SEC Sues SolarWinds and its CISO for Fraud and Other Violations Related to Massive Data Breach | Katten Muchin Rosenman LLP – JDSupra

Notably, the CISO is the only individual defendant named in the SEC’s suit, even though the Commission previously sent Wells Notices to other SolarWinds officers and employees.  As we discussed in a prior post, SolarWinds previously disclosed that “certain current and former executive officers and employees” had received Wells Notices stating “that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.”

The SEC does not normally file suits against defendants in a piecemeal fashion, and likely won’t here, given that its investigation appears to be over.  If the SEC’s enforcement staff were still investigating other potential defendants, we would expect the SEC’s press release to disclose the existence of an ongoing investigation.  The fact that the SEC did not charge other executives is a standout feature of this action.  It sends CISOs and other information security professionals a message that, in at least some cases, the buck stops with them for cyber control deficiencies and cyber disclosures.

Source: SEC Sues SolarWinds and its CISO for Fraud and Other Violations Related to Massive Data Breach | Katten Muchin Rosenman LLP – JDSupra