Notably, the CISO is the only individual defendant named in the SEC’s suit, even though the Commission previously sent Wells Notices to other SolarWinds officers and employees. As we discussed in a prior post, SolarWinds previously disclosed that “certain current and former executive officers and employees” had received Wells Notices stating “that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.”
The SEC does not normally file suits against defendants in a piecemeal fashion, and likely won’t here, given that its investigation appears to be over. If the SEC’s enforcement staff were still investigating other potential defendants, we would expect the SEC’s press release to disclose the existence of an ongoing investigation. The fact that the SEC did not charge other executives is a standout feature of this action. It sends CISOs and other information security professionals a message that, in at least some cases, the buck stops with them for cyber control deficiencies and cyber disclosures.
‘Enforcement 40’ for 2020
Join Us On LinkedIn
Join the Securities Litigation and Enforcement Group on LinkedIn