June 13, 2024
Cybersecurity: SEC Makes Accounting Controls Argument in SolarWinds Case
The SEC’s litigation against SolarWinds has gotten a lot of attention — largely due to the high-profile nature of the breach that brought issues to light and the SEC’s decision to individually charge the company’s CISO. As Liz shared, much of the original 68-page complaint boiled down to the basic notion that disclosures can’t be materially misleading, but, in mid-May, the parties presented oral arguments on the defendants’ motion to dismiss that, together with the SEC’s amended complaint, give us a better picture of the SEC’s allegations. This HLS blog from Jenner & Block says the SEC is also arguing that the company’s cybersecurity weaknesses amounted to internal accounting control failures.
The SEC was similarly criticized for alleging that the “internal accounting controls” provisions of the Exchange Act apply to cybersecurity controls and suggesting that companies and individuals can be charged with a securities violation for failing to protect company assets from cybersecurity attacks. Section 13(b)(2)(B), which was enacted as part of the Foreign Corrupt Practices Act in response to concerns about bribery of foreign officials by US business interests, requires public companies to maintain internal accounting controls “sufficient to provide reasonable assurances that . . . access to assets is permitted only in accordance with management’s general or specific authorization.”
In response to the SEC’s inclusion of this claim, the US Chamber of Commerce and Business RoundTable filed an amicus brief arguing that cybersecurity controls are unrelated to the reliability of financial reporting for purposes of the statute and that the use of this charge would unfairly penalize companies that are victims of a cyberattack. […]
The SEC also sought to defend their allegation that Defendants violated the internal accounting controls provision of the Exchange Act by failing to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” to prevent unauthorized access of SolarWinds’ assets—i.e., its software code and technology infrastructure.
The SEC’s amended complaint expounded on this novel charge, explaining that “[t]he cybersecurity controls at issue here were ‘internal accounting controls’ in that they were plans, procedures, and records of SolarWinds concerned with the safeguarding of corporate assets. Cybersecurity policies must be designed and implemented to provide shareholders with reasonable assurances that access to corporate assets—including technology assets, computer code and software for distribution to customers—are limited to authorized users, and thus support the twin goals of corporate accountability and management stewardship over corporate assets underlying Rule 13(b)(2)(B).”
While the court seemed to question the SEC’s position here during oral arguments, the blog warns that more disclosure actions are likely to come if the Enforcement Division is successful. It recommends that companies take a cautious approach to how they describe cybersecurity practices and ensure the CISO’s responsibility for disclosure and controls is clearly defined.
– Meredith Ervine