On July 18, 2024, the U.S. District Court for the Southern District of New York made a significant ruling regarding the Securities and Exchange Commission’s (SEC) case against SolarWinds. The SEC had accused SolarWinds and its chief information security officer, Timothy Brown, of misrepresenting the company’s cybersecurity defenses and handling of a major breach in 2020.
The court dismissed most of the SEC’s claims, including those related to internal accounting controls and post-incident disclosures. While the SEC argued that SolarWinds’s cybersecurity failures constituted a breakdown in internal accounting controls, the court disagreed. It stated that the term “internal accounting controls” in the Exchange Act only pertains to financial accounting controls and does not extend to cybersecurity measures.
Although the court upheld some pre-incident disclosure claims regarding the accuracy of SolarWinds’s security statement, it rejected other claims related to cybersecurity risk factor disclosures. This decision challenges the SEC’s attempt to broaden its regulation of cybersecurity by including it under internal accounting controls.
The court’s ruling may have implications for the SEC’s future cybersecurity enforcement actions. Despite the setback in this case, the SEC is likely to continue focusing on the adequacy of cybersecurity disclosures by companies. It is essential for issuers to ensure that their disclosure decisions are based on accurate and current information about their cybersecurity practices to mitigate risks.
Jones Day’s insights on this matter are meant for general information purposes only and should not be considered legal advice. The views expressed are personal and do not necessarily reflect those of the firm. Reproduction or citation of this content without permission is prohibited.
In conclusion, the court’s decision in the SolarWinds case highlights the ongoing debate over the SEC’s authority in regulating cybersecurity controls. While the ruling may limit the SEC’s ability to expand its oversight in this area, companies should remain vigilant in ensuring transparent and accurate cybersecurity disclosures to avoid potential legal challenges.