On October 30, 2023, the Securities and Exchange Commission filed a securities fraud claim in federal court in the Southern District of New York against SolarWinds Corporation as well as its Chief Information Security Officer, Timothy G. Brown. Reminiscent of the recent Uber case, in which Uber’s CISO faced jail time for data breach concealment, the SEC in SolarWinds alleges fraud, contending that the company and its CISO made misstatements and omissions in the company’s SEC filings.
Specifically, the SEC alleges that SolarWinds hid its “poor cybersecurity practices” and “heightened” and “increasing” cybersecurity risks by making misrepresentations of fact and omitting material facts in its public filings. Among other things, the SEC further alleges that false statements were made regarding the company’s adherence to the standards of the National Institute of Standards and Technology.
On January 26, SolarWinds and Mr. Brown struck back with a lengthy and combative memorandum asking the court to dismiss the SEC action. Among many arguments, the motion focused on the claimed inability of the SEC to establish intent on the part of Mr. Brown because he was not a member of the company’s disclosure committee. In essence, the motion argues that Mr. Brown cannot be liable for the content of public filings when he was not part of the committee that finalized and filed those statements.
The SolarWinds case raises questions about the extent to which CISOs can be liable for what they “should have known” – as opposed to what they actually knew – and also about the extent to which a CISO can be liable for not raising suspicions of negligence or fraud with fellow officers and, potentially, board members. Further, this case may increase potential liability even for those CISOs who are not corporate officers and who therefore have less control over company decisions.
The bottom line is that CISOs need to watch the SolarWinds case carefully as they consider the potential risks associated with the CISO title.