{"id":5870,"date":"2023-10-16T09:26:37","date_gmt":"2023-10-16T14:26:37","guid":{"rendered":"https:\/\/www.bbrown.com\/?post_type=insight&#038;p=5870"},"modified":"2023-10-16T09:26:37","modified_gmt":"2023-10-16T14:26:37","slug":"cisos-in-the-secs-legal-crosshairs","status":"publish","type":"insight","link":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/","title":{"rendered":"CISOs in the SEC\u2019s Legal Crosshairs"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column width=&#8221;2\/3&#8243;]\n  <div class='content-heading  100% content-heading--ruled '>\n    \n    <h1 class='text-brand-dark-blue    h2'>\n      CISOs in the SEC\u2019s Legal Crosshairs\n    <\/h1>\n\t\n  <\/div>[vc_column_text]Recent U.S. Securities and Exchange Commission (SEC) actions have ignited concerns that the scope of liability related to commercial data breaches now applies to individual members of targeted companies. 
The SEC\u2019s issuance of Wells Notices to the Chief Information Security Officer (CISO) and Chief Financial Officer (CFO) of SolarWinds marks a shift in tactics for the agency as it directly investigates a company\u2019s handling of cybersecurity and response to an incident.<\/p>\n<p>Previous SEC notices and actions were generally directed to companies rather than individual employees. Beyond the immediate legal implications, this development is reverberating with executives and cybersecurity professionals concerned by the potential for litigation, and with risk managers who may need to adapt their approach towards directors and officers coverage and cyber risk controls.<\/p>\n<h3>What is a Wells Notice?<\/h3>\n<p>A Wells Notice is a formal notice from the SEC informing a recipient that the agency plans to bring enforcement actions against them, likely regarding possible violations of securities laws. It is usually a formal letter or telephone call in which the staff enforcement attorneys of the SEC notify a target entity that they are planning to recommend enforcement action. While not indicative of any specific violation, the notice informs the potential target of a proposed enforcement action of the commission\u2019s plans and provides for a response.<sup>\u00b9<\/sup><\/p>\n<h3>What Exactly Happened at SolarWinds?<\/h3>\n<p>SolarWinds, known for its Orion network monitoring platform, was under immense scrutiny after a 2020 cyberattack impacted its digital infrastructure, disseminated malicious updates and compromised customer data. On June 23, 2023, SolarWinds released a legal response, publicly revealing that they had received an SEC Wells Notice on October 28, 2022. 
The SEC alleged a breach of duty on the part of SolarWinds directors, among other claims related to SolarWinds\u2019 cybersecurity disclosures and public statements, internal controls and disclosure controls.<sup>\u00b2<\/sup><\/p>\n<p>The SolarWinds Wells Notice follows the earlier prosecution of Uber\u2019s Chief Security Officer (CSO), who, in October 2022, was found guilty of obstruction of proceedings and commission of a felony related to the 2016 Uber hack. The 2016 Uber hack resulted in massive numbers of sensitive records being compromised. Data belonging to approximately 57 million Uber users and 600,000 driver license numbers was stolen by hackers. Uber\u2019s CSO was sentenced to serve a three-year term of probation and ordered to pay a fine of $50,000 for his role in attempting to cover up the hack and obstructing the Federal Trade Commission\u2019s (FTC) investigation. The CSO\u2019s sentence sparked vigorous debate and attention from within the cybersecurity community over the potential personal liability of an individual executive.<\/p>\n<h3>A Paradigm Shift: CISOs in the Legal Crosshairs<\/h3>\n<p>What distinguishes these cases is the inclusion of the CISO in the Wells Notices and cybersecurity as a cause for SEC prosecution. Traditionally, Wells Notices have primarily targeted CEOs or CFOs in matters unrelated to cybersecurity. However, the SEC\u2019s decision to encompass the CISO signifies a pivotal shift towards holding cybersecurity professionals individually accountable for their actions. This new landscape raises questions about the role and responsibilities of CISOs, especially concerning the timely disclosure of material information related to cybersecurity incidents. 
As cyber insurance policies typically include coverage for privacy violations and data breaches, the SEC\u2019s action may prompt organizations to review and reassess their cyber insurance, the regulatory coverage therein (and the breadth of that coverage), and the interplay of cyber and directors and officers coverage.[\/vc_column_text]\t<div class='wpb_content_element text-left btn-container'>\n\t\t\t\t\t<a class='btn btn-brand-green  '\n\t\t\t\thref='https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Legal-Crosshairs-Brown-Brown-External_web.pdf' target='_blank' data-toggle=''>\n\t\t\t\t<span class=\"btn-text-color--default\">Download PDF<\/span>\n\t\t\t<\/a>\n\t\t\t<\/div>\n[vc_column_text]<em>\u00b9 SEC.GOV | INVESTOR BULLETIN: SEC INVESTIGATIONS. (2014, OCTOBER 22). <a href=\"https:\/\/www.sec.gov\/oiea\/investor-alerts-bulletins\/ib_investigations\" target=\"_blank\" rel=\"noopener\">https:\/\/www.sec.gov\/oiea\/investor-alerts-bulletins\/ib_investigations<\/a><\/em><br \/>\n<em>\u00b2 UNITED STATES SECURITIES AND EXCHANGE COMMISSION, FORM 8-K <a href=\"https:\/\/d18rn0p25nwr6d.cloudfront.net\/CIK-0001739942\/02aed9ff-6065-4158-8efd-6b5e31f7eb89.pdf\" target=\"_blank\" rel=\"noopener\">0001739942-23-000079 (d18rn0p25nwr6d.cloudfront.net<\/a>) <\/em>[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/3&#8243;][vc_single_image image=&#8221;5646&#8243; alignment=&#8221;center&#8221; style=&#8221;vc_box_circle_2&#8243;][vc_separator border_width=&#8221;2&#8243; el_width=&#8221;60&#8243;][vc_column_text]<\/p>\n<h6 style=\"text-align: center;\">Britt Eilhardt<\/h6>\n<p style=\"text-align: center;\">Managing Director<\/p>\n<p>[\/vc_column_text][vc_single_image image=&#8221;5652&#8243; alignment=&#8221;center&#8221; style=&#8221;vc_box_circle_2&#8243;][vc_separator border_width=&#8221;2&#8243; el_width=&#8221;60&#8243;][vc_column_text]<\/p>\n<h6 style=\"text-align: center;\">Miles Crawford<\/h6>\n<p style=\"text-align: 
center;\">Intern<\/p>\n<p>[\/vc_column_text]\t<div class='wpb_content_element text-center btn-container'>\n\t\t\t\t\t<a class='btn btn-brand-dark-blue  '\n\t\t\t\thref='\/us\/contact\/contact-general\/' target='' data-toggle=''>\n\t\t\t\t<span class=\"btn-text-color--default\">Connect Now<\/span>\n\t\t\t<\/a>\n\t\t\t<\/div>\n[\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row row_style=&#8221;page-hero&#8221; full_width=&#8221;stretch_row_content&#8221;][vc_column][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;2\/3&#8243;][vc_column_text]Recent U.S. Securities and Exchange Commission (SEC) actions have ignited concerns that the scope of liability related to commercial data breaches now applies to individual members of [&hellip;]<\/p>\n","protected":false},"author":66,"featured_media":5871,"template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"insight_category":[34],"class_list":["post-5870","insight","type-insight","status-publish","has-post-thumbnail","hentry","insight_category-property-casualty"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>CISOs in the SEC\u2019s Legal Crosshairs - Brown &amp; Brown<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CISOs in the SEC\u2019s Legal Crosshairs\" \/>\n<meta property=\"og:description\" content=\"[vc_row row_style=&#8221;page-hero&#8221; full_width=&#8221;stretch_row_content&#8221;][vc_column][\/vc_column][\/vc_row][vc_row][vc_column 
width=&#8221;2\/3&#8243;][vc_column_text]Recent U.S. Securities and Exchange Commission (SEC) actions have ignited concerns that the scope of liability related to commercial data breaches now applies to individual members of [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/\" \/>\n<meta property=\"og:site_name\" content=\"Brown &amp; Brown\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Legal-Crosshairs-Brown-Brown-External_web-image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"667\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/\",\"url\":\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/\",\"name\":\"CISOs in the SEC\u2019s Legal Crosshairs - Brown &amp; 
Brown\",\"isPartOf\":{\"@id\":\"https:\/\/www.bbrown.com\/us\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Legal-Crosshairs-Brown-Brown-External_web-image.png\",\"datePublished\":\"2023-10-16T14:26:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#breadcrumb\"},\"inLanguage\":\"us\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"us\",\"@id\":\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#primaryimage\",\"url\":\"https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Legal-Crosshairs-Brown-Brown-External_web-image.png\",\"contentUrl\":\"https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Legal-Crosshairs-Brown-Brown-External_web-image.png\",\"width\":1000,\"height\":667},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.bbrown.com\/us\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Insights\",\"item\":\"https:\/\/www.bbrown.com\/us\/news-events\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CISOs in the SEC\u2019s Legal Crosshairs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.bbrown.com\/us\/#website\",\"url\":\"https:\/\/www.bbrown.com\/us\/\",\"name\":\"Brown &amp; 
Brown\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.bbrown.com\/us\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.bbrown.com\/us\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"us\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.bbrown.com\/us\/#organization\",\"name\":\"Brown &amp; Brown\",\"url\":\"https:\/\/www.bbrown.com\/us\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"us\",\"@id\":\"https:\/\/www.bbrown.com\/us\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.bbrown.com\/wp-content\/uploads\/2021\/12\/cropped-BBRetail002-RGBrevs.png\",\"contentUrl\":\"https:\/\/www.bbrown.com\/wp-content\/uploads\/2021\/12\/cropped-BBRetail002-RGBrevs.png\",\"width\":1000,\"height\":136,\"caption\":\"Brown &amp; Brown\"},\"image\":{\"@id\":\"https:\/\/www.bbrown.com\/us\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"CISOs in the SEC\u2019s Legal Crosshairs - Brown &amp; Brown","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/","og_locale":"en_US","og_type":"article","og_title":"CISOs in the SEC\u2019s Legal Crosshairs","og_description":"[vc_row row_style=&#8221;page-hero&#8221; full_width=&#8221;stretch_row_content&#8221;][vc_column][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;2\/3&#8243;][vc_column_text]Recent U.S. 
Securities and Exchange Commission (SEC) actions have ignited concerns that the scope of liability related to commercial data breaches now applies to individual members of [&hellip;]","og_url":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/","og_site_name":"Brown &amp; Brown","og_image":[{"width":1000,"height":667,"url":"https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Legal-Crosshairs-Brown-Brown-External_web-image.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/","url":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/","name":"CISOs in the SEC\u2019s Legal Crosshairs - Brown &amp; Brown","isPartOf":{"@id":"https:\/\/www.bbrown.com\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#primaryimage"},"image":{"@id":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#primaryimage"},"thumbnailUrl":"https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Legal-Crosshairs-Brown-Brown-External_web-image.png","datePublished":"2023-10-16T14:26:37+00:00","breadcrumb":{"@id":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#breadcrumb"},"inLanguage":"us","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/"]}]},{"@type":"ImageObject","inLanguage":"us","@id":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#primaryimage","url":"https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Legal-Crosshairs-Brown-Brown-External_web-image.png","contentUrl":"https:\/\/www.bbrown.com\/wp-content\/uploads\/2023\/10\/CISOs-in-the-SECs-Leg
al-Crosshairs-Brown-Brown-External_web-image.png","width":1000,"height":667},{"@type":"BreadcrumbList","@id":"https:\/\/www.bbrown.com\/us\/insight\/cisos-in-the-secs-legal-crosshairs\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.bbrown.com\/us\/"},{"@type":"ListItem","position":2,"name":"Insights","item":"https:\/\/www.bbrown.com\/us\/news-events\/"},{"@type":"ListItem","position":3,"name":"CISOs in the SEC\u2019s Legal Crosshairs"}]},{"@type":"WebSite","@id":"https:\/\/www.bbrown.com\/us\/#website","url":"https:\/\/www.bbrown.com\/us\/","name":"Brown &amp; Brown","description":"","publisher":{"@id":"https:\/\/www.bbrown.com\/us\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.bbrown.com\/us\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"us"},{"@type":"Organization","@id":"https:\/\/www.bbrown.com\/us\/#organization","name":"Brown &amp; Brown","url":"https:\/\/www.bbrown.com\/us\/","logo":{"@type":"ImageObject","inLanguage":"us","@id":"https:\/\/www.bbrown.com\/us\/#\/schema\/logo\/image\/","url":"https:\/\/www.bbrown.com\/wp-content\/uploads\/2021\/12\/cropped-BBRetail002-RGBrevs.png","contentUrl":"https:\/\/www.bbrown.com\/wp-content\/uploads\/2021\/12\/cropped-BBRetail002-RGBrevs.png","width":1000,"height":136,"caption":"Brown &amp; 
Brown"},"image":{"@id":"https:\/\/www.bbrown.com\/us\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.bbrown.com\/us\/wp-json\/wp\/v2\/insight\/5870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bbrown.com\/us\/wp-json\/wp\/v2\/insight"}],"about":[{"href":"https:\/\/www.bbrown.com\/us\/wp-json\/wp\/v2\/types\/insight"}],"author":[{"embeddable":true,"href":"https:\/\/www.bbrown.com\/us\/wp-json\/wp\/v2\/users\/66"}],"version-history":[{"count":0,"href":"https:\/\/www.bbrown.com\/us\/wp-json\/wp\/v2\/insight\/5870\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bbrown.com\/us\/wp-json\/wp\/v2\/media\/5871"}],"wp:attachment":[{"href":"https:\/\/www.bbrown.com\/us\/wp-json\/wp\/v2\/media?parent=5870"}],"wp:term":[{"taxonomy":"insight_category","embeddable":true,"href":"https:\/\/www.bbrown.com\/us\/wp-json\/wp\/v2\/insight_category?post=5870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}