
SEC Wells Notice Underscores Shift in Responsibility for Cyber Attacks

What happened?  

The Securities and Exchange Commission (SEC) recently issued a Wells Notice to SolarWinds executives. The notice represents a seismic shift in accountability: beyond the conventional targets (CEOs and CFOs), it also includes those responsible for overseeing cyber and data security programs, as evidenced by its explicit reference to the SolarWinds chief information security officer.

The SolarWinds hack was a major event not because it affected one company, but because it triggered a much larger supply chain incident that affected thousands of organizations, including the U.S. government. The breach involved the SolarWinds Orion system. In the hack, suspected nation-state hackers gained access to the networks, systems, and data of thousands of SolarWinds customers. More than 30,000 public and private organizations, including local, state, and federal agencies, use the Orion network management system to manage their IT resources. As a result, when SolarWinds inadvertently delivered the backdoor malware as an update to the Orion software, the hack compromised the data, networks, and systems of thousands.

What does this mean for me? 

CISOs, CCOs, and those responsible for overseeing cyber and data security programs should take note of this ruling. Recent regulations, including the proposed Cybersecurity Risk Management Rule, reinforce the SEC’s continued focus on cybersecurity.    

If you are facing increased responsibility over your cybersecurity program, Fairview can help. We offer solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding the proposed rules or cybersecurity best practices. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.