consideration, the firm asserts that its disclosures, public statements, controls, and procedures were suitable. Additionally, SolarWinds maintains that it has been transparent and cooperative with authorities during the investigation process. Company officials have expressed their commitment to adhering to regulatory standards and diligently addressing any concerns raised by the Securities and Exchange Commission.

Conclusion

In conclusion, the SolarWinds case highlights the SEC’s growing focus on timely cybersecurity-related disclosures and holding individuals accountable for company violations, which may lead to more enforcement actions in the future. This implies that companies must be more vigilant in maintaining robust cybersecurity practices and transparent communication with investors to avoid regulatory scrutiny. As the digital landscape continues to evolve, organizations must adapt and invest in the necessary resources to safeguard their data and protect their stakeholders from potential cyber risks.

FAQ

What is the SEC’s investigation into SolarWinds executives about?

The SEC is investigating whether SolarWinds executives violated securities laws by failing to disclose the extent of a data breach in 2020 or by engaging in unlawful trading activities before the breach was publicly known.

What happened during the SolarWinds data breach?

In December 2020, the Russian Foreign Intelligence Service inserted malicious software into SolarWinds’ “Orion” platform, enabling them to access data from numerous businesses and government agencies. This resulted in heightened concerns about cybersecurity and increased investment in securing digital infrastructure.

What is a Wells Notice?

A Wells Notice implies that the SEC’s Enforcement Division is contemplating recommending charges against the recipients. The Wells procedure grants recipients an opportunity to contest the charges by providing a written response called a Wells submission.


Why is the SEC focusing on individual accountability for cybersecurity disclosures?

The focus on individual accountability indicates the SEC’s increasing emphasis on significant, timely cybersecurity-related disclosures and holding individuals accountable for company violations. As a result, CISOs and corporate executives need to maintain robust security practices and adhere to regulatory guidelines.

What was the SEC’s enforcement action against First American Financial?

The SEC charged First American Financial in June 2021 for insufficient disclosures about its cyber attack controls and processes, emphasizing the need for companies to prioritize transparency in their cybersecurity protocols.

What are the new regulations proposed by the SEC regarding compulsory cybersecurity disclosures?

In March 2022, the SEC proposed new regulations that would compel public companies to report material cybersecurity incidents and establish regular disclosure obligations concerning cybersecurity incidents, risk management, and governance. This aims to increase transparency and accountability for stakeholders.

How has the rise of individual liability in SEC enforcement actions affected companies and executives?

With the rise of individual liability, the SEC is increasingly holding executives and high-ranking employees accountable for alleged corporate misconduct. Companies and their leaders must ensure they have a robust compliance program in place and prioritize ethical conduct to avoid potential penalties.

How has Section 304 of the Sarbanes-Oxley Act been used to reclaim bonuses and compensation?

Section 304 of the Sarbanes-Oxley Act has been applied to reclaim bonuses and compensation from CEOs and others implicated in alleged securities violations. Companies must establish strong internal controls and transparent financial reporting procedures to reduce the risk of violations and maintain corporate integrity.

How has SolarWinds responded to the SEC investigation?

SolarWinds asserts that its disclosures, public statements, controls, and procedures were suitable and that it has been transparent and cooperative with authorities during the investigation process. The company has committed to adhering to regulatory standards and addressing concerns raised by the SEC.

First Reported on: cpomagazine.com