New York, NY – February 2, 2024 – Cooley, alongside co-counsel Freshfields Bruckhaus Deringer US LLP, filed an amicus brief on behalf of thirty current and former chief information security officers (CISOs) and cybersecurity organizations in Securities and Exchange Commission v. SolarWinds Corp. and Timothy G. Brown, which is pending in the US District Court for the Southern District of New York. Lawyers Andrew Goldstein, Josef Ansorge and Matt Nguyen led the Cooley effort.

This US Securities and Exchange Commission (SEC) action arises out of sustained cyberattacks perpetrated against SolarWinds between 2018 and 2020 by Russian government-backed hackers, attacks that industry experts have described as among the most sophisticated in history. In October 2023, the SEC charged SolarWinds and its CISO, Timothy Brown, for allegedly misrepresenting the company's cybersecurity risks before, during, and after the cyberattacks.

Representing CISOs and the broader cybersecurity community, Cooley's amicus brief argues that CISOs play an indispensable role in national security and cybersecurity, and that the SEC's action threatens to undermine the flexibility needed for CISOs to effectively triage cybersecurity risks. The brief points to the harmful consequences of the SEC's flawed theory of CISO liability – including its reliance on Brown's efforts to identify cybersecurity vulnerabilities and resolve them proactively. According to the brief, by asserting liability under the facts alleged in its complaint, the SEC's action risks undermining core CISO job functions. And, given the SEC's expansive theory of liability against CISOs and organizations that fall victim to such attacks, the brief highlights powerful evidence that this action is dangerous and counterproductive for cybersecurity and US national security.

The brief's signers are a who's who of the cybersecurity community, and they include top cybersecurity organizations such as SINET, Internet Security Alliance, TAG Infosphere and the Secure Policy Coalition. It's also signed by 20+ cybersecurity leaders who have served as CISOs and in other senior cybersecurity roles at major companies – including Activision Blizzard, AMD, Albertsons, Amazon Prime Video, Avangrid, AXIS Capital, BBVA USA, Blackstone, City National Bank, Clorox, DataRobot, Exelon, HP, Intel, NTT, Salesforce, SAP, Siemens, and Staples – who signed solely in their personal capacities and not on behalf of their affiliated companies.
