A partial dismissal of charges by the Securities and Exchange Commission (SEC) against SolarWinds has raised doubts about the scope of the SEC's Cybersecurity Rule. U.S. District Court Judge Paul Engelmayer for the Southern District of New York ruled that the SEC’s assertion that a company’s “system of internal accounting controls” includes cybersecurity controls was “not tenable.” The judge stated in his opinion and order, signed July 18, that “To state the obvious, cybersecurity controls are not–and could not have been expected to be–part of the apparatus necessary to the production of accurate” financial reports.
The case stems from a December 2020 incident where Russian-backed hackers infiltrated SolarWinds, a company providing network management software to numerous large companies and government agencies. The SEC’s complaint indicated that the improper access might have begun as early as January 2019.
In October, SolarWinds described the SEC charges as an “overreach,” warning that they should “alarm all public companies and committed cybersecurity professionals across the country.” A spokesperson for SolarWinds expressed satisfaction with the dismissal, saying the company was “pleased” and “grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”
Law firm Gibson Dunn, in a July 25 blog post, highlighted the ruling's significance, referencing R.R. Donnelley & Sons’ $2.1 million settlement in June over the theory that regulations on internal accounting controls could cover traditional IT assets unrelated to financial systems or data. The post noted, “The SolarWinds decision will likely impact how the SEC thinks about its broad use of accounting controls as a basis to charge a violation related to a cyber incident.”
Conversely, in a July 29 legal alert, law firm White & Case took a more cautious stance, stating that the implications of the dismissal “remain uncertain,” and that the SEC may “continue to attempt to apply the internal accounting controls provision to a broad range of public company practices.” The alert emphasized, “This decision underscores the necessity for public companies to review and scrutinize all public disclosures regarding their cybersecurity practices. The SEC will consider all public disclosures, not just SEC filings, when assessing compliance.”
An SEC spokesperson declined to comment when contacted via email.
By fLEXI tEAM