SEC dismisses SolarWinds lawsuit: What CISOs need to know


Overview


On November 20, 2025, the US Securities and Exchange Commission (SEC) announced the dismissal of charges against SolarWinds Corporation and its chief information security officer (CISO). The dismissal marks a significant development in the cybersecurity disclosure landscape.

In Depth


The original lawsuit against SolarWinds, filed in October 2023 following the massive 2020 SUNBURST cyberattack, alleged that the company and its CISO misled investors about the company's security practices and then downplayed the incident's scope. The case was a rare instance of the SEC directly targeting a CISO, and it sent a chill through the industry. The dismissal, stipulated by the SEC, SolarWinds, and the CISO without any admission of wrongdoing, ends this years-long legal battle. Although the SEC noted that the dismissal was an "exercise of its discretion" and does not necessarily reflect its position on any other case, it is nearly impossible not to read the decision as signaling an adjustment in the SEC's approach to cybersecurity disclosures.

The dismissal follows a July 2024 ruling by a federal judge who dismissed most of the SolarWinds charges, including the novel application of the internal accounting controls statute to police non-financial cybersecurity controls. Current SEC Commissioners have criticized stretching the controls provision to reach every perceived disclosure failure.

Despite the dismissal, the SEC's core cybersecurity disclosure rules on Forms 8-K and 10-K remain in effect. Companies must still assess the materiality of each cybersecurity incident without unreasonable delay and, once an incident is determined to be material, file Form 8-K (Item 1.05) within four business days of that determination; the four-business-day clock runs from the materiality determination, not from discovery of the incident. They must also continue to provide the annual Form 10-K disclosures (Item 1C) about cybersecurity risk management and strategy, governance, and management's role and expertise.

That materiality question has also been revisited by the current Commission. The dismissal echoes what certain Commissioners noted in 2024, when a dissent in post-SolarWinds administrative proceedings questioned materiality thresholds applied in the settled actions and criticized the Commission for playing “Monday morning quarterback.” The dissenting Commissioners expressed support for treating companies that have been subject to a cyberattack as victims. The dissent asserted that public companies are not required to disclose the identity of threat actors or furnish proof that the company conducted a robust post-incident investigation.

The dismissal brings significant relief to the CISO community, but there is tension here. This Commission has been clear about its intent to hold individuals liable when it identifies a viable fraud or disclosure case. In addition, outside the public company context, the Commission has expressed continued support for enforcing the cybersecurity rules that apply to investment advisers, broker-dealers, and other regulated entities.

CISOs can protect themselves in three ways:

  • First, as was the case in the original SolarWinds filing, the act of making a public statement – even a statement not in a traditional securities filing – exposes a CISO to the risk of securities claims. That trigger applies not only in the context of SEC investigations, but also in shareholder suits by private plaintiffs. The key is to ensure that any public statement associated with the CISO is vetted carefully for accuracy and comprehensiveness.
  • Second, although this Commission has retreated from overly aggressive scrutiny of internal and disclosure controls, those same disclosure controls can protect CISOs and public companies from government investigations and shareholder litigation. Those controls help to avoid a problem in the first place, and their design and implementation can provide important defenses.
  • Third, in the regulatory context, CISOs should pay careful attention to compliance policies and procedures, ensuring that those policies and procedures are tailored, updated, followed, and documented.

In short, the dismissal signals a possible recalibration of the SEC's aggressive enforcement strategy, particularly its pursuit of corporate victims of cyberattacks and of CISOs. Yet the foundational SEC rules requiring timely and transparent cybersecurity disclosures remain firmly in place and continue to demand diligence from public companies. Cybersecurity executives may feel some relief, but the dismissal is no guarantee against liability for how a company responds to and discloses a cybersecurity incident.

For additional information about the SEC’s SolarWinds-related suits, see McDermott Will & Schulte’s July 2024 client alert.

To learn more about navigating the SEC’s cybersecurity disclosure landscape, explore the authors’ other articles on the topic. For questions, contact your regular McDermott Will & Schulte lawyer or the authors.