Driving the news: The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds and its CISO for fraud and internal control failures relating to cybersecurity risks.
Why it matters: These charges highlight the importance of implementing strong controls and disclosing known concerns to investors. In its complaint, the SEC alleges that SolarWinds and its CISO misled investors by understating cybersecurity risks and ignoring red flags about cyber risks.
Important takeaway: The SEC’s enforcement action signals a potential expansion of executive accountability in public reporting beyond the CEO and CFO.
The bottom line: Addressing this expansion of personal accountability requires companies to enable it and individual executives to perform to it. To that end:
- Companies and their executives should advocate for effective risk governance and compliance, create appropriate awareness, ensure clarity on roles and responsibilities, and enhance the disclosure process.
- Individual executives owning activities, decisions and information having significant public reporting implications should measure up to their respective responsibilities under the federal securities laws.
Our insights: In this Flash Report, we summarize the SEC’s allegations against SolarWinds and its CISO and offer nine points for executives and functional leaders with SEC registrants to consider regarding their own accountability and responsibility for public reporting.
Nick Puetz, Managing Director – Security and Privacy, also contributed to this report.