Guest Post: CISO Liability in Focus: SEC Enforcement, Insurance, and [Personal] Risk Mitigation
In a recent post in which I discussed the cyber incident-related enforcement action the SEC brought against the software company SolarWinds, I noted that the defendants named in the action included the company’s Chief Information Security Officer (CISO), adding that the SEC’s naming of the CISO as an enforcement action defendant “is sure to send a shiver down the collective spines of the CISO community.” In the following guest post, Priya Cherian Huskins, Senior Vice President and Partner, Woodruff Sawyer, takes a detailed look at the agency’s action against the SolarWinds CISO, and considers the key liability and insurance implications. A version of this article was previously published on Woodruff Sawyer’s D&O Notebook here. I would like to thank Priya for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Priya’s article.
SEC Files Cybersecurity Disclosure Suit Against SolarWinds and Exec
In what the Wall Street Journal called a “milestone” in the SEC’s efforts to address public companies’ cybersecurity disclosures, the SEC has filed a civil enforcement action against software company SolarWinds and its Chief Information Security Officer, Timothy Brown. The agency alleges that the company repeatedly misled investors by understating the company’s cyber vulnerabilities and the ability of hackers to penetrate the company’s systems. According to statements from agency officials, the action is intended to send a message about cybersecurity disclosures and disclosure controls. A copy of the SEC’s complaint can be found here. A copy of the SEC’s October 30, 2023, press release about the action can be found here.