**Title: Court Dismisses Majority of SEC's Claims Against SolarWinds and CISO: Key Takeaways for Cybersecurity and Securities Law**

**Introduction:**
In a landmark decision on July 18, 2024, the U.S. District Court for the Southern District of New York dismissed the majority of the U.S. Securities and Exchange Commission’s (SEC) claims against SolarWinds Corporation and its Chief Information Security Officer (CISO), Tim Brown. This case, which stemmed from the 2020 SUNBURST cyberattack on SolarWinds' Orion platform, marks the first time the SEC has alleged a CISO violated securities laws in connection with a company’s cybersecurity practices. The court's decision has significant implications for publicly traded companies and their cybersecurity leaders, particularly regarding how they communicate their cybersecurity practices.

**Key Points from the Court’s Decision:**

1. **Customer-Facing Statements Are Actionable Under Securities Laws:**
The court held that customer-facing statements, such as SolarWinds' Security Statement posted on its website, are actionable under securities laws. This decision emphasizes that public statements, regardless of their intended audience, can be scrutinized for accuracy and materiality in the eyes of investors. Companies should be vigilant in ensuring that any public information is truthful and not misleading.

2. **Scrutinizing Public Statements on Cyber Practices:**
The court’s decision underscores the importance of carefully crafting public statements about cybersecurity practices. Although the court dismissed many of the SEC's claims related to informal communications like blog posts and press releases, it upheld allegations regarding specific claims in SolarWinds' Security Statement. Companies must ensure that any assertions about cybersecurity controls are accurate and supported by internal practices.

3. **Internal Communications Can Undermine Public Statements:**
The SEC’s allegations heavily relied on internal emails and presentations that contradicted SolarWinds' public claims about its cybersecurity practices. This highlights the importance of consistent internal and external communications and the need for training employees on the potential legal ramifications of internal communications.

4. **Cybersecurity Controls Not Mandated by the Exchange Act’s Internal Controls Provisions:**
The court rejected the SEC’s novel argument that Section 13(b)(2)(B)(iii) of the Exchange Act mandates the adoption of cybersecurity controls as part of a company’s internal accounting controls. This decision limits the SEC’s authority to regulate cybersecurity practices through the Exchange Act, though companies must still comply with broader securities laws and disclosure obligations.

5. **Incident Response Plans and Disclosure Controls:**
The court found that isolated errors in classifying cybersecurity incidents do not necessarily equate to inadequate disclosure controls. However, companies should ensure their incident response plans are robust enough to escalate significant incidents to management for disclosure evaluation.

**Conclusion:**
The court’s ruling is a substantial setback for the SEC’s cybersecurity enforcement efforts, particularly in the context of securities fraud claims related to cybersecurity practices. Nevertheless, the decision serves as a critical reminder for companies to carefully manage both their public and internal communications about cybersecurity. As the SEC continues to prioritize cybersecurity in its enforcement activities, companies must remain vigilant in ensuring compliance with securities laws and maintaining accurate and consistent communications.

**Call to Action:**
If your company is navigating the complexities of cybersecurity disclosures and SEC compliance, our experienced legal team is here to help. Contact us today to ensure your practices and communications align with current legal standards and to protect your business from potential securities law violations.