Today we continue our look at that lawsuit filed by the Securities and Exchange Commission against SolarWinds and its CISO for poor disclosure of the company’s cybersecurity issues. As unsettling as this case might be for compliance and audit professionals, is it really a ground-breaking moment in securities enforcement? Perhaps not.
Let’s first appreciate what the SEC is alleging in this lawsuit. The SEC claims that SolarWinds and its CISO, Timothy Brown, knew of serious cybersecurity risks within the company — and then allowed those risks to persist, even while the company’s public disclosures assured investors that SolarWinds was operating at a high level of security.
Of course, now we know that SolarWinds had glaring gaps in its security. As described in our previous post about this lawsuit, Russian operatives found those gaps and in 2020 launched a huge cyber attack against U.S. government and corporate interests.
Now the SEC wants to hold SolarWinds, and Brown personally, liable for that failure. Either they should have run a tighter cybersecurity ship and resolved those persistent risks, or they should have disclosed to investors and customers that SolarWinds had serious cybersecurity shortcomings. That’s the agency’s argument.
Compliance and internal audit professionals can see the discomfort here, I’m sure. If the SEC starts holding CISOs personally liable for failing to address cybersecurity risks in a timely manner, could the agency next start holding other risk assurance leaders — like you all — personally liable for failing to address other types of compliance risk? Why should your career be threatened, when so many other factors contribute to a company being too greedy, bureaucratic, or clumsy to solve its problems?
Critics see this lawsuit as a dramatic escalation in personal liability for corporate shortcomings beyond your control. They raise a valid point.
I just don’t think this lawsuit is surprising.
Remember Activision Blizzard
To my thinking, this lawsuit against Brown and SolarWinds is the natural successor to an enforcement action the SEC announced last February against Activision Blizzard.
That case involved Activision’s long history of sexual harassment and assault. The SEC brought civil charges against Activision, saying that since Activision routinely stressed the importance of hiring the best talent in its public disclosures, yet suffered rampant harassment that chased away at least some employees, the company’s internal processes to capture and escalate information about its corporate culture were ineffective.
Here’s the important passage from that SEC settlement order with Activision:
By lacking sufficient information to understand the volume and substance of employee complaints of workplace misconduct, Activision Blizzard’s management was unable to assess related risks to the company’s business, whether material issues existed that warranted disclosure to investors, or whether the disclosures it made to investors in connection with these risks were fulsome and accurate.
Now substitute “cybersecurity issues” and “SolarWinds” for “workplace misconduct” and “Activision Blizzard” in the above paragraph. It’s the same argument. The specific risks differ, but in both cases the SEC is saying that poor internal processes to capture and convey information about risk were grave enough to warrant enforcement.
The two crucial differences are that (1) the SEC did not hold anyone personally liable for those disclosure failures in the Activision case; and (2) Activision decided to settle the case, paying a $35 million civil fine.
So why did the SEC bring personal charges against Brown here, but not against anyone in the Activision case? I don’t know. Maybe the facts alleged here connect more directly and egregiously to Brown, and nothing similar existed against Activision executives; maybe when Activision settled, killing off any personal charges was part of the deal. (If you have thoughts and want to share them confidentially, email me at [email protected].)
One can also see why SolarWinds might want to fight this lawsuit in court, which so far the company says it plans to do. The fear is that SEC actions like this one will intrude too far into a company’s best judgment about how to run its cybersecurity program. You might be able to convince a judge of that, whereas Activision trying to defend how it managed a harassment-riddled corporate culture would have looked awful.
Remember Wells Fargo Too
We also have the case of three former risk and internal audit executives at Wells Fargo, facing personal liability in the millions for their sloppy oversight during the bank’s fake-account scandal in the 2010s.
In 2021 the Office of the Comptroller of the Currency brought civil proceedings against Claudia Russ Anderson, former group risk officer for Wells Fargo’s community banking division; David Julian, former chief auditor; and Paul McLinko, former executive audit director. The OCC lawsuit sought millions in penalties against all three, and in 2022 an administrative law judge published a blistering report about the conduct of all three.
One recurring theme in that judge’s report was that Anderson, Julian, and McLinko didn’t do enough to investigate and challenge the questionable sales practices at Wells Fargo in the mid-2010s — even though the bank’s problems with fake accounts were widely known by then. That “failure to provide credible challenge” (the judge used that phrase or versions of it 14 times in his report) constituted an unsafe banking practice unto itself, and a breach of the fiduciary duties that the three owed the bank.
The OCC case against these three isn’t identical to the SEC’s case against Brown at SolarWinds, but you can see the family resemblance: if the executive knows of serious risk management shortcomings but isn’t speaking up forcefully enough, that failure can breach the executive’s legal duties (to investors, to bank regulators, to somebody somewhere) and trigger personal liability.
The judge in the Wells Fargo proceedings recommended that Anderson pay $10 million in civil penalties, Julian pay $7 million, and McLinko pay $1.5 million. Last I heard, those cases are still winding their way through federal court.
My point is that what’s new in the SEC’s SolarWinds lawsuit is simply the issue of cybersecurity — not the idea of holding risk assurance executives personally responsible for poor internal risk management processes at their companies. On that point, the case against Brown is more of a natural evolution (or escalation) in what we’ve seen for years.
Compliance and internal audit executives would do well to pay attention here. Typically the latest evolution of a species tends to proliferate pretty quickly.