LANDMARK SEC ACTION: Solarwinds Case Highlights Crucial Considerations for CISOs and Cyber Security Professionals

The Securities and Exchange Commission has commenced an action in the Southern District of New York against SolarWinds Corp. and Chief Information Security Officer (“CISO”), Timothy Brown, for allegedly defrauding SolarWinds’ investors and customers via “misstatements, omissions and schemes that concealed the Company’s poor cybersecurity practices and its heightened-and increasing-cybersecurity risks.”

According to the SEC, these failings were exploited by “one of the worst cybersecurity incidents in history” and compromised SolarWinds’ flagship IT platform, Orion.

While cybersecurity incidents and ensuing securities actions are nothing new, the SolarWinds case is a landmark in that Brown is now the first CISO to be charged in an SEC cybersecurity enforcement action. This should serve as a cautionary tale for CISOs and cybersecurity professionals during insurance placement and renewal discussions. CISOs should take the following preventative measures to protect themselves:

1.  For starters, a CISO should establish what indemnification is available from their company for any cybersecurity-related claim that could potentially implicate them personally.
2.  CISOs should also assess whether they meet the definition of “Insured Person” under the company’s Directors & Officers insurance program and whether any exclusionary language could limit their cover otherwise. If they do not, alternative paths to coverage might include specifically endorsing the CISO and other cybersecurity professionals as Insured Persons. Additionally, some cyber policies may extend coverage for these individuals when personally implicated.

For additional resources and solutions, please contact one of CAC Specialty’s D&O or cyber brokers.