In a recent post in which I discussed the cyber incident-related enforcement action the SEC brought against the software company SolarWinds, I noted that the defendants named in the action included the company’s Chief Information Security Officer(CISO), adding that the SEC’s naming of the CISO as an enforcement action defendants “is sure to send a shiver down the collective spines of the CISO community.” In the following guest post, Priya Cherian Huskins, Senior Vice President and Partner, Woodruff Sawyer, takes a detailed look at the agency’s action against the SolarWinds CISO, and considers the key liability and insurance implications. A version of this article previously published on Woodruff Sawyer’s D&O Notebook here. I would like to thank Priya for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Priya’s article.Continue Reading Guest Post: CISO Liability in Focus: SEC Enforcement, Insurance, and [Personal] Risk Mitigation
SolarWinds
SEC Files Cybersecurity Disclosure Suit Against SolarWinds and Exec
In what the Wall Street Journal called a “milestone” in the SEC’s efforts to address public companies’ cybersecurity disclosures, the SEC has filed a civil enforcement action against software company SolarWinds and its Chief Information Security Officer, Timothy Brown. The agency alleges that the company repeatedly misled investors by understating the company’s cyber vulnerabilities and the ability of hackers to penetrate the company’s systems. According to statements from agency officials, the action is intended to send a message about cybersecurity disclosures and disclosure controls. A copy of the SEC’s complaint can be found here. A copy of the SEC’s October 30, 2023, press release about the action can be found here.Continue Reading SEC Files Cybersecurity Disclosure Suit Against SolarWinds and Exec
Guest Post: SolarWinds Agrees to $26 Million Payout Over Massive Data Breach
As I have noted in numerous posts on this site (most recently here), plaintiffs’ lawyers seem drawn to filing D&O claims against companies that have experience cybersecurity incidents. But as I have also noted, the plaintiffs’ lawyers’ track record in these cases is not particularly good. However, as discussed in the following guest post by Jarett Sena, Director of Litigation Analysis, ISS Securities Class Action Services, the cybersecurity-related securities class action lawsuit pending against SolarWinds recently resulted in a significant and noteworthy settlement. This article previously was published on ISS Securities Services’ ISS Insights. I would like to thank Jarett and ISS Securities Class Action Services for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Jarett’s article.
Continue Reading Guest Post: SolarWinds Agrees to $26 Million Payout Over Massive Data Breach
Dismissal Motion Largely Denied in the SolarWinds Cybersecurity-Related Securities Suit
As I have noted in prior posts on this site (most recently here), plaintiffs’ lawyers’ claims in cybersecurity-related D&O lawsuits recently have fared poorly. A number of these suits recently have failed to clear the initial pleading hurdles. However, in a ruling last week, the federal judge presiding over the SolarWinds cybersecurity-related securities suits substantially denied the defendants’ motions to dismiss in an opinion that has a number of interesting features, as discussed below. Western District of Texas Judge Robert Pitman’s March 30, 2022 opinion in the case can be found here.
Continue Reading Dismissal Motion Largely Denied in the SolarWinds Cybersecurity-Related Securities Suit
Cybersecurity-Related Breach of the Duty of Oversight Claim Filed Against SolarWinds Board
In the latest example of claimants seeking to assert the newly revitalized type of claim for breach of the duty of oversight against corporate boards, plaintiff shareholders have filed a derivative lawsuit in Delaware Chancery Court against certain past and current directors of technology company SolarWinds, based on the massive cybersecurity incident involving the company’s software and systems discovered in December 2020. As discussed below, there are several interesting features of this lawsuit in light of recent developments involving claims for alleged breaches of the duty of oversight. A copy of the heavily redacted publicly available version of the plaintiffs’ complaint against the SolarWinds board can be found here.
Continue Reading Cybersecurity-Related Breach of the Duty of Oversight Claim Filed Against SolarWinds Board
Guest Post: SolarWinds – Einstein Failed Us, and the Cyber Insurance Markets will Feel the Squeeze
As I noted in a prior post, the recent state-sponsored cyber incident carried out through an attack on SolarWinds has a number of important implications. As noted in the following guest post from Paul Ferrillo, the incident could also have important implications for the cyber insurance marketplace. Paul is a partner in the McDermott, Will & Emery law firm. I would like to thank Paul for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
Continue Reading Guest Post: SolarWinds – Einstein Failed Us, and the Cyber Insurance Markets will Feel the Squeeze
SolarWinds Hit with Securities Suit Based on Third-Party Governmental Actor Cyber Attack
In my round-up of the Top D&O Stories of 2020, which I published earlier this week, I noted that the recent massive state-actor hack of U.S. government agencies and technology companies underscored the fact that cybersecurity represents a significant operational and management risk for organization of every type. I also noted that cybersecurity-related issues represent an ongoing D&O claims risk. As if to confirm these propositions, the first securities class action lawsuit of the New Year was filed against Solar Winds, the network infrastructure management company whose breached software is believe to have contributed to the recent massive hack. As discussed below, the newly filed complaint highlights the fact that cybersecurity represents a significant potential source of management liability risk.
Continue Reading SolarWinds Hit with Securities Suit Based on Third-Party Governmental Actor Cyber Attack