The U.S. Securities and Exchange Commission (“SEC”) earlier this year adopted rules requiring public companies to provide enhanced disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy, and governance. The deadlines for providing these disclosures are fast approaching. In addition, on October 30, 2023, the SEC filed charges against SolarWinds Corp. (“SolarWinds”) and its chief information security officer (“CISO”) for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. These new SEC rules and the SEC’s complaint against SolarWinds and its CISO underscore the fact that cybersecurity is an overall business issue, not just an IT problem, which demands proactive and ongoing attention by a company’s officers and directors.
The SEC’s complaint against SolarWinds alleges that, from its October 2018 initial public offering through its December 2020 announcement that it was the target of a nearly two-year long massive cyberattack, SolarWinds and its CISO defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or…
