Last week, Freshfields and co-counsel Cooley LLP filed an amicus brief in SEC v. SolarWinds, No. 23-cv-09518 (S.D.N.Y. Oct 30, 2023) on behalf of Modern Fortis’ Secure Policy Coalition, and other organizations and individuals that seek to promote the interests of the cybersecurity community and challenge the SEC’s unprecedented theories of liability for companies and Chief Information Security Officers (CISOs).
As discussed in our prior blog post here, the SEC filed its complaint in October 2023 against both SolarWinds and Timothy Brown, the company’s CISO, in connection with a 2020 Russian-state sponsored cyberattack that compromised the networks of more than 18,000 SolarWinds customers. The complaint alleges that Mr. Brown and SolarWinds made material misrepresentations and omissions that “concealed both the Company’s poor cybersecurity practices and its heightened—and increasing cybersecurity risks,” which allegedly culminated in the 2020 attack. Despite the fact that the company disclosed the risk of cyberattacks and promptly reported the breach in an 8-K filing, the SEC cites various internal communications among Mr. Brown and others at the company—aimed at identifying and resolving cybersecurity issues—as evidence that he and SolarWinds concealed the company’s cybersecurity deficiencies from investors.
This action is the first time the SEC has ever sought to hold a CISO personally liable for the content of public corporate disclosures. The outcome carries meaningful consequences for the cybersecurity ecosystem, not only in terms of how companies approach cybersecurity governance and disclosures, but also how they collaborate with government entities to prevent, identify, and control cyberattacks. With this in mind, the amicus brief aims to: (1) educate the Court about the complex risks that CISOs must balance on a daily basis, (2) highlight potential policy implications of imposing personal liability on CISOs, and (3) give voice to concerns within the CISO community about the uncertainties that SEC enforcement could introduce to their compliance efforts. The brief’s key issues are summarized below.
CISOs know there is an inherent level of risk in cybersecurity. History and experience show that there is no such thing as perfect security against cyberattacks. As such, a robust cybersecurity program is not one that eliminates every possible risk, but one that promotes transparent communication, both internally and externally. Such communications enable CISOs and their teams to keep abreast of the latest cyber threats, identify vulnerabilities within their own organization, and triage risks using finite resources. In a dynamic environment where bad actors can bring the full weight of a foreign military intelligence operation to bear against a private company, government organizations and industry leaders agree that proper risk management is crucial.
The SEC is sending CISOs conflicting messages on public disclosure obligations. The SEC’s attempt to regulate via enforcement action (beyond the requirements of their recently adopted rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) risks creating substantial uncertainty as to the appropriate level of detail in public disclosures concerning a company’s cyber practices and vulnerabilities. The SEC’s theory of liability in this action presents CISOs with an impossible choice: either they over-disclose details about a company’s security, thereby reducing the risk of personal liability but potentially providing threat actors with information that could be used in an attack; or they minimize the detail of public disclosures, thereby increasing the risk of personal liability but diminishing the chances of tipping off hackers. This potential conflict is all the more puzzling given that the SEC itself emphasized the importance of not providing a “roadmap for threat actors” in its response to public comments on drafts of the recently promulgated incident disclosure rule.
The SEC’s position risks chilling internal discussions and self-assessments in the private sector. By citing internal communications among cybersecurity personnel concerning areas of improvement or instances of potential noncompliance with corporate security policies, the SEC risks discouraging the very efforts CISOs and others take to improve company security. In response to this lawsuit, cybersecurity personnel may be deterred from engaging in critical communications to assess and address risk, for fear that an internal email or presentation may be taken out of context and used to argue, via fraud-by-hindsight, that a CISO deliberately misled investors.
This litigation comes amid a critical shortage of cybersecurity professionals. While demand for cybersecurity employees has grown 200 percent in the last 10 years,[1] there remains a dearth of qualified candidates. The risk of personal liability for CISOs under the SEC’s novel and aggressive legal theories will exacerbate companies’ existing struggle to hire and retain talent.
The Court must consider the importance of public-private cooperation. The government relies on transparent communication both from and within the private sector in order to protect against cyber threats. If the SEC’s claim proceeds, CISOs may fear that the information they provide to other companies or to the government in a good faith attempt to shore up national security and/or supply chain resilience will later serve as evidence that they failed to timely disclose to investors a known breach or vulnerability.
* * *
In short, the SEC’s claims are novel and may have policy effects extending far beyond any single case. As the Court evaluates the complaint, it should consider the perspectives of cybersecurity personnel who serve as the front line of defense in a rapidly expanding arms race against sophisticated adversaries. Freshfields welcomes the opportunity to give CISOs and other cybersecurity professionals a voice at this crucial juncture in federal cyber regulation.
[1] Growing the National Cybersecurity Talent Pipeline: Hearing Before the Subcomm. on Cybersecurity & Infrastructure Prot. of the H. Comm. on Homeland Sec., 118th Cong. 118-19, 15 (statement of Will Markow) (2023).
