TheCorporateCounsel.net

July 7, 2023

Cybersecurity: SEC To Target CISO in Enforcement Action?

Last month, SolarWinds filed an 8-K disclosing that certain of its current and former executive officers and employees, including its Chief Financial Officer and Chief Information Security Officer, received “Wells Notices” from the SEC’s Division of Enforcement in connection with the agency’s investigation of the massive Russian cyberattack against the company. A recent BankInfoSecurity.com article says that the SEC’s unusual decision to name a corporate CISO as a potential target in an enforcement action might be a signal as to what the agency is focusing on:

It’s unusual for a CISO to receive a Wells Notice, and this SEC move could signal a whole new set of potential liabilities for CISOs, Equifax CISO Jamil Farshchi wrote in a LinkedIn post on Monday. Usually, a Wells Notice names a CEO or CFO for issues such as Ponzi schemes, accounting fraud or market manipulation, but those are unlikely to apply to a CISO, he said.

Farshchi speculated that the notice might be related to “a failure to disclose material information – things like failing to disclose the gravity of an incident or failing to do so in a timely manner could conceivably fall into this category,” he said, adding that it’s too early to know if any action will follow the Wells Notice.

“But if this is about disclosure, it shows the SEC isn’t sitting around waiting for cyber regs to be issued,” he added. “They’re taking action today.”

The issuance of a Wells Notice to SolarWinds’ CISO has attracted a lot of attention in the cybersecurity industry – and that’s likely not an unintended consequence. Maybe I’m just a cynic, but SolarWinds’ CISO strikes me as exactly the kind of high-profile individual that the SEC’s Division of Enforcement likes to have as a poster child when it wants to send a message through an enforcement action.

John Jenkins