Blogs

Further to our recent report on the R.R. Donnelley enforcement action: “SEC Order Links Ransomware Response to Internal Controls Failure” and SEC Commissioners Peirce’s and Uyeda’s statement of dissent, a new decision on the high profile SolarWinds case coming out of the U.S. District Court for the Southern District of New York rejected the SEC’s attempts to base an Exchange Act internal accounting controls violation on an alleged failure of corporate cybersecurity controls, with the court affirming that the “history and purpose of the statute confirm that cybersecurity [and other non-financial accounting] controls are outside the scope of Section 13(b)(2)(B).”

Equally noteworthy, the court dismissed the SEC’s charge against SolarWinds of a disclosure controls and procedures violation based on its hindsight assessment of the company’s allegedly deficient incident response:

[However,] errors happen without systemic deficiencies. Without more, the existence of two misclassified incidents is an inadequate basis on which to plead deficient disclosure controls…That this one lapse was not elevated to the company's top rung does not, without more, plausibly impugn the company's disclosure controls systems.

See these summaries of this important decision from Sullivan & Cromwell and Morrison & Foerster and these articles: “Judge deals major blow to SEC’s cybersecurity enforcement stance” (CFO Dive), “SolarWinds Ruling Hits SEC for Using Old Accounting Law on Hacks” (Bloomberg Law), “SEC Lawsuit Against SolarWinds Gutted” (Radical Compliance), “SolarWinds beats most of US SEC lawsuit over Russia-linked cyberattack” (Reuters), and “SolarWinds Defeats Part of SEC’s Fraud Case Over Hack” (WSJ).

                             This post first appeared in the weekly Society Alert!