In what the Wall Street Journal called a “milestone” in the SEC’s efforts to address public companies’ cybersecurity disclosures, the SEC has filed a civil enforcement action against software company SolarWinds and its Chief Information Security Officer, Timothy Brown. The agency alleges that the company repeatedly misled investors by understating the company’s cyber vulnerabilities and the ability of hackers to penetrate the company’s systems. According to statements from agency officials, the action is intended to send a message about cybersecurity disclosures and disclosure controls. A copy of the SEC’s complaint can be found here. A copy of the SEC’s October 30, 2023, press release about the action can be found here.Continue Reading SEC Files Cybersecurity Disclosure Suit Against SolarWinds and Exec
In the agency’s latest move underscoring its emphasis on cybersecurity disclosure, the SEC has filed settled charges against the U.K. educational publishing and services company Pearson plc, alleging that the company misled investors about a 2018 data breach. The company, which neither admitted nor denied the charges, agreed to pay a $1 million civil money penalty. The administrative enforcement action, while not the first of its type, does highlight the agency’s heightened focus on cybersecurity disclosure issues. The agency’s August 16, 2021 cease and desist order can be found 
On June 15, 2021, the SEC announced that that it had settled charges that a title insurance company’s cybersecurity disclosure controls and procedures violated the agency’s public company reporting requirements. The title insurance company, First American Financial Corp., which neither admitted or denied the charges, agreed to a cease-and-desist order and to pay a penalty. The charges do not represent the first time the SEC has pursued actions against a company for cybersecurity-related disclosures, but they do underscore the agency’s focus on cybersecurity disclosure-related issues, a topic that may be a source of increased focus ahead.