USA Trends and Developments Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields
Current Cybersecurity Threats Faced by US Companies and How to Minimise Liability in the Event of a Cyber-Attack

Top of mind for many US cybersecurity executives has been the threat of personal liability for cybersecurity incidents. In late 2023, the SEC charged SolarWinds’ chief information security officer Timothy Brown with defrauding investors by making public statements regarding the company’s cybersecurity standards that he allegedly knew were not accurate. SolarWinds provides cybersecurity software to thousands of companies. In 2020, it suffered a supply chain attack whereby nation state threat actors were able to insert code into a software update that allowed the threat actors to access SolarWinds customers’ networks, leveraging the access that SolarWinds’ software was given on these systems.

Relying on internal communications between information security engineers at SolarWinds, in addition to accusing the company of having inadequate internal accounting controls, the SEC alleged that Brown defrauded investors by falsely touting SolarWinds’ cybersecurity strength. Specifically, the SEC alleged Brown was aware that the company’s security controls were weak but he nevertheless approved the company’s risk factors on cybersecurity – which the government described as “generic” – and supported a number of other public statements about the company’s high cybersecurity standards, including blogs and a security statement that was provided to actual and prospective customers.

In 2024, a federal district court dismissed some – but not all – of the charges against Brown. Even though the court disagreed with the SEC’s accusation that the risk factors were “generic”, it did find that the company’s public “security statement” (which was posted on its website and discussed its cybersecurity standards) could be a material statement. Whether the statement was inaccurate, and whether Brown was aware the statement was inaccurate, are issues that the court allowed to proceed to trial.

The SEC case is not the only case in which senior executives have faced personal liability. In 2023, the Federal Trade Commission (FTC) finalised a settlement with Drizly, an app for the delivery of alcohol, that imposed personal liability on its CEO for the company’s security failures. The FTC alleged that Drizly and its CEO implemented woefully inadequate cybersecurity practices at the company, resulting in a data breach affecting more than 2.5 million customers. In the settlement, which included a consent decree binding the company, the FTC reached an agreement that Drizly CEO James Cory Rellas would be required to implement an information security programme at any future company where he was a majority owner, CEO, or senior officer with information security responsibilities, if that company collected consumer information from more than 25,000 individuals. The settlement ensured that these requirements would follow Rellas to future companies, likely due in part to the fact that Drizly had been acquired by another company.

These cases highlight a newly aggressive posture of regulators towards executives who have cybersecurity responsibility. In the aftermath of the SolarWinds charges, many companies have reviewed their directors’ and officers’ liability insurance to ensure it covers senior security professionals. The cases also highlight the importance of ensuring that executives understand their legal obligations regarding accurate disclosures, including with regard to cybersecurity