SEC Seeks Shelter from the SolarWinds Case
- Daniel Goelzer
The Securities and Exchange Commission has apparently thrown in the towel in its controversial campaign to use the internal control requirements of the Securities Exchange Act as a tool to sanction public companies for cybersecurity weaknesses.
In 2023, the SEC brought an enforcement action against SolarWinds Corporation and its Chief Information Security Officer, charging the company with, among other things, violating the requirement in Section 13(b)(2) of the Exchange Act to devise and maintain a system of internal accounting controls. SolarWinds had been the victim of Russian hackers who surreptitiously inserted malicious code (a backdoor) into one of its software products, so that customers who installed the tampered build exposed their own IT systems to exploitation. The SEC’s theory was that the company's source code, databases, and software products were its most vital assets, but, because of poor access controls, weak internal password policies, and VPN security gaps, SolarWinds failed to limit access to those assets "only in accordance with management's general or specific authorization" as required by Section 13(b)(2).
In 2024, the SEC’s case suffered a serious setback when a federal district court held that Section 13(b)(2) does not apply to cybersecurity controls. In SEC v. SolarWinds Corp., the court stated that “the statutory requirement that a public issuer ‘devise and maintain a system of internal accounting controls’ is properly read to require that issuer to accurately report, record, and reconcile financial transactions and events. A cybersecurity control does not naturally fit within this term, as a failure to detect a cybersecurity deficiency (e.g., poorly chosen passwords) cannot reasonably be termed an accounting problem.” See A Shift in the Winds: Court Rejects SEC’s Use of Internal Control Authority to Police Cybersecurity, August 2024 Update.
On November 20, the SEC announced that it had filed a joint stipulation with SolarWinds Corporation and its CISO to dismiss, with prejudice, the Commission’s civil enforcement action. The announcement adds that “the Commission’s decision to seek dismissal is ‘in the exercise of its discretion’ and ‘does not necessarily reflect the Commission’s position on any other case.’”
For audit committees, the dismissal of the SEC’s SolarWinds case is good news, in that it marks the end of the Commission’s initiative to expand the scope of the Exchange Act’s internal control requirements beyond financial reporting. Even prior to the SolarWinds judicial decision, Commissioners Peirce and Uyeda had forcefully argued against the expansive interpretation of Section 13(b)(2) deployed in that case. See Shoot the Wounded! SEC Charges that Inadequate Cybersecurity is an Internal Accounting Control Violation, July 2024 Update.
However, with or without internal accounting controls as one of its theories, cybersecurity disclosure is likely to remain an area of SEC focus. The SolarWinds case included an allegation that the company misled investors by overstating its cybersecurity practices and downplaying risks associated with its products. While the district court rejected the Commission’s other claims, it permitted that aspect of the case to proceed. Moreover, since the SolarWinds case, the SEC has adopted specific new disclosure requirements on cybersecurity risk management and strategy, governance, and material incident reporting. See SEC Adopts Cybersecurity Disclosure Rules, August-September 2023. The Commission may actively enforce these new rules and, even if the current SEC administration does not, the rules may provide fodder for the private securities class action bar. For these reasons, oversight of cybersecurity disclosure should remain an audit committee priority.
