The US Securities and Exchange Commission (SEC) shocked the cybersecurity world when it announced that the agency may pursue legal actions against SolarWinds.
The chief financial officer (CFO) and chief information security officer (CISO), plus other employees have received Wells Notices from the SEC regarding their violations of federal laws for the actions they took in response to a prior attack on the company’s infrastructure.
SolarWinds notes that a Wells Notice isn’t a final charge, ruling, or even proof that someone has violated the law. That said, it does mean that the SEC is investigating their employees for any wrongdoings.
SolarWinds product, Orion, was hacked and used to distribute trojan viruses by an actor believed to be affiliated with Russia in 2020 — this isn’t the first time they’ve received this notice, earlier this year, SolarWinds company received its own Wells Notice.
“(for) violations of certain provisions of the U.S. federal securities laws with respect to our cybersecurity disclosures and public statements, as well as our internal controls and disclosure controls and procedures,” the filing alleges.
Depending on how things play out, it may be a landmark case that holds a CISO more accountable.
“Though it doesn’t mean that the CISO has been charged, it is a new milestone. From today onwards, CISOs will increasingly be made accountable for the decisions they take or did not take,” says Agnidipta Sarkar, a previous CISO at Biocom.
“Before issuing the notice, the SEC may have considered a variety of factors, including specific circumstances, and legal frameworks, or may have demonstrated negligence if CISO failed to implement adequate security measures, neglected SEC policies, guidelines, and practices, or ignored known vulnerabilities,” she states.
“We will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves,” a SolarWinds representative replied in a recent statement to reporters.