On July 18, Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York granted in part a motion by SolarWinds Corporation and its Chief Information Security Officer to dismiss fraud and internal controls charges brought by the Securities and Exchange Commission. The SEC brought the charges in the aftermath of a compromise of the company’s software product.
Critically, the court ruled that the SEC has no authority to bring “internal controls” charges under Section 13(b)(2)(B) of the Securities Exchange Act that do not concern a public company’s financial accounting controls. The ruling tracked the arguments in an amicus brief that S&C submitted on behalf of the U.S. Chamber of Commerce and Business Roundtable urging dismissal of the SEC’s claim. The court rejected the SEC’s expansive theory that it could charge any public company that experiences a cyber intrusion with violating the federal securities laws.
This is the first case in which the SEC’s interpretation of its authority under Section 13(b)(2)(B) has been challenged in court. The ruling has significant implications for public companies beyond the cybersecurity context, as the SEC has increasingly charged companies in recent years with “internal controls” violations under Section 13(b)(2)(B) on alleged deficiencies in any legal, compliance, or risk-management controls, not limited to financial accounting controls.
The S&C team representing the U.S. Chamber of Commerce and Business Roundtable included Nicole Friedlander, Jeff Wall, and Paulena Prager.