SolarWinds and the SEC
The SolarWinds incident, which came to light in 2020, sent shockwaves through the IT industry and government circles.
The Austin-based IT supply chain company found itself at the centre of a sprawling espionage campaign attributed to Russian hackers. The breach’s far-reaching consequences prompted the SEC to take unprecedented action, targeting not just the company but also its CISO personally.
This move by the SEC was part of a broader push to more aggressively address cyber risks. It also signalled a potentially alarming trend for cybersecurity professionals: the possibility of being held personally liable for data breaches.
The gravity of this shift is underscored by the case of Uber’s former chief security officer, Joe Sullivan, who in 2023 received a three-year probation sentence and a US$50,000 fine for covering up a 2016 data breach. This marked the first criminal prosecution of a company executive over the handling of a data breach, setting a precedent that sent ripples through the cybersecurity community.
In response to these developments, the SEC introduced new cyber rules in 2023. These regulations mandated the disclosure of data breaches and…