SolarWinds Executives May Face Personal Liability as SEC Issues Wells Notices

 Privacy Plus+

Privacy, Technology and Perspective

This week, let’s hearken back to a perennial favorite topic: personal cyber liability for executives and boards of directors. Liability issues continue to emerge, and here we will cover the latest news related to prospective executive liability for two SolarWinds officers.

Background: We have been dedicated to covering the topic of executive liability for a while. So for background, please click on the following link to a recent post on that subject:

https://www.hoschmorris.com/privacy-plus-news/cyber-liability-for-directors-and-officers

SolarWinds: As an update to the trend of enhanced executive liability, SolarWinds recently disclosed that the U.S. Securities and Exchange Commission (“SEC”) issued a “Wells Notice” not only to the company, but to its Chief Financial Officer (“CFO”) and Chief Information Security Officer (“CISO”) as well. A Wells Notice details specific allegations against an individual and/or company, and provides an opportunity for a response before the SEC makes a final decision on whether to bring formal charges of wrongdoing. Hence, the Wells Notices show the SEC is considering authorizing actions against SolarWinds’ CFO and CISO for violating federal securities laws in connection with the cyberattack on SolarWinds’ Orion software platform and internal systems.

A link to SolarWinds’ Form 8-K containing this disclosure follows:

https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/02aed9ff-6065-4158-8efd-6b5e31f7eb89.pdf

Recall that the SolarWinds hack was one of the broadest, deepest, and most shocking hacks ever conceived and executed by the Russian security force SVR. It affected vital U.S. Government departments and agencies (including the Departments of Defense and Justice and the NSA), some of the technology companies in the U.S. (including Microsoft), and even the most sophisticated forensic and counter-intrusion companies in the world (including Mandiant). Mandiant experts described the sophistication of the hack as “sheer elegance.” That quote, along with the story of the SolarWinds hack, is told in a gripping Wired magazine article entitled “The Untold Story of the Boldest Supply-Chain Hack Ever.” A link to that article follows:

https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/

Our thoughts: 

  1. Include Securities-Law Requirements in Incident-Response Training. The early stages of incident response are often chaotic, hair-on-fire scrambles to learn what has happened and how to deal with it. Meanwhile, all stakeholders – including major investors – may be beating the doors down, demanding to be told in real time whatever the response team is learning. Later, how those stakeholders act on that information may be intensely scrutinized. The moral seems to be to include securities-law obligations (including “insider trading” law) in incident-response training.

  2. Re-think Private Rights of Action? It’s not uncommon now to see private rights of action authorized after security breaches, when the affected company is later found not to have acted “reasonably” to prevent the breach. (California’s CCPA, as amended by the CPRA, is one example.) This trend seems to be creeping toward personal liability for the company’s senior officers (and directors) under the guise of “accountability,” somewhat like personal responsibility under Sarbanes-Oxley (“SOX”) is thought to do for internal accounting practices.

The trouble is that internal accounting practices and cybersecurity are subject to very different attacks. So far as we’ve ever heard, foreign espionage agencies don’t commonly target financial reporting to make businesses look more or less profitable or risky than they are, which is what SOX mainly addresses. In contrast, one of the most dangerous agencies in the world targeted SolarWinds, and used its Orion software package to target many others – for purposes of what the Wired article calls pure espionage. Significantly, many of the world’s best were watching closely, and they also missed the attack. Normally, companies aren’t liable if they acted “reasonably” under the circumstances. But no matter how many assessment frameworks are referenced, sometimes what is “reasonable” ends up being in the eye of the beholder, and a beholder sees the world in hindsight. You know the old saying: hindsight is 20/20.

To ask companies, much less people, to be personally “accountable” for the harms caused by the SVR or other malign, foreign espionage agencies is very close to asking those companies (or people) to be the insurers of first resort against the consequences of terrorism or war. No insurance company will agree to underwrite such a thing. In our view, we shouldn’t expect their victims to, either.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
