New SEC Disclosure Rules Can Help Cybersecurity: Lessons from SolarWinds

The SEC (Securities and Exchange Commission) voted to accept a final rule on cybersecurity risk management, strategy, governance, and incident disclosure on July 26, 2023. The rule covered disclosures in Form 10-K for annual disclosures and Form 8-K for ongoing disclosures. Foreign organizations that list on U.S. exchanges must file similar disclosures on Forms 20-F and 6-K.

So, how does the new rule affect disclosures? A good example is the massive, sophisticated cyber attack on software company SolarWinds in 2020. Although the hack occurred before the effective date of the new SEC rule – December 2023 – we will discuss what SolarWinds’s disclosure would have looked like under the new rule.

Overview of the SolarWinds cyber attack

In September 2018, SolarWinds went through a second IPO after three years of being owned by private equity companies. The organization completed its public offering on October 19, 2018. This second IPO meant that SolarWinds was required to file disclosure documents with the SEC, including Forms 10-K and 8-K.

Between March and June of 2020, SolarWinds released a patch for its best-selling software, Orion. The patch had been corrupted with malware that became known as Sunburst.

SolarWinds disclosure – what could have been different?

SolarWinds’s Form 8-K was filed on December 14, 2020. Under the new rules, it would have included a description of the “material aspects of the nature, scope, and timing of the incident, and the material impact on the registrant, including its financial condition and results of operations.”

Instead, SolarWinds’s draft of the 8-K focused on the technical nature of the hack rather than its impact. The draft did not tell investors what management thought about the impact of the hack on the organization’s operations, which would have been far more relevant to investors. Consequently, investors assumed the worst, and the stock lost 35% by the end of the month.

SolarWinds’s 2020 Form 10-K lacked even more detail. It used generic language to state that the “Cyber Incident has and is likely to continue to have an adverse effect on our business, reputation, customer, employee and partner relations.” It did not discuss any of the issues in the new §229.106, including how and by whom the risk would be managed. Nor did it cover the ultimate impact of the hack and how the organization was dealing with it.

Since then, SolarWinds’s management has attempted to clarify the hack’s impact, stating that it will have a continued “adverse effect on the business” that may never stop. This is unlikely to reassure investors.

When disclosing cybersecurity issues, registrants should map a way forward. For example, a registrant that has not fully addressed the risks associated with its use of third-party service providers should say so, and registrants should state that any updated risks will be mitigated by using a regularly audited cybersecurity framework.

Before the new SEC disclosure rule, registrants were lumping cybersecurity risks in with all sorts of generic risks like market conditions, interest rate fluctuations, earthquakes, and the weather – risks beyond the registrant’s control.

This was the wrong approach. Cybersecurity risks can be controlled. The Sunburst attack was novel, but that doesn’t mean SolarWinds couldn’t have done something about it.

By its own admission, SolarWinds was not a security-minded organization. It could have chosen to enforce a better password system. It did not. It could have chosen to have procedures for the three quarters of the NIST controls it was missing. It did not. It could have implemented a secure development cycle. It did not.

The new SEC rules will require the registrant to make certain declarations about the state of its cybersecurity, which will give the market a clearer understanding of the registrant’s posture. They will also give the registrant a firm incentive to adopt better cybersecurity practices.

Good cybersecurity takes work. It requires discipline and vigilance. SolarWinds could have selected a less comprehensive set of NIST controls, but instead it chose a framework that it only partially implemented. The compliance required by the new SEC rules will add a sorely needed incentive for registrants to use more resources to enhance their cybersecurity, hopefully leading to a more robust compliance culture.


How IT Governance USA can help you meet your SEC cybersecurity disclosure obligations

We are experts on information security, cybersecurity, and cyber incident response management, and have been helping organizations around the world implement and maintain best practices for over 20 years.

If you need help with your cybersecurity program, or with identifying and responding to a cybersecurity incident – including reporting – we have everything you need.