skip to main content

Amid urgent national security, cybersecurity and data privacy threats, companies require experienced counsel to advise on an ever-changing privacy and cybersecurity compliance landscape and respond to potentially crippling data incidents so they can get back to business. Led by some of the world’s leading legal advisors on national security and data-related regulatory matters, we help boards and top executives safely navigate high-impact breaches and related cyber incidents, and offer specialized regulatory advice in the transactional and compliance contexts.

Paul, Weiss Files Amicus Brief on Behalf of Over 20 Former Senior Government Officials in Landmark SEC Enforcement Action Over Cybersecurity Disclosures

On February 2, Paul, Weiss filed an amicus brief in the U.S. District Court for the Southern District of New York on behalf of over 20 of the most senior former cybersecurity government officials in the U.S. Securities and Exchange Commission’s landmark enforcement action against software company SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown. The SolarWinds suit represents the first time the SEC has initiated litigation against a company for allegedly deficient cybersecurity disclosures, as well as the first time an individual CISO has been named as a defendant in an SEC action of this kind. In the brief, amici urge the court to carefully evaluate how enforcement actions such as this one may disincentivize companies from sharing critical cybersecurity information with government authorities.

The lawsuit stems from a massive, nearly two-year-long cyberattack carried out by Russian-backed hackers in what is considered to be one of the worst cyber espionage incidents in U.S. history. The attack, known as “SUNBURST,” was particularly grievous because several government agencies relied on SolarWinds’ Orion IT monitoring and management software. The incident was first disclosed by SolarWinds in December 2020.

The SEC filed its action on October 30, 2023, alleging that SolarWinds and Brown defrauded the company’s investors and customers through misstatements, omissions and schemes that concealed both SolarWinds’ purportedly poor cybersecurity practices and its increasing cybersecurity risks. A motion to dismiss is pending.

In our amicus brief, we argue that cyberattacks are a mounting threat to our national security, and that the federal government has acknowledged time and again that close cooperation and information-sharing between the public and private sectors is a key line of defense against national cyber threats. Such information-sharing and cooperation is most effective when information is shared quickly, often in the midst of a crisis when not all of the facts are known and information is likely to change. Even the shortest delay in sharing information can hamper the government’s ability to effectively respond.

We urge the court to consider the risk of chilling voluntary disclosure by companies or CISOs who may become more hesitant to share with law enforcement preliminary information about a cybersecurity incident or vulnerability if that information may be treated in hindsight as something that should have been disclosed publicly.

“Public disclosure is not a substitute for, and must not come at the expense of, voluntary confidential sharing of more detailed cyber threat information with the agencies tasked with combatting cyber threats, who have the right set of technical tools and legal authority to take effective action,” we argue.

The Paul, Weiss team includes litigation partners John Carlin, Jeannie Rhee and Melinda Haag, who are named as amici in the brief, and counsel Peter Carey.

Our brief can be found here.

 

© 2024 Paul, Weiss, Rifkind, Wharton & Garrison LLP

Privacy Policy