In a bold first move following its new Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, issued on July 26, 2023, the Securities and Exchange Commission (SEC) this week filed suit against SolarWinds and its Chief Information Security Officer (CISO), alleging that for years SolarWinds and its CISO “ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company…and engaged in a campaign to paint a false picture” of its “cyber controls environment thereby depriving investors of accurate material information.”

The complaint against SolarWinds and its CISO outlines in detail internal statements made by SolarWinds and its CISO in emails, instant messages and presentations about SolarWinds’ security flaws and deficiencies.

The complaint should be a wake-up call to all public companies that the SEC is serious about holding executives responsible for following its cybersecurity guidelines and shoring up cybersecurity deficiencies. It is also a textbook case of how internal communications can, and will, be used by regulators and litigators to bolster a case, whether those communications are believed to be taken out of context or not. Internal communications like “Even if we start to hire like crazy, which we will most likely not, it will still take years. Can’t really figure out how to unf**ck this situation. Not good” will never be read in the most favorable light to the defendant.

Statement from SolarWinds spokesperson:

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments. The truth of the matter is that SolarWinds maintained appropriate cyber security controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats.”

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.