Courts & Litigation Cybersecurity & Tech Executive Branch

Lawfare Daily: Shoba Pillay and Jennifer Lee on the Dismissal of Charges Against the SolarWinds Corporation and Timothy Brown

Stephanie Pell, Shoba Pillay, Jennifer Lee, Jen Patja
Wednesday, August 21, 2024, 8:00 AM
Why did a district court judge dismiss some of the SEC's charges against SolarWinds?

Published by The Lawfare Institute
in Cooperation With
Brookings

The fallout from the SolarWinds intrusion took a new turn with the U.S. Securities and Exchange Commission’s (SEC) decision to file a cybersecurity-related enforcement action against the SolarWinds corporation and its Chief Information Security Officer (CISO), Timothy G. Brown, in October of 2023. But In July, District Court Judge Paul A. Engelmayer dismissed a number of charges in the SEC’s complaint against SolarWinds and Brown. 

To talk about this significant development in the case, Stephanie Pell, Lawfare Senior Editor and Brookings Fellow, sat down with Shoba Pillay, a partner at Jenner & Block and a former federal prosecutor, and Jennifer Lee, also a partner at Jenner & Block and a former Assistant Director in the SEC’s Division of Enforcement. They discussed the court’s rationale for allowing some charges to stand, while dismissing others, what stood out most in the dismissal of the case, and how this case may shape the SEC’s cybersecurity enforcement actions in the future.

To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials.

Click the button below to view a transcript of this podcast. Please note that the transcript was auto-generated and may contain errors.

 

Transcript

[Introduction]

Jennifer Lee: The court dismissed the SEC's most novel charge about internal accounting controls violations. This claim was premised on the company's alleged weak cybersecurity controls, and the court was very focused on statutory construction, which is here in 13(b)(2)(b) of the Securities Exchange Act of 1934. And ultimately, the court said that the statute focuses on financial accounting, not cybersecurity controls.

Stephanie Pell: It's the Lawfare Podcast. I'm Stephanie Pell, Senior Editor at Lawfare, with Shoba Pillay, a partner at Jenner & Block and a former federal prosecutor, and Jennifer Lee, also a partner at Jenner & Block and a former Assistant Director in the SEC's Division of Enforcement.

Shoba Pillay: The more we put companies on their heels, on how they publicly describe their security, the more complicated it's going to get to actually be secure.

Stephanie Pell: Today, we're talking about the dismissal of several charges in the SEC's cybersecurity-related enforcement action against the SolarWinds Corporation and its Chief Information Security Officer, Timothy G. Brown.

[Main Podcast]

Shoba and Jennifer, in January, you came on the podcast to talk about a cybersecurity-related enforcement action filed by the U.S. Security and Exchange Commission against the SolarWinds Corporation and its Chief Information Officer, Timothy G. Brown, in October of last year. That enforcement action concerned public statements made by SolarWinds prior to and in the immediate aftermath of the SolarWinds intrusion, which has been attributed to Russia.

Now we have an order in that case from District Court Judge Paul A. Engelmayer, dismissing large portions of the SEC's complaint against SolarWinds and Timothy Brown. Before we get into the substance of that order, I want to briefly remind our audience about the nature of the SolarWinds intrusion. Shoba, can you start by telling us what happened there and who was impacted?

Shoba Pillay: Sure. So SolarWinds provided various IT management services to its customers. Its signature product was known as Orion, which is a networking monitoring software, which was actually used by thousands of organizations, both public and private. And according to the public reporting on this incident, a nation state-supported Russia-based threat actor gained access to SolarWinds network and injected malicious software into the software development process, including for updates to the Orion software. That was later referred to as the Sunburst attack.

Between March and June of 2020, SolarWinds deployed Orion software updates or patches to its customers, which unfortunately included this Sunburst malware without SolarWinds knowledge, permitting the threat actors access to the impacted networks of the customer. SolarWinds later disclosed that approximately 18,000 of its 33,000 Orion customers may have installed that malware, which permitted the threat actors to have access to the networks, systems, and data of thousands of customers, including government agencies and private sector companies. In December of 2020, SolarWinds Orion customer Mandiant, a cybersecurity company impacted by the compromise, notified SolarWinds of December's attack.

This is the first time malware has been deployed via software update at this magnitude. It's really changed the landscape for supply chain attacks. And so there were real national security implications and have continued to be, in large part because of the government agencies and contractors who were impacted by the compromise, and because the victims included organizations across the federal government, it's a huge intel coup for the threat actor. Massive amounts of data could have been collected before it was discovered. So coupled with threat act, other threat factors, this could be devastating to U.S. national security.

Stephanie Pell: Jennifer, what was the basis upon which the SEC brought charges against SolarWinds and Timothy Brown?

Jennifer Lee: The SEC's fraud case focused on the company's misleading statements before and after the Sunburst attack. For pre-attack disclosures, the SEC alleged that SolarWinds and its CISO misled the company's investors by overstating the strength of the company's cybersecurity practices before the attack. This claim is premised on a security statement describing five of the company's cyber security practices, which was purportedly authored by Brown and then later posted on the company's website accessible to all. And in essence, the SEC's case hinges on the argument that the company misled investors into believing the company was following cyber security best practices when it had reason to know it wasn't. So overall, this is about how a company was overstating how good it was on cybersecurity.

For post attack disclosures, the SEC focused on various SEC filings that purportedly disclosed the attack, but did not reveal sufficiently detailed information about the incident. So on this theory, the SEC was essentially arguing that the company may have deceived investors a second time by downplaying the severity of the attack. So, there are other charges and allegations, but ultimately these are the main statements that were at the core of the SEC's fraud claims.

Stephanie Pell: And Jennifer, when we talked in January, you indicated that this was an aggressive complaint by the SEC. How so?

Jennifer Lee: This is an aggressive action in the sense that the SEC presented not only its strongest charge by way of an intentional fraud charge, but also every possible theory and charge it uses in disclosure actions and essentially is testing them now in the SolarWinds case. So as I mentioned, this is the first time the SEC has sued a company for intentional fraud based on cybersecurity failures. It's the first time that the SEC has sued an individual and specifically a CISO for intentional fraud in this area. All other cases to date in cybersecurity involved companies and deficient policies and procedures, not intentional fraud.

And here I want to note, intentional fraud is a big deal for the government and the most serious charge that the SEC can bring. Normally, you have a fraud motive, typically greed or some reason why a person would intentionally deceive investors. And in this particular case, it's aggressive because the SEC is focused on a CISO that exercises at most $170,000 worth of options. So arguably not a big fraud motive.

I want to continue and say that this is also the first time that the SEC has specifically alleged that the company misled investors about the strength of its cybersecurity practices. All other cases up to this point were really about just what were you saying about a cybersecurity incident after you knew about it.

It's also the first time that the SEC alleged that a company misled investors by putting forth risk factors that identify cybersecurity as material risk but not going far enough to talk about specific vulnerabilities and outcomes that could occur. And then finally, this is the first time that the SEC has asserted that deficient cybersecurity controls could be the basis for a deficient internal accounting controls charge for failing to protect the company's assets. So all around the SEC really trying to flex and bring all of its charges and theories that it could bring the disclosure action in this particular case.

Stephanie Pell: So given all of those firsts, fair to say that this was a rather significant action on the part of the SEC.

Jennifer Lee: Yes, the SEC has stated repeatedly that cybersecurity is a priority across its enforcement program. It's no surprise that the SEC adopted the new rules requiring cybersecurity disclosures for public companies and then followed up by following the SolarWinds action a couple of months later. And it's the SEC's way of reinforcing the importance of cybersecurity rules for disclosure and risk governance.

Stephanie Pell: So now let's jump to the present. Jennifer, the court dismissed the majority of the claims against SolarWinds and its CISO, Timothy Brown. Can you summarize what the court did and also explain its reasoning?

Jennifer Lee: Yes, so I want to start with what the court permitted to proceed past the motion to dismiss stage. And not surprisingly, the court here permitted the SEC's fraud claims premised on the security statement to proceed against the company and the CISO. This is something the court signaled during the motion to dismiss hearing, and the court focused on two practices where the company's statements and the SEC's allegations as to what the company was really doing demonstrated a wide margin.

So for the first practice, which was access controls, the company, in its security statement, said that those access controls were strong. And the SEC, in its amended complaint, alleged the company, notwithstanding that representation, was freely granting administrative rights to employees and conferring access rights way beyond that was necessary for the employee's specific job functions.

So in that particular instance, the court determined those allegations were sufficient to demonstrate a wide margin between what the company said it was doing and what it was actually doing. On password protection, the company said it used strong alphanumeric passwords and cybersecurity best practices for those passwords. And here, the SEC alleged that the company at times used the password literally in quotes, password, endquote, or solarwinds123.

So again, another instance in which what the company said it was doing was not really matching up with the reality of what it was actually doing. On the other fraud and controls claims that the court dismissed, there are three things to know. So first, the court dismissed the SEC's fraud claims premised on incomplete risk factor disclosures and specifically said that the law does not require more specificity about vulnerabilities in pre-attack disclosures. Second, the court also dismissed the SEC's fraud claims based on seemingly informal and vague statements made by the CISO about how the company cared about cybersecurity. This is known in legal terms as inactionable puffery, basically general statements that really can't form the basis of a fraud claim.

And finally, what is really significant is that the court dismissed the SEC's most novel charge about internal accounting controls violations. This claim was premised on the company's alleged weak cybersecurity controls, and the court was very focused on statutory construction, which is here in 13(b)(2)(b) of the Securities Exchange Act of 1934. And ultimately, the court said that the statute focuses on financial accounting, not cybersecurity controls. I'm going to turn it over to Shoba, because I think you can talk about why this is so important.

Shoba Pillay: Yeah, I think the critical takeaway here is there was a real risk that if the court entertained this allegation and this claim, that companies would have to completely recalibrate and ensure that their cybersecurity controls were meeting this SEC standard for internal accounting controls. So, what the SEC was trying to do was really broaden the concepts underlying its inner internal accounting control standard to encompass this really complicated arena of cybersecurity controls. They just don't match up.

And so for a company to try to recalibrate its entire governance structure to basically pull all of its cybersecurity control functions into how it manages internal accounting would be really unbelievable burden on the company. So it's really important that the court did not entertain this allegation and dismissed it at this stage in the litigation.

Stephanie Pell: And Jennifer, do you have anything additional to add on that point?

Jennifer Lee: I think the hard piece of the statute is that it's about whether a company is protecting its assets. That is what the statutory language says. And when you think about it, essentially because companies are constantly under cybersecurity attack, it is essentially re-penalizing or re-victimizing a company if you say your cybersecurity controls were inadequate to basically prevent a cybersecurity incident. So I think in many ways, people were very nervous about whether the SEC could basically have broad authority to bring an enforcement action anytime a company fails to prevent a cybersecurity attack.

Stephanie Pell: So let me ask you both then, are you surprised by this outcome?

Jennifer Lee: No, I think the SEC had a core disclosure case and that was premised on the security statement which survived and the rest of it was really testing the boundaries of what the SEC could bring around cybersecurity. So it is not surprising to me at all that most of the novel theories were pared back I will say the remaining fraud claims are still remarkable.

We are talking about Scienter-based fraud claims. So that means the SEC is alleging that the company and its CISO intentionally set out to deceive investors and in a security statement that according to the company was originally intended for customers, not investors. So these are pretty breathtaking claims that people should take seriously.

Stephanie Pell: Shoba, any additional thoughts on that point?

Shoba Pillay: Yeah, I'm also not surprised. I think the court really did an exceptional job of walking through each of the SEC's allegations to assess if they met the test under the motion to dismiss standard, that the allegations properly stated a claim for relief under the law.

But it's also important to note that the standard of review at this phase in the litigation is that the court must deem all well-pled facts as true and draw reasonable inferences in favor of the plaintiff. In other words, the court's not saying what the SEC said is true, only that based on how it was pled or articulated in the complaint, the SEC has properly stated an actionable claim as to the security statement. This is important because it remains to be seen if those allegations will survive when tested on the actual event.

Stephanie Pell: Jennifer, I want to follow up on one comment you made. And I think it was that in some respects, the SEC was essentially testing the boundaries of the law in this cybersecurity context. Do you have thoughts on the efficacy or ethics of that kind of charging a case in that way?

Jennifer Lee: I think this is an administration that encourages aggressive boundary pushing, and we've seen it across all parts of the enforcement program, whether that's in disclosure actions, specifically in cybersecurity and insider trading, in the investment advisor space, so I am not surprised at all that the SCC is testing its theories in litigation.

And in many ways, I think many people in the industry celebrate this because they want there to be more daylight. They want there to be more testing of these theories before a judge, before a jury. So in many ways, I think people like this because the alternative is many registrants, many public companies, many investment advisors feel beholden to just settling. So I actually think this is a good result that these are being tested with not only allegations, but also discovery and motion practice.

Stephanie Pell: What stood out to you most from the decision?

Shoba Pillay: So what's really interesting to me is that, and this kind of goes back to my point about how it was alleged, is that it's still not clear to me that the SEC’s going to be able to prove, and their burden of proof is a preponderance of the evidence, that the actual attack- So the SEC is alleging that the threat actor exploited a vulnerability in one of SolarWinds corporate VPN accounts, and that was its threat factor for getting it. And what the SEC is going to have, so first they're going to have to prove that's actually how it, how the threat actor got in. And then prove that the deficiencies it claims in its cybersecurity, which are, the SEC claims are inconsistent with the public security statement, are the reason for that vulnerability. So, it'd be having to connect all of these pieces together. And that's not clear to me that they're going to be able to get facts sufficient to do that.

Obviously in the allegations, we see a litany of allegations about really deficient cybersecurity protocols. Even the CISO acknowledges that. But one thing to remember is, cybersecurity is very broad and very complicated. So information security and data security, protocols and procedures apply across an infrastructure in a range of ways. And a lot of what is alleged in this complaint are very particularized and very specific and very narrowly prescribed. And so whether you can really say the deficiencies identified are ultimately going to be the reason for the attack is hard to say sitting here today. And I think it's also important to note, it is going to really stifle what companies are going to be comfortable saying publicly about their security to customers, in part because that will be deemed, as it has been here, as a public statement also to investors, and whether they're going to be comfortable being at all public about their state of their cybersecurity.

Stephanie Pell: Jennifer, anything to add?

Jennifer Lee: I 100 percent agree with Shoba's sentiments. And one of the things that I thought was remarkable about the court's opinion is that, yes, the court went through just one by one, every disclosure and controls theory in a very detailed and rigorous way. One theory worked, and the more novel theories didn't survive in this context. But as Shoba points out, the two specific practices, while my point would be the court really looked at, were there sufficient allegations to show that there was daylight between what the company was representing it was doing versus what it wasn't?

I think Shoba is absolutely right that it's unclear to what extent those deficiencies really led to the attack. That's what really what this case should be about, but I don't know that's clear at this point in time. And that's one of the difficulties, I think of bringing an enforcement action in cybersecurity. The facts are not going to be 100 percent known, and it doesn't seem like they're even 100 percent known today.

Stephanie Pell: That's interesting that the facts, you said, are not fully known even today. Does that make enforcement actions in the cybersecurity context different from other kinds of enforcement actions in your experience, Jennifer?

Jennifer Lee: Yes, and I think that absolutely comes through in the risk factor disclosure that the SEC focused on, which is, and the post attack 8-K disclosure that the company made, that the SEC is looking for immediate and complete disclosure about an attack. And they are pushing companies to basically make those disclosures as soon as possible when the reality is a lot of the facts are unclear, they're mixed, maybe there are certain fragments of information coming in the door, and it's hard to know what is complete and accurate for purposes of sharing that with investors.

Shoba Pillay: And Stephanie, if I could jump in and just give an example of something that might bear to be inconsistent and not useful for the SEC downstream in its litigation.

Stephanie Pell: Absolutely.

Shoba Pillay: So the password issue that Jennifer noted is that in the security statement, it claims strong password protocols, use of alphanumeric passwords. But it specifically says in the complaint that the quote about the password protection is about user passwords. That's what it says, at least how it's quoted in the complaint. We don't have access to the entire security statement in this complaint. And some of the examples provided for deficient passwords were passwords that were used in its products. So, when it sells a software product, the customer gets that software and has a default password. So, the quote unquote password, the word password as a password was for a product that it sold to a customer. It was a default password that presumably the customer is supposed to change to a more sophisticated and secure password.

That is not a password covered by the security statement. So while it's only an example, a handful of examples in the complaint are unclear to me are passwords that would actually be covered by the security statement. Some of them might be. One of the examples was that a password for one of the third party databases that the company uses was the SolarWinds123. While true that it is alphanumeric, probably not sophisticated enough to be secure. So I think there's going to be issues, concerns, and challenges with being able to develop facts sufficient to show that A) that the conduct and the security practices by the company were actually completely inconsistent with the security statement, at least in a robust manner and not just in really small nitpicky ways. And then B) as we've both pointed out, that is direct correlation to how the threat actor was able to exploit and compromise the company.

Jennifer Lee: And fundamentally, I think what Shoba and I are both getting at is that the SEC needs to prove investor fraud. And so if you don't have the connection or sufficient connection to the ultimate reason why we're all here, which is the Sunburst attack, it may be difficult for the SEC to find that investor that will say, setting aside any connection to the Sunburst attack, would you have cared about what the company said in its security statement about its cyber security practices? It's unclear whether the SEC if it went all the way to trial could find that investor.

Shoba Pillay: I'm actually curious if they're going to be able to find any investor that has read the security statement, which is a separate issue, but I think goes to Jen's point more largely.

Stephanie Pell: Fair enough. As the court notes in its order, the motion to dismiss by SolarWinds drew support from numerous industry and public policy amici. Were some of their concerns explicitly or implicitly reflected in the court's opinion? Do you have thoughts about that, Shoba?

Shoba Pillay: I do. I think the answer is yes. And it's really quite gratifying, I think, more largely in the security industry, because a lot of the tools that the SEC attempted to use to enforce this case really go to the heart of the challenges in the security industry. This is, the threat landscape is constantly involving. No company is perfectly cyber secure. As I often say, if you want to be perfectly cyber secure, stop using computers or stop using humans. It's really the only way to do it. And that's because every time we have a new piece of software or an update to that software, there's a potential vulnerability that can be exploited.

And there's an entire industry out there that looks for those vulnerabilities. Some of those industry members are doing it for good purpose, security researchers for example, and some are doing it for the criminal purpose in order to exploit and compromise and take advantage for their own gain. And so the more we put companies on their heels on how they publicly describe their security, the more complicated it's going to get to actually be secure. And for example, one of the things that the amici really focused on is whether or not internal communications within the cybersecurity professionals should really be at risk for review by the SEC in alleging investor fraud.

Because now it's potentially going to stifle security professionals internally communicating about where gaps might be so they can fix and remediate those gaps. Now, one of the comments, in fact, are, do we really need to have a lawyer review every communication between every security professional? That creates real complications and delays in being able to properly remediate your security. Because companies are attacked thousands of times a day. Some are successful, some are not. And even when successful, they can be remediated quickly. Maybe it's through technical protocols because of the kind of security that's implemented. Maybe it's because the users have been trained not to click on the phishing link, but things fail all the time. People fail all the time. And so really putting the security professionals on the spotlight on the security professionals communications really creates a risk that they're not going to be fully honest in communicating with themselves.

So that's one of the many examples of the ways that at least the industry is really concerned about where the SEC focuses its allegations. And the court rejecting those allegations and those claims, and through this process, I think is really vindicated that there is a lot of risk, and it could be that the reason the court is rejecting it is for the reasons Jen noted may not be for the same reasons we had security concerns, but I think they come to the same ultimate conclusion, and I think that's going to be much more valuable to the industry and understanding where the lanes are and understanding what they shouldn't and should do.

Not to say though, I think more largely into Jen's earlier point, there is going to be, in light of the cyber rules more broadly, real focus on implementing stronger governance on cybersecurity. That's a good thing. That's going to be really valuable for companies. But some of the real scrutiny that the SEC focused on in SolarWinds, I think really was above and beyond and really creating risk for the industry and for our national security.

Jennifer Lee: I think the other area is in risk factor disclosures, so my understanding is that the industry groups really pushed back on to what extent do you need to really spell out your vulnerabilities and basically create a roadmap for attackers. And I think the court here adopted that reasoning and essentially said pre attack, the law does not require more specificities. You do not have to detail for the investing public, if you say you've got a cybersecurity risk, you don't have to go as far as to say here are all the ways in which that risk could manifest into terrible outcomes, which I think, again, was a nod to the industry criticisms of the SEC's pushing for more specificity in that area.

Stephanie Pell: So on that point on disclosure obligations and the detail that must be gone into when they are made, we discussed in our prior podcast back in January that this particular enforcement and action was brought after the SEC's new cyber disclosure rule was adopted in July of 2023. Jennifer, can you briefly tell us what this rule requires and then maybe talk about that at the time this particular enforcement action was brought, what it suggested about the SEC's approach and expectations regarding companies’ disclosure obligations under this rule?

Jennifer Lee: So the new rules which went into effect last year require companies to make disclosures about its top to bottom risk government measures, essentially to address cyber security. How are you handling it? And on top of that, there was a specific requirement now where within a certain amount of time, a company now needs to disclose material cybersecurity incidents to investors.

So those were new and novel and pretty significant requirements. Prior to that, there was nothing set in stone in terms of what a company needed to disclose. So I think last year was a major shift. SolarWinds was the message case to follow up on that because it focused not just on what are you saying about a major cybersecurity incident once you're aware of it? It also was about what are you telling investors about how you are handling cybersecurity?

So in my view, while the ruling pared back most of the case, SolarWinds still reinforces that number one, the SEC has enforcement authority in cybersecurity, that's now been confirmed by a district court judge, at least at the pleading stage, and that the SEC can now bring disclosure charges against a company if it overstates what it is doing to address cybersecurity. So in my mind, this still goes hand in hand with the new rules.

Stephanie Pell: And Jennifer, going forward, how do you see this case shaping the SEC's cybersecurity enforcement actions?

Jennifer Lee: I think the SEC will likely refine its theories. For the next case and future investigations, there's now, in terms of what's clear, there's a clear path for the SEC to bring a case that can survive a motion to dismiss where a company's public statements about its cybersecurity practices is demonstrably wrong.

I think on the novel theories, the SEC may still look for a case that solves the weaknesses of SolarWinds and push the boundaries again. So on internal accounting controls, if there was an insufficient link here in SolarWinds between the cybersecurity controls and internal accounting controls, the SEC may find a case where there's more of that link and where some failure in cybersecurity controls actually impacted the company's financial data or accounting systems. On risk factor disclosures, the SEC may find a case in which the company knew sufficient information about a major cybersecurity incident but still made a misleading risk factor disclosure post incident. So I think these are still areas of uncertainty. I think the SEC will be more refined going forward, but they probably will not necessarily give up on these theories whole stop.

Stephanie Pell: So Jennifer, what happens next in this case then? What should we be looking for?

Jennifer Lee: I think resolution will depend on how aggressive the SEC wants to be in SolarWinds, because they have significant fraud charges that typically go hand in hand with very tough remedies. Typically, with an intentional fraud charge against an individual, they would look for an officer or director bar against that person. They also would likely look for big penalties for the company and other remedies that could have a lot of ramifications for the company. So I think part of it depends on just how aggressive does the SEC want to continue to be in this case. And ultimately, I think there's probably two options here. Either the case is going to settle, or likely it's going to be narrowed even further at summary judgment for the reasons that we've talked about in terms of just difficulties and proof for the SEC.

Stephanie Pell: Anything else that either of you would like to share with our listeners?

Shoba Pillay: I think a couple of things are worth noting and thinking about the impact of this case more broadly. Number one, one of the largest complaints and pushback from the industry, both to the SEC cyber rule and this particular complaint, is that it's really focusing on publicly disclosing cybersecurity risks, which creates real risk for a company and really providing a potential roadmap to threat actors.

So A) some of the new cyber rules originally were requiring really detailed disclosures about the state of cybersecurity, including any, in the risk factors, what the sort of nature of the vulnerabilities were. That was ultimately pared back in what became the public cyber rule, which is great, but then in this complaint, the SEC detailed a litany of cybersecure, alleged cybersecurity failures for the company, including publicizing alleged passwords. Now, of course, we would hope the company has already, remediated all of this. But they would have to do it in response to a complaint. They may not have time to do that because threat actors read this stuff. They read Edgar. They read what's public. And they sometimes are faster. And so I think it really creates a lot of risk for companies if the SEC is going to continue in its enforcement to be really public about the nature of security for a live company.

So I'm really hoping that one of the things the SEC is thinking about is being a little bit more careful in how it brings these actions while focusing on its mandate of investor protection. It really does have some obligation to be conscious of the fact that when engaging these enforcement actions in a cybersecurity context, they're also essentially re-victimizing a victim of a crime, right?

The companies who have been attacked are victims of a crime. And so while it may be true, ultimately, the SEC can maybe show that a company's cybersecurity was not as strong as it claimed it was, and maybe that then will be successful in an enforcement action, I still think it's completely overly aggressive to publicly note every single thing that a company was unable to make secure because it gives our threat actors a real roadmap to re-victimize and potentially re-compromise that company.

Jennifer Lee: I agree with Shoba. I think this is a mixed result for both the SEC and for public companies trying to grapple with what do they need to disclose by way of cybersecurity, and there's a lot of uncertainty, mostly because it's unclear just how aggressive is the SEC going to be going forward. I do think for CISOs the message is clear. The entire case rests on the CISO because it's a fraud claim that is premised on the CISO's conduct that is then being imputed to the company. So for CISOs, they have to be aligned with the company on their disclosure and controls obligations and just know that what they're saying, approving, or even reviewing could form the basis of an SEC action. So it's really important for them to have clarity over what it is that they're doing or saying in that realm.

Stephanie Pell: We'll have to leave it there for today. Thank you both so much for joining me.

Shoba Pillay: Thank you.

Jennifer Lee: Thank you.

Stephanie Pell:  The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and your audio engineer this episode was Noam Osband of GoatRodeo. Our theme song is from Alibi Music. As always, thank you for listening.


Stephanie Pell is a Fellow in Governance Studies at the Brookings Institution and a Senior Editor at Lawfare. Prior to joining Brookings, she was an Associate Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute, with a joint appointment to the Department of English and Philosophy. Prior to joining West Point’s faculty, Stephanie served as a Majority Counsel to the House Judiciary Committee. She was also a federal prosecutor for over fourteen years, working as a Senior Counsel to the Deputy Attorney General, as a Counsel to the Assistant Attorney General of the National Security Division, and as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Southern District of Florida.
Shoba Pillay is a partner at Jenner & Block and a former federal prosecutor. Her areas of focus include data privacy, cybersecurity, and national security.
Jennifer Lee is a partner at Jenner & Block and a former Assistant Director in the SEC’s Division of Enforcement. Her areas of focus include business litigation, data prviacy, cybersecurity, and investors and securities litigation.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.

Subscribe to Lawfare