“The agency is seeking to twist the concept of accounting controls into a sweeping mandate for it to regulate public companies’ cybersecurity controls—a role for which the SEC lacks congressional authorization or substantive expertise,” the filing added.
In addition to lacking “material evidence” for its fraud claims, the SEC’s disclosure violation charges in the October filing were unrealistic and unlawful, according to SolarWinds. The company added that it had warned its stakeholders that its systems were “vulnerable to sophisticated nation-state actors.”
“The SEC complains these disclosures were insufficient, asserting that companies must disclose detailed vulnerability information in their SEC filings,” the filing added. “But that is not the law, and for good reason: disclosing such details would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers.”
CISO responsibilities in focus
The case has been closely followed within the industry as it is expected to set many precedents. This is the first time a company CISO has been named in SEC charges for non-disclosure. The proceedings stand to open the CISO role to additional scrutiny and responsibilities.
“SolarWinds, as expected, is defending this saying they adequately informed investors,” said Pareekh Jain, chief analyst at Pareekh Consulting. “The question is, was the said disclosure enough, or should they have done more? This is a first-of-its-kind case where cybersecurity disclosure to the SEC is being investigated. The judgment here will act as guiding principles for CISOs for future cybersecurity disclosures to SEC.”
Brown faces SEC charges based on his public statements and his signature on internal security documents that, the federal agency alleges, helped mislead investors; SolarWinds calls the charges “unwarranted” and “inexplicable.”