Our thinking

Cybersecurity: Legal implications and risk management

What's inside

In an increasingly interconnected world, cyber risk is firmly at the top of the boardroom agenda, and having an effective data breach response programme is no longer optional.

Cybersecurity crisis management

The internet knows no borders, neither do we. Our global team of cybersecurity response experts work across borders, combining data protection, privacy, regulatory, white collar and litigation expertise in order to deliver seamless crisis management and legal advice, whenever and wherever needed.

The digitalization and free flow of information has transformed global business. However, with increased opportunities have come new and increased risks, together with complex legislative regimes that can vary significantly by jurisdiction, and are constantly evolving. Even the most conscientious company can become the victim of a cybersecurity incident, such as the stealing of client or company information, or a ransomware attack. We work with a wide range of multinational companies to manage their cybersecurity risks, developing rapid response plans, providing time-critical crisis management advice, and working with clients to manage any resulting legal issues that may arise. 

Key issues

Why?

  • Reputation
  • Fines
  • Breach of contract
  • M&A due diligence
  • Insurance
  • Proprietary information
  • Litigation
  • Criminal offences
  • Negligence

Be prepared

Risk Assessment

  • Key Information
  • Assets
  • Key Systems
  • Threat Analysis
  • Security Measures

Toolkit

  • Scripts
  • Internal and 
    External
  • Communications
  • Employee contacts
  • Response Plan
  • Live Training
  • Business Continuity Plan

Key considerations

Customer/individual rights

  • Requests for data
  • Data Protection Authority Complaints
  • Group litigation orders
  • Resolution mechanisms

B2B relationships

  • Contractual obligations
  • Contractual liability
  • Tort

Reputation management

  • Media strategy
  • Customer interaction
  • Employee engagement

Commercial

  • Proprietary
  • Information/Trade Secrets
  • System Disruption

Regulatory issues

  • Data Protection Authority
  • Financial Regulators
  • Market authorities
  • Other regulators

Privacy & data protection

  • Jurisdictions involved
  • Reporting obligations
    • individuals
    • authorities

Evidence

  • Law Enforcement Involvement
  • Legal Privilege
  • Preservation of Evidence

Response

Crisis Team

  • Legal (internal and external)
  • IT/IT Forensics
  • PR
  • Regulatory
  • DPO
  • Executive committee
  • HR
  • Vendor manager

Key Actions

  • Work with forensic investigators to:
    • Identify and contain breach
    • Gather/preserve evidence
    • Maximise legal privilege coverage
  • Contact crisis team
  • Bring in external partners
  • Identify key risks and priorities based on nature of breach
  • Assess notification requirements
  • Communications
  • Regulatory notifications

 

Articles

2024

Judge Rejects SEC’s Aggressive Approach to Cybersecurity Enforcement

On July 18, 2024, a New York federal judge dismissed most of the US Securities and Exchange Commission's ("SEC") claims against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO"), Timothy G. Brown, in connection with the Company's cybersecurity practice.

NIS 2 Directive: Navigating the challenges of implementation, impact, and scope

The NIS 2 directive establishes a regulatory framework aimed at improving the level of cybersecurity across the EU.

SEC’s Corp Fin Director Issues Statement on Cybersecurity Incident Disclosures

On May 21, 2024, the SEC's Director of the Division of Corporation Finance issued a statement on cybersecurity incident disclosures in light of the SEC's new cybersecurity disclosure rules. Our summary of this statement and key take-aways from White & Case's survey of cybersecurity disclosures is below.

2023

The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies

On October 30, 2023, the US Securities and Exchange Commission ("SEC") announced that it filed charges against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO") in connection with the SEC Division of Enforcement's ("Enforcement Division") investigation of a cyberattack.

SEC Adopts Mandatory Cybersecurity Disclosure Rules

On July 26, 2023, the Securities and Exchange Commission ("SEC"), in a 3-2 vote, adopted rules that will require public companies to make prescribed cybersecurity disclosures.

Shaping the future of digital and cybersecurity governance

In this brief three-minute video, London-based partner Lawson Caisley, Chair of White & Case's Global Cyber Risk Committee, shares his insights on governing cyber risk at the corporate level and some of the challenges of cyber risk management in the boardroom. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.

cybersecurity_square_800x800_4

Prioritizing cybersecurity at the corporate level

In this short three-minute video, Washington, DC–based partner F. Paul Pittman discusses the implications of the proposed new SEC rules on cybersecurity governance and what corporate boards can do now. Filmed at the Digital Directors Network (DDN) Domino 2023 conference on digital and cybersecurity governance.

digital mesh

Cybersecurity Developments and Legal Issues

The potential for cybersecurity threats and attacks looms large and the technology companies developing new products and services play a constant game of cat-and-mouse with hackers and cybercriminals for control of cyberspace. Here are six points to consider when analyzing cybersecurity risks and protections.

client alert image

Directors face personal liability over cybersecurity failures

In an article for The Times, White & Case partner Lawson Caisley discusses why it could become increasingly common for UK directors to "face personal liability and regulatory censure as a result of their company suffering or mishandling a cyberbreach".

wafer circuit detail

2022

Director liability for cyber breaches: transatlantic warning signs?

Two legal cases in the US in the past month suggest that regulators and prosecutors are becoming more determined to take personal action against directors and senior executives who fail to deal adequately with cyber security breaches.  

arrow

SEC Proposes Mandatory Cybersecurity Disclosure Rules

On March 9, 2022, the Securities and Exchange Commission ("SEC") proposed rules that would require public companies to make prescribed cybersecurity disclosures.

2021

Legal 500's In-House Lawyer Magazine Autumn - Commercial Litigation Focus (Germany)

In The Legal 500's newly released In-House Lawyer Magazine a group of White & Case lawyers has contributed a legal briefing on trends in German commercial litigation.

magazine pile

AAA plc & ors v Persons Unknown: Cyber Activism or Blackmail?

In recent years, demands for payments in cryptocurrencies have become the ransom of choice for cyber extortionists and other online frauds. As a result, the English Court's powers are increasingly being called upon.

orange background

Time to Revisit Risk Factors in Periodic Reports

Ninth Circuit Decision Highlights Importance of Updating Risk Factors to Address Material Developments, including those relating to Cybersecurity Risks.

Alert 800x800

Cybersecurity Enforcement: New York Department of Financial Services issues first penalty under Cybersecurity Regulation

Consistent with its increasing activity in the cybersecurity enforcement space, in March 2021, the NYDFS issued its first penalty under the Cybersecurity Regulation. This client alert explores the settlement and offers takeaways on the areas of focus by the NYDFS in enforcement actions under the Cybersecurity Regulation.

Compensating non-material damages based on Article 82 GDPR

Is a data subject entitled to compensation from a controller or processor if the data subject's GDPR rights have been infringed, even if they have not suffered any kind of material damage? 

Corporate Boards Must Ask Key Cybersecurity Questions

Cybersecurity has been a mainstay of quarterly board agendas for years.

2020

Cybersecurity Risk: Top 5 strategies to build resilience

The fourth webinar in our 2020 Autumn Webinar Series covered crucial steps you should be taking to protect against cybersecurity threats and what you should do when disaster strikes.

Before the Dust Settles: The California Privacy Rights Act Ballot Initiative Modifies and Expands California Privacy Law

Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers.

stack of paper

US Cybersecurity Standards to Get Tougher and More Specific

In the past few years, cybersecurity has taken on increasing importance in the eyes of lawmakers and regulators.

Data Sharing Without Borders

UK law enforcement can now obtain an order against a person in or operating in the US for the production of or access to electronic data under a new ‘landmark’ US-UK data sharing agreement.

Alert 800x800

Responding to a cyber-incident

The COVID-19 crisis has exposed many companies to more cyber threats. Tim Hickman and John Timmons discuss what businesses need to do should a major incident occur.

Trending: Legal protection for cryptoasset stakeholders

Recent decisions in Singapore and New Zealand confirm that the courts are prepared to act to provide greater certainty and support to stakeholders in cryptoassets.

Recovering the ransom: High Court confirms Bitcoin status as property

The High Court has determined that Bitcoin (and other similar cryptocurrencies) can be considered property under English law, and could be the subject of a proprietary injunction. The Court granted the injunction to assist an insurance company to recover Bitcoin that it had transferred in order to satisfy a malware ransom demand.

2019

Navigating Privacy and Cyber Incident Notification and Disclosure Requirements

Organisations are facing increasing uncertainty in assessing global notification and disclosure obligations and making a determination of whether to notify or disclose a privacy violation or security incident in today's complex regulatory environment. This article offers six steps companies should consider when navigating this complex process.

Proposal on the Application of the NIS Regulations post-Brexit

This article examines the impact of the UK Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) on organisations post Brexit and their obligations under applicable cybersecurity law.

Contacts

The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies

Alert
|
10 min read

On October 30, 2023, the US Securities and Exchange Commission ("SEC") announced that it filed charges against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO") in connection with the SEC Division of Enforcement's ("Enforcement Division") investigation of a cyberattack. The complaint alleges that the Company "defrauded SolarWinds' investors and customers through misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened—and increasing—cybersecurity risks."1

This lawsuit is notable as the first in which the SEC has brought cybersecurity enforcement claims against an individual. It is also the first time the SEC has leveled intentional fraud charges in a cybersecurity disclosure case.

SolarWinds has publicly denied the SEC's charges, and its chief executive officer characterized the action as "misguided and improper . . ., representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages."2

This action comes as comprehensive SEC cybersecurity disclosure rules are set to take effect in December and indicates that the SEC will actively enforce not only the new disclosure requirements but also other possible violations, such as insufficient internal controls, that stem from inadequate cybersecurity practices.3 The Director of the Enforcement Division emphasized that this enforcement action "not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company's 'crown jewel' assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns."4

Background

SolarWinds is an Austin, Texas-based corporation that develops software for large companies and government agencies to manage their information technology infrastructure. In December 2020, it was widely publicized that software made by SolarWinds had been subject to a cyberattack, commonly referred to as "SUNBURST." SUNBURST is believed to have been conducted by Russian state-sponsored hackers and resulted in one of the most extensive cyberattacks ever, impacting not only SolarWinds but its customers.5

The SEC's Complaint

The SEC's complaint ("Complaint"), filed in the Southern District of New York, alleges that SolarWinds and its CISO, Timothy G. Brown, violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 ("Exchange Act"). The Complaint also alleged that SolarWinds violated reporting, internal control, and disclosure controls provisions of the Exchange Act; and Brown aided and abetted the Company's violations. A key theme of the Complaint is that management was allegedly aware of ongoing cybersecurity issues and failures over several years and did not disclose and address them – rather, management lied to its customers and investors about its cybersecurity practices and threats. The SEC stated in its Complaint that "SolarWinds' poor controls, Defendants' false and misleading statements . . . would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack."6 The Complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown. Key allegations from the Complaint are discussed in more detail below.

Poor Cybersecurity Practices, Not Disclosed

The Complaint alleges that from its 2018 initial public offering ("IPO") through at least December 2020, when SolarWinds publicly disclosed the SUNBURST breach, the Company's public statements about its cybersecurity practices and risks “painted a starkly different picture from internal discussions and assessments about the Company's cybersecurity policy violations, vulnerabilities, and cyberattacks.”7 This allegedly included the “Security Statement” on SolarWinds' website promoting its cybersecurity practices, as well as its IPO registration and subsequent periodic SEC reports and a Form 8-K with initial disclosures of the SUNBURST attack.

Specifically, the Complaint alleges that the Security Statement failed to disclose what the SEC characterizes as the company's "poor cybersecurity practices." These include:

  • Misleading claims that SolarWinds follows the National Institute of Standards and Technology Cybersecurity Framework ("NIST Framework"), when in fact it “had no program/practice in place for the majority of the controls";8
  • Not maintaining a Secure Development Lifecycle for the software it developed and sold to its customers, despite disclosure in its Security Statement posted on its website touting strong cybersecurity practices;9
  • Lacking procedures for maintaining strong passwords on critical systems in contrast to claims made in its Security Statement – for example “passwords were not individually stored in an encrypted state or 'salted as hashed,' as SolarWinds and Brown represented in the Security Statement," and "Sarbanes-Oxley ('SOX') audits in 2018 and 2019 documented additional instances in which '[p]assword requirements' and 'password history' requirements were not met";10 and
  • Failing "for years" to address and resolve "significant" access problems and misleading investors about these practices, including "expansive use of 'admin' privileges and a virtual private network vulnerability that was exacerbated by the Company's failure to enforce its remote access policies."11

As to the Company's SEC filings, the Complaint emphasizes that the cybersecurity risk disclosures were "generic and hypothetical" and did not address the issues listed above, and other known risks, rendering the disclosures "materially misleading." For example, the Company warned of an inability to defend against 'unanticipate[d]… techniques' but failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the [Company's] Security Statement.”12 In October 2018, the same month that SolarWinds conducted its IPO through a registration statement with only "generic and hypothetical" cybersecurity risk disclosures, the Company's CISO wrote in "an internal presentation that SolarWinds' 'current state of security leaves us in a very vulnerable state for our critical assets'."13 Thereafter, for the next two years, the Company repeated the same generalized risk disclosures in multiple SEC reports, despite, in the SEC's view, accumulating red flags which made the static disclosures worse over time.

Inadequate Disclosures Regarding The 2020 SUNBURST Breach

Over the course of 2020, according to the Complaint, Brown and SolarWinds learned of a series of security breaches experienced by their customers, including a US government agency and two cybersecurity companies. Further, in October and November 2020, SolarWinds learned of at least eight other high-risk vulnerabilities affecting their platform. The Company did not make any specific disclosures about these events or vulnerabilities. In December 2020, a customer identified a vulnerability in SolarWinds' software as a result of malicious code, which linked to the previous attacks suffered by other customers. The Company then filed a Current Report on Form 8-K with the SEC disclosing that it had "been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server…" (emphasis added in the Complaint).14 The Complaint states that this disclosure was false and misleading, because "[i]n fact, SolarWinds knew that attackers had already utilized the vulnerability to do so on at least three occasions."15

Internal Control & Disclosure Controls Failures

The Complaint alleges that SolarWinds failed to devise and maintain a system of controls sufficient to protect its critical assets. SolarWinds failed to follow its own certification controls "including failing to use and document a list of controls in connection with certifications by Company officials" and, while the CISO certified to the effectiveness of the Company's technology controls over financial reporting, he was unable to identify the relevant controls and instead "certified based on his general sense of the quality of those controls, while failing to identify the Company's extensive shortcomings in areas such as access controls."16 Further, despite being aware of issues and deficiencies, "[the CISO] signed sub-certifications relied on by senior executives, confirming that all material incidents had been disclosed to the executives responsible for the Company's securities filings."17

The Complaint also points out repeated examples of how SolarWinds lacked disclosure controls and procedures "to ensure that information regarding potentially material cybersecurity risks, incidents, and vulnerabilities was reported to the executives responsible for disclosures."18 For example, "[i]nternal emails, messages, and documents describe numerous known material cybersecurity risks, control issues, and vulnerabilities" yet these were not reported in the Company’s public disclosures.19 Further, "[n]o one, including [the CISO], raised the issue[s] with SolarWinds' Disclosure Committee, nor did SolarWinds have sufficient procedures and controls in place to ensure that he did so. Nor did he, or anyone else at SolarWinds, ensure that SolarWinds enforced its existing internal guidelines".20

According to the SEC, the Company's cybersecurity deficiencies "reflected a culture that did not take cybersecurity issues with sufficient seriousness, and a scheme to conceal these issues from investors and customers." The SEC further noted that the culture at SolarWinds was, instead, one of "recklessness, negligence, and scienter."21

Lessons for Public Companies

The SEC's enforcement action against SolarWinds, should alert public companies to the SEC's heightened focus on cybersecurity. This is particularly important in light of the comprehensive new cybersecurity incident reporting and cybersecurity risk management and governance disclosure that will be required of public companies.

Key takeaways include:

  • Evaluate and address cybersecurity risks and weaknesses and implement appropriate controls: Boards of directors and management teams should be kept informed and should address any identified issues, and design and implement controls and procedures to ensure that cybersecurity vulnerabilities are appropriately escalated to senior management.
  • Review all public statements: The SEC will consider all public disclosures, not just SEC filings, when assessing compliance. This includes a company's privacy policy or other online representations that appear on a company's website. As such, companies need to ensure that their representations about the adequacy and scope of their cybersecurity programs are internally consistent, accurate, and transparent.
  • Avoid generalized disclosures: Vague, boilerplate statements as to risks and consequences are inadequate. When there are identified issues or failures, hypothetical and/or partial disclosure can be misleading, and if additional red flags develop, the disclosure should be modified, as appropriate, over time.
  • Evaluate the totality of cybersecurity practices: The total impact of a company's cybersecurity practices, remedial efforts, identified risks and known threats or attacks needs to be evaluated collectively when crafting disclosure, rather than looking at isolated incidents individually. Materiality will be heightened when there are numerous related issues. Particular attention should be paid to disclosure of cybersecurity risks and issues relating to "crown jewel" or flagship products or services that account for a significant portion of a company's revenues.
  • Individuals may be charged: The fraud and aiding and abetting claims against the SolarWinds CISO highlight the imperative for public company CISOs and other officers to communicate vulnerabilities to senior executives, participate in the disclosure committee process and ensure that public disclosures are specific, detailed, timely and consistent with internal communications. Officers should confirm that escalation procedures are documented and implemented.
  • Significant monetary penalties may be imposed: Failure to ensure disclosures are accurate and conform to actual practices can lead to significant monetary penalties.22 Over the past 5 years, the SEC has imposed civil monetary penalties for failing to adequately disclose cyber incidents ranging from $1 million to $35 million.23
  • Private shareholder actions may be brought: Parallel private shareholder actions are common and show the risks to Boards of Directors. In 2021, following the steep decline in SolarWinds' share price, a group of individual and pension fund investors sued the SolarWinds Board of Directors, and the Company derivatively, in Delaware state court. They alleged breach of fiduciary duties for failure to oversee cybersecurity risks.24 That suit was ultimately dismissed – and dismissal upheld by the Delaware Supreme Court in May 2023. Separately, SolarWinds settled for $26 million a class action lawsuit brought against it in Texas federal court relating to the SUNBURST cyberattack.25 Public company directors are well advised to closely follow corporate cybersecurity practices, vulnerabilities, and disclosures, as we could see more such private shareholder actions in the future.
  • Evaluate Insurance Coverage: As the SEC has made clear, it is actively scrutinizing inadequate cybersecurity disclosures, and shareholder actions are likely to increase alleging the same. Companies should evaluate both their existing and anticipated directors & officers and cyber liability insurance policies to ensure claims arising from or relating to cybersecurity disclosures are covered.

1 Complaint, SEC v. SolarWinds Corp. and Brown, No. 1:23-cv-9518 (S.D.N.Y. Oct. 30, 2023) at 1.
2 See Sudhakar Ramakrishna, Transparency, Information-Sharing, and Collaboration Make the Software Industry More Secure. We Must Not Risk Our Progress, (Oct 30, 2023), https://orangematter.solarwinds.com/2023/10/30/transparency-information-sharing.
3 For more details on these rules, see our alert here: https://www.whitecase.com/insight-alert/sec-adopts-mandatory-cybersecurity-disclosure-rules
4 Press Release, US SEC. & EXCH. COMM'N, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023) https://www.sec.gov/news/press-release/2023-227.
5 See David E. Sanger et. al, Scope of Russian Hacking Becomes Clear: Multiple US Agencies Were Hit, (Dec. 14, 2020),
https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html.
6 Complaint at 7.
7 Id. at 2.
8 Id. at 16.
9 Id. at 19.
10 Id. at 24.
11 Id. at 28.
12 Id. at 3-4.
13 Id. at 36. 14 Id. at 56.
15 Id. at 56-57.
16 Id. at 60.
17 Id. at 51.
18 Id. at 25-26.
19 Id. at 4.
20 Id. at 32.
21 Id. at 20.
22 The penalties for criminal (willful) violations of the Securities Act, which can include material omissions, are up to $5 million and up to 20 years in jail for individuals, and up to $25 million for corporations. 15 U.S.C. § 78ff(a). The penalty for civil violations is set by FCC policy and is currently capped at $510,962 for fraudulent actions by corporations.
23 See Atalba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, https://www.sec.gov/news/press-release/2018-71; see also SEC Charges Pearson plc for Misleading Investors About Cyber Breach, https://www.sec.gov/news/press-release/2021-154.
24 Construction Industry Laborers Pension Fund et al v. Bingle et. al. (Del. Ch. No. 2021-0940).
25 SolarWinds $26 Million Investor Deal Warrants Nod, Court Told, https://news.bloomberglaw.com/litigation/solarwinds-26-million-investor-deal-warrants-nod-court-told.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2023 White & Case LLP

Top