By: Danielle A. Ocampo
The civil action taken by the Securities and Exchange Commission (SEC) against SolarWinds and its Chief Information Security Officer (CISO) underscores the evolving landscape of liability concerns for CISOs. In the October 2023 suit filed in New York federal court, the SEC charged SolarWinds with failing to disclose to investors the company’s cybersecurity weaknesses during a massive hack of its supply chain. Additionally, the SolarWinds CISO faced personal charges for allegedly exaggerating the company’s cyber control capabilities and not revealing known risks. In light of the SEC’s incident disclosure requirements implemented in July 2023, California businesses must now adapt to handling breaches in a post-SolarWinds era.
On November 2, 2023, the SEC’s Division of Enforcement’s Chief Crypto Asset and Cyber Attorney David Hirsch delivered a fireside chat at the University of San Diego’s Cyber Law and Risk Symposium. Mr. Hirsch shared general insight about the July rules in a post-SolarWinds framework. He outlined key questions to consider when assessing CISO liability: What did the CISO know, and what did the CISO do? In other words, once the CISO became aware of red flags, what did the CISO do regarding public disclosures?
The SEC favors a principles-based approach because incidents and breaches may vary. However, according to Mr. Hirsch, information that is material to investors must be disclosed in an organization’s 8-K form within the four-day period from the time the incident was determined, barring any exceptions. Once information is gathered and materiality is assessed, disclosure is a must. Regarding vendors, reporting third-party breaches draws on principles surrounding, for example, board management, cyber risk governance, and reasonable steps taken on the front end to find out how a vendor breach affected investors’ data.
The method of disclosure is not strictly outlined. Mr. Hirsch emphasized the principles-based approach, taking into account factors such as the language, text, and presentation that would be easily understood by an average reader. Considerations include ensuring clarity for those who may not be technologically proficient and fostering organizational cohesion to maintain a unified and comprehensible communication strategy during an incident.
Mr. Hirsch clarified that determining what is reasonable to disclose depends on what could be considered material, which is subject to change and varies based on the nature of the incident. Evidence bearing on materiality may be quantitative or may go to the nature, scope, or reasonably likely impacts of the event. Points to consider include documentation that establishes a record of proactive measures, along with describing what the company did to prepare, what is known at present, and what updates are important to investors. He further commented that while the SEC does not require Board oversight, this may be a differentiating factor that is material to investors. In principle, the organization should have the people it says it has.
The SEC has broad authority to share information with other federal regulatory agencies and with states such as California that request access for similar issues. As the SolarWinds litigation is still underway, California businesses and their CISOs must patiently await the outcome to observe how the SEC’s principles-based approach will be implemented with respect to the new disclosure rules.