Press Release

Cooley, Cybersecurity Leaders File Brief Opposing SEC’s SolarWinds Cyberattack Case

February 2, 2024

New York, NY – February 2, 2024 – Cooley, alongside co-counsel Freshfields Bruckhaus Deringer US LLP, filed an amicus brief on behalf of thirty current and former chief information security officers (CISOs) and cybersecurity organizations in Securities and Exchange Commission v. SolarWinds Corp. and Timothy G. Brown, which is pending in the US District Court for the Southern District of New York. Lawyers Andrew Goldstein, Josef Ansorge and Matt Nguyen led the Cooley effort.

This US Securities and Exchange Commission (SEC) action arises out of sustained cyberattacks perpetrated between 2018 and 2020 by Russian government-backed hackers against SolarWinds, attacks that industry experts have described as among the most sophisticated in history. In October 2023, the SEC charged SolarWinds and its CISO Timothy Brown for allegedly misrepresenting the company’s cybersecurity risks before, during, and after the cyberattacks.

Representing CISOs and the broader cybersecurity community, Cooley’s amicus brief argues that CISOs play an indispensable role in national security and cybersecurity, and that the SEC’s action threatens to undermine the flexibility needed for CISOs to effectively triage cybersecurity risks. The brief points to the harmful consequences of the SEC’s flawed theory of CISO liability – including its reliance on Brown’s efforts to identify cybersecurity vulnerabilities and resolve them proactively. According to the brief, by asserting liability under the facts alleged in its complaint, the SEC’s action risks undermining core CISO job functions. And, given the SEC’s expansive theory of liability against CISOs and organizations that fall victim to such attacks, the brief highlights powerful evidence that this action is dangerous and counterproductive for cybersecurity and US national security.

The brief’s signers are a who’s who of the cybersecurity community, and they include top cybersecurity organizations such as SINET, Internet Security Alliance, TAG Infosphere and the Secure Policy Coalition. It’s also signed by 20+ cybersecurity leaders who have served as CISOs and in other senior cybersecurity roles at major companies – including Activision Blizzard, AMD, Albertsons, Amazon Prime Video, Avangrid, AXIS Capital, BBVA USA, Blackstone, City National Bank, Clorox, DataRobot, Exelon, HP, Intel, NTT, Salesforce, SAP, Siemens, and Staples – who signed solely in their personal capacities and not on behalf of their affiliated companies.

***

Cooley counsels corporate and individual clients on all aspects of cybersecurity – including strategy, governance, risk management, disclosures, incident response, investigations and enforcement actions.

In the event of a suspected data incident, members of Cooley’s 24/7 data incident and breach response team can be reached at any time using the contact information below.

Cooley Incident Response Hotline

incident.response@cooley.com
+1 844 476 1248
+1 415 693 2888

For additional resources, visit Cooley’s SEC Cybersecurity Disclosure Rules Resources page.

About Cooley LLP

Clients partner with Cooley on transformative deals, complex IP and regulatory matters, and high-stakes litigation, where innovation meets the law.

Cooley has more than 1,300 lawyers across 19 offices in the United States, Asia and Europe, and a total workforce of more than 3,000.
