Our thinking

Cybersecurity: Legal implications and risk management

What's inside

In an increasingly interconnected world, cyber risk is firmly at the top of the boardroom agenda, and having an effective data breach response programme is no longer optional.

Cybersecurity crisis management

The internet knows no borders, neither do we. Our global team of cybersecurity response experts work across borders, combining data protection, privacy, regulatory, white collar and litigation expertise in order to deliver seamless crisis management and legal advice, whenever and wherever needed.

The digitalization and free flow of information has transformed global business. However, with increased opportunities have come new and increased risks, together with complex legislative regimes that can vary significantly by jurisdiction, and are constantly evolving. Even the most conscientious company can become the victim of a cybersecurity incident, such as the stealing of client or company information, or a ransomware attack. We work with a wide range of multinational companies to manage their cybersecurity risks, developing rapid response plans, providing time-critical crisis management advice, and working with clients to manage any resulting legal issues that may arise. 

Key issues

Why?

  • Reputation
  • Fines
  • Breach of contract
  • M&A due diligence
  • Insurance
  • Proprietary information
  • Litigation
  • Criminal offences
  • Negligence

Be prepared

Risk Assessment

  • Key Information
  • Assets
  • Key Systems
  • Threat Analysis
  • Security Measures

Toolkit

  • Scripts
  • Internal and 
    External
  • Communications
  • Employee contacts
  • Response Plan
  • Live Training
  • Business Continuity Plan

Key considerations

Customer/individual rights

  • Requests for data
  • Data Protection Authority Complaints
  • Group litigation orders
  • Resolution mechanisms

B2B relationships

  • Contractual obligations
  • Contractual liability
  • Tort

Reputation management

  • Media strategy
  • Customer interaction
  • Employee engagement

Commercial

  • Proprietary
  • Information/Trade Secrets
  • System Disruption

Regulatory issues

  • Data Protection Authority
  • Financial Regulators
  • Market authorities
  • Other regulators

Privacy & data protection

  • Jurisdictions involved
  • Reporting obligations
    • individuals
    • authorities

Evidence

  • Law Enforcement Involvement
  • Legal Privilege
  • Preservation of Evidence

Response

Crisis Team

  • Legal (internal and external)
  • IT/IT Forensics
  • PR
  • Regulatory
  • DPO
  • Executive committee
  • HR
  • Vendor manager

Key Actions

  • Work with forensic investigators to:
    • Identify and contain breach
    • Gather/preserve evidence
    • Maximise legal privilege coverage
  • Contact crisis team
  • Bring in external partners
  • Identify key risks and priorities based on nature of breach
  • Assess notification requirements
  • Communications
  • Regulatory notifications

 

Articles

2024

SEC Enforcement Heats up on Key Public Company Topics: Cyber Disclosure, Director Independence and Regulation FD

The U.S. Securities and Exchange Commission's ("SEC") Division of Enforcement has recently brought a spate of enforcement actions relating to key topics for public companies. These include enforcement actions related to cybersecurity incident disclosure, director independence and Regulation Fair Disclosure ("Reg FD") violations, which are described below, and actions based on Section 13 and 16 beneficial ownership filings, as discussed in our prior alert.

Judge Rejects SEC’s Aggressive Approach to Cybersecurity Enforcement

On July 18, 2024, a New York federal judge dismissed most of the US Securities and Exchange Commission's ("SEC") claims against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO"), Timothy G. Brown, in connection with the Company's cybersecurity practice.

NIS 2 Directive: Navigating the challenges of implementation, impact, and scope

The NIS 2 directive establishes a regulatory framework aimed at improving the level of cybersecurity across the EU.

SEC’s Corp Fin Director Issues Statement on Cybersecurity Incident Disclosures

On May 21, 2024, the SEC's Director of the Division of Corporation Finance issued a statement on cybersecurity incident disclosures in light of the SEC's new cybersecurity disclosure rules. Our summary of this statement and key take-aways from White & Case's survey of cybersecurity disclosures is below.

2023

The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies

On October 30, 2023, the US Securities and Exchange Commission ("SEC") announced that it filed charges against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO") in connection with the SEC Division of Enforcement's ("Enforcement Division") investigation of a cyberattack.

SEC Adopts Mandatory Cybersecurity Disclosure Rules

On July 26, 2023, the Securities and Exchange Commission ("SEC"), in a 3-2 vote, adopted rules that will require public companies to make prescribed cybersecurity disclosures.

Shaping the future of digital and cybersecurity governance

In this brief three-minute video, London-based partner Lawson Caisley, Chair of White & Case's Global Cyber Risk Committee, shares his insights on governing cyber risk at the corporate level and some of the challenges of cyber risk management in the boardroom. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.

cybersecurity_square_800x800_4

Prioritizing cybersecurity at the corporate level

In this short three-minute video, Washington, DC–based partner F. Paul Pittman discusses the implications of the proposed new SEC rules on cybersecurity governance and what corporate boards can do now. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.

digital mesh

Cybersecurity Developments and Legal Issues

The potential for cybersecurity threats and attacks looms large and the technology companies developing new products and services play a constant game of cat-and-mouse with hackers and cybercriminals for control of cyberspace. Here are six points to consider when analyzing cybersecurity risks and protections.

client alert image

Directors face personal liability over cybersecurity failures

In an article for The Times, White & Case partner Lawson Caisley discusses why it could become increasingly common for UK directors to "face personal liability and regulatory censure as a result of their company suffering or mishandling a cyberbreach".

wafer circuit detail

2022

Director liability for cyber breaches: transatlantic warning signs?

Two legal cases in the US in the past month suggest that regulators and prosecutors are becoming more determined to take personal action against directors and senior executives who fail to deal adequately with cyber security breaches.  

arrow

SEC Proposes Mandatory Cybersecurity Disclosure Rules

On March 9, 2022, the Securities and Exchange Commission ("SEC") proposed rules that would require public companies to make prescribed cybersecurity disclosures.

2021

Legal 500's In-House Lawyer Magazine Autumn - Commercial Litigation Focus (Germany)

In The Legal 500's newly released In-House Lawyer Magazine a group of White & Case lawyers has contributed a legal briefing on trends in German commercial litigation.

magazine pile

AAA plc & ors v Persons Unknown: Cyber Activism or Blackmail?

In recent years, demands for payments in cryptocurrencies have become the ransom of choice for cyber extortionists and other online frauds. As a result, the English Court's powers are increasingly being called upon.

orange background

Time to Revisit Risk Factors in Periodic Reports

Ninth Circuit Decision Highlights Importance of Updating Risk Factors to Address Material Developments, including those relating to Cybersecurity Risks.

Alert 800x800

Cybersecurity Enforcement: New York Department of Financial Services issues first penalty under Cybersecurity Regulation

Consistent with its increasing activity in the cybersecurity enforcement space, in March 2021, the NYDFS issued its first penalty under the Cybersecurity Regulation. This client alert explores the settlement and offers takeaways on the areas of focus by the NYDFS in enforcement actions under the Cybersecurity Regulation.

Compensating non-material damages based on Article 82 GDPR

Is a data subject entitled to compensation from a controller or processor if the data subject's GDPR rights have been infringed, even if they have not suffered any kind of material damage? 

Corporate Boards Must Ask Key Cybersecurity Questions

Cybersecurity has been a mainstay of quarterly board agendas for years.

2020

Cybersecurity Risk: Top 5 strategies to build resilience

The fourth webinar in our 2020 Autumn Webinar Series covered crucial steps you should be taking to protect against cybersecurity threats and what you should do when disaster strikes.

Before the Dust Settles: The California Privacy Rights Act Ballot Initiative Modifies and Expands California Privacy Law

Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers.

stack of paper

US Cybersecurity Standards to Get Tougher and More Specific

In the past few years, cybersecurity has taken on increasing importance in the eyes of lawmakers and regulators.

Data Sharing Without Borders

UK law enforcement can now obtain an order against a person in or operating in the US for the production of or access to electronic data under a new ‘landmark’ US-UK data sharing agreement.

Alert 800x800

Responding to a cyber-incident

The COVID-19 crisis has exposed many companies to more cyber threats. Tim Hickman and John Timmons discuss what businesses need to do should a major incident occur.

Trending: Legal protection for cryptoasset stakeholders

Recent decisions in Singapore and New Zealand confirm that the courts are prepared to act to provide greater certainty and support to stakeholders in cryptoassets.

Recovering the ransom: High Court confirms Bitcoin status as property

The High Court has determined that Bitcoin (and other similar cryptocurrencies) can be considered property under English law, and could be the subject of a proprietary injunction. The Court granted the injunction to assist an insurance company to recover Bitcoin that it had transferred in order to satisfy a malware ransom demand.

2019

Navigating Privacy and Cyber Incident Notification and Disclosure Requirements

Organisations are facing increasing uncertainty in assessing global notification and disclosure obligations and making a determination of whether to notify or disclose a privacy violation or security incident in today's complex regulatory environment. This article offers six steps companies should consider when navigating this complex process.

Proposal on the Application of the NIS Regulations post-Brexit

This article examines the impact of the UK Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) on organisations post Brexit and their obligations under applicable cybersecurity law.

Contacts

Judge Rejects SEC’s Aggressive Approach to Cybersecurity Enforcement

Alert
|
10 min read

On July 18, 2024, a New York federal judge dismissed most of the US Securities and Exchange Commission’s ("SEC") claims against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO"), Timothy G. Brown, in connection with the Company’s cybersecurity practice. The ruling dismissed all allegations related to SolarWinds’ pre-SUNBURST cyberattack risk factor disclosure and post-SUNBURST Form 8-K disclosure, as well as claims concerning SolarWinds’ internal accounting and disclosure controls. The Court, however, allowed the SEC to move forward with its claim that SolarWinds committed securities fraud due to misrepresentations on the Company’s website regarding cybersecurity vulnerabilities. 

This decision is a significant blow to the SEC’s aggressive approach to cybersecurity enforcement. Not only did the Court find the SEC failed to allege intentional fraud based on the disclosure in the Company’s SEC filings, but the Court also found the SEC cannot use its internal accounting controls provision to regulate cybersecurity controls.

Background

SolarWinds, a NYSE-listed public company that went public in 2018, develops software for companies and government agencies to manage their information technology infrastructure. In December 2020, it was publicized that SolarWinds had been the victim of the “SUNBURST” cyberattack, which is believed to have been conducted by Russian state-sponsored hackers.1

On October 30, 2023, the SEC filed its Complaint in the Southern District of New York, alleging that SolarWinds and its CISO, Brown, violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 ("Exchange Act"). The Complaint also alleged that SolarWinds violated reporting, internal accounting control, and disclosure controls provisions of the Exchange Act; and that Brown aided and abetted the Company's violations. The SEC alleged that SolarWinds and Brown defrauded investors by overstating the Company’s cybersecurity practices and understating or failing to disclose known cybersecurity risks. For more details on the SEC’s claims, see our prior article at: White & Case Client Alert “The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies” (November 2023).2

Internal Accounting Controls Claim

Among the claims dismissed by the Court was the SEC’s allegation that SolarWinds failed to “devise and maintain appropriate ‘internal accounting controls’” sufficient to protect its most critical assets from unauthorized access, violating Section 13(b)(2)(B)(iii) of the Exchange Act.3 Section 13(b)(2)(B)(iii) requires companies to have “internal accounting controls” sufficient to assure that companies’ assets are accessed only with management’s authorization. Relying on this provision, the SEC argued that SolarWinds’ source code, databases, and products were its most vital assets.4 The SEC alleged that because of the Company’s poor access controls, weak internal password polices, and VPN security gaps, hackers were able to access SolarWinds’ assets without management’s authorization.5 SolarWinds countered that as a matter of statutory construction, “internal accounting controls” cannot reasonably be interpreted to cover a company’s cybersecurity controls.6 The Court agreed, finding the SEC’s reading of the provision to be “not tenable” because the term “internal accounting controls” refers to a company’s “financial accounting,” which is “one element of a control system implemented to safeguard assets and promote reliable financial records.”7 As “internal accounting controls” are controls to ensure companies “accurately report, record, and reconcile financial transactions and events,” cybersecurity controls do not reasonably fit within this term.”8 The Court did not deny the vital importance of cybersecurity controls.9 However, the Court found, the SEC’s interpretation would mean that Section 13(b)(2)(B)(iii) would “broadly cover all systems public companies use to safeguard their valuable assets,” and would have “sweeping ramifications” as to how public companies are regulated.10

Disclosure Controls and Procedures Claim

The Court also dismissed the SEC’s allegations that SolarWinds violated Rule 13a-15(a) by failing to “maintain disclosure controls and procedures.”11 The Court found that the Company had a system in place to facilitate timely and accurate disclosure.12 The mere mischaracterization of two incidents in the Company’s incident response plan, without more, did not amount to deficient disclosure controls, as “errors happen without systemic deficiencies.”13

SEC Filing Disclosure Claims

The Court also dismissed all the SEC’s charges related to SolarWinds’ allegedly inadequate cybersecurity risk factor disclosures prior to the 2020 SUNBURST cyberattack, as well as the Form 8-K disclosure that reported on the SUNBURST cyberattack.14

In its Complaint, the SEC alleged that SolarWinds’ risk factor disclosure was “unacceptably boilerplate and generic” and inadequate given the Company’s internal recognition that its security systems were faulty.15 The disclosure started with allegedly generic disclosure that SolarWinds “could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences” if the Company was subject to cyberattacks against its systems or its products.16 But the disclosure went further to list specific risks SolarWinds faced given its business model, which included the Company’s vulnerability to “damage or interruption” from hackers and that “SolarWinds might prove unable to anticipate, prevent, or detect such attacks.”17 The disclosure also alerted investors to the damaging consequences to the Company as a result of a security breach.18 The Court found that the Company’s risk factor disclosure was sufficient to alert investors about the “types and nature of the cybersecurity risks SolarWinds faced and the grave potential consequences” to the Company.19 Although some of the disclosure was “formulaic,” the Court found that “viewed in totality,” the disclosure provided acceptable “breadth, specificity, and clarity.”20

The SEC also alleged that the risk disclosure was inadequate because SolarWinds did not update it after learning of two cyber incidents from customers.21 The Court found that SolarWinds did not have the duty to update its cybersecurity risk disclosure concerning the two incidents in light of the Company’s already fulsome disclosure because the adequacy of the Company’s “pre-SUNBURST risk disclosure must be evaluated based on the information the [C]ompany had in real time and the conclusion it reasonably drew from that information.”22 The Court found that, at the time the Company made the disclosure, it did not have enough information about the two incidents to “reliably draw [a] conclusion.”23

Regarding SolarWinds’ Form 8-K disclosure following the SUNBURST cyberattack, the Court ruled that the SEC failed to plausibly allege actionable deficiencies in SolarWinds’ disclosures because those allegations “impermissibly rely on hindsight and speculation.”24 The Court found that “[t]he disclosure was made at a time when SolarWinds was at an early stage of its investigation, and when its understanding of that attack was evolving.”25 The Court further found that the first Form 8-K disclosure was promptly made just two days after the Company’s CEO was updated on the vulnerability in the Company’s product resulting from the attack.26 Considering the short turnaround, the Court concluded that the disclosure fairly captured the known facts at the time as to the severity of the attack and the potential for grave harm as a result.27

Claims Against the CISO

The Court also dismissed the SEC’s claims against the CISO, Brown, over the disclosure made in the Company’s SEC filings, because the SEC fell far short of pleading with particularity the CISO’s scienter through “conscious behavior,” and it did not "attempt to plead his scienter based on motive and opportunity.”28 The Court found that Brown did not deliberately withhold information from the persons responsible for creating risk disclosure, and did not have a duty to disclose additional information to Company officials given the facts available at the time.29 As such, the Court found that Brown’s conduct was not "highly unreasonable" or "an extreme departure from the standards of ordinary care."30

Security Statement Disclosure Claims

The Court, however, did not dismiss the SEC’s case entirely. The Court sustained the SEC’s claim that SolarWinds’ Security Statement, which was posted on the Company’s website, misrepresented to the public the adequacy of its cybersecurity practices even though the Company knew the vulnerabilities of such practices, which included poor access control and password protection.31 The Court found that “[g]iven the centrality of cybersecurity to SolarWinds' business model as a company pitching sophisticated software products to customers for whom computer security was paramount these misrepresentations were undeniably material,” thus constituting a sustained claim of a public misrepresentation.32 The Court also upheld claims over the CISO, Brown’s, role in the SolarWinds’ allegedly false and misleading representations in the Security Statement about the Company’s cybersecurity practice.33

Key Takeaways

  • The case represents a setback for the SEC in its aggressive enforcement efforts. Recently, the SEC has started to expansively apply Section 13(b)(2)(B)’s “internal accounting controls” provision to compel public companies to adopt policies and practices that do not directly involve the financial statements.34 Just one month prior to the SolarWinds opinion, the SEC settled similar internal accounting controls charges, finding that R.R. Donnelly & Sons, Co. failed to maintain adequate cybersecurity controls.35 The SEC had also previously brought similar charges for an issuer’s alleged failure to maintain internal controls to adequately monitor its stock repurchase plans.36 The SolarWinds decision reflects judicial acknowledgement that there are limits on the application of Section 13(b)(2)(B)’s accounting controls provision. The implications of the dismissal of the internal accounting controls claims remain uncertain, however, as the SEC may continue to attempt to apply the internal accounting controls provision to a broad range of public company practices.
  • Clear, specific, and broad-based risk factor disclosure carried the day. The case provides guidance as to the relevant disclosure standards for companies’ cyber risk factor and 8K event disclosure. Vague, boilerplate statements as to risks and consequences are inadequate. Risk factor disclosure should sufficiently alert investors about the types and nature of the specific cybersecurity risks faced, taking into account the specific business model, and the grave potential consequences to the company stemming from a cyber incident. Although the SEC does not require a company to disclose incidents for which it does not have sufficient information to reliably draw a conclusion, the total impact of a company's cybersecurity practices, remedial efforts, identified risks and known threats or attacks needs to be evaluated collectively when crafting a disclosure, with all information available at the time, rather than looking at isolated incidents individually. Particular attention should be paid to disclosure of cybersecurity risks and issues relating to "crown jewel" or flagship products or services that account for a significant portion of a company's revenues. 
  • Individuals may be charged with fraud in the disclosure context, but “scienter” must be present. The fraud and aiding and abetting claims against the SolarWinds CISO highlight the imperative for public company CISOs and other officers to communicate vulnerabilities to senior executives, participate in the disclosure committee process and ensure that public disclosures are specific, detailed, timely and consistent with internal communications. “Scienter” is likely not to be found if a CISO does not deliberately withhold information from the persons responsible for creating the disclosure, and if there is no clear duty to disclose particular cybersecurity incidents given the facts available at the time.
  • Statements on websites, such as security statements, are fair game for claims of misrepresentation. This decision underscores the necessity for public companies to review and scrutinize all public disclosures regarding their cybersecurity practices. The SEC will consider all public disclosures, not just SEC filings, when assessing compliance. This includes a company's privacy policy or other online representations regarding the company’s cybersecurity practices that appear on a company's website. As such, companies need to ensure that their representations about the adequacy and scope of their cybersecurity programs are internally consistent, accurate, and transparent. 
  • Cyber disclosure remains an important area that companies need to focus on. This requires appropriate controls, adequate governance, determination of materiality and assessment of the sufficiency of the disclosure as a whole. Boards of directors and management teams should be kept informed and should address any identified issues, and design and implement controls and procedures to ensure that cybersecurity incidents and risks are identified and appropriately escalated to senior management. This also includes maintaining a written incident response plan that formalizes and evidences a company’s systematic approach to responding to a cyber incident and facilitates the appropriate and timely reporting to the SEC or other regulators.

The following White & Case attorneys authored this alert: Tami Stark, Maia Gez, F. Paul Pittman, Michelle Rutta, and Shuhang Liu.

1 See David E. Sanger et. al, Scope of Russian Hacking Becomes Clear: Multiple US Agencies Were Hit, (Dec. 14, 2020), https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html.
2 White & Case Client Alert “The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies” (Nov. 14, 2023),
https://www.whitecase.com/insight-alert/secs-charges-against-solarwinds-and-its-chief-information-security-officer-provide. 
3 SEC v. SolarWinds Corp., No. 1:23-cv-9518 (S.D.N.Y. July 18, 2024), at 94, 102.
4 Id. at 94.
5 Id. at 94–95.
6 Id. at 95.
7 Id. at 95–96, 98 (internal quotations omitted).
8 Id. at 98.
9 Id.
10 Id. at 100.
11 Id. at 102.
12 Id. at 103–04.
13 Id.
14 Id. at 69–72, 94.
15 Id. at 71.
16 Id.
17 Id.
18 Id. at 72.
19 Id. 
20 Id. 
21 Id. at 74.
22Id. at 75–76.
23 Id. at 76.
24 Id. at 3. 
25 Id. at 86.
26 Id.
27 Id. at 86–90.
28 Id. at 80.
29 Id. at 81, 93.
30 Id. at 81–82, 92–93.
31 Id. at 50–67.
32 Id. at 56.
33 Id. at 65.
34 See Statement of Commissioners Hester M. Peirce and Mark T. Uyeda, Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co. (June 18, 2024),
https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-rr-donnelley-061824#_ftn1. 
35 R.R. Donnelley & Sons, Co., Rel. No. 34-100365, (June 18, 2024),
https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf. 
36 See Statement of Commissioners Hester M. Peirce and Mark T. Uyeda, The SEC’s Swiss Army Statute: Statement on Charter Communications, Inc. (Nov. 14, 2023),
https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-charter-communications-111423; see also Statement of Commissioners Hester M. Peirce and Mark T. Uyeda, Statement of Commissioners Hester M. Peirce and Elad L. Roisman - Andeavor LLC (Nov. 13, 2020), https://www.sec.gov/newsroom/speeches-statements/peirce-roisman-andeavor-2020-11-13.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP

Top