S&C Partners Bob Downes, Nicky Friedlander and Tony Lewis, and associate Peter Charnell, co-authored an article for Law360 discussing the extent to which the SEC has authority to punish a company for alleged accounting controls failures in relation to a cybersecurity breach. The article discusses actions taken against SolarWinds Corp. and R.R. Donnelley & Sons, in which the SEC asserts that “accounting controls” include those that protect companies’ information systems.
Nicky co-authored an amicus brief on behalf of the U.S. Chamber of Commerce and Business Roundtable urging dismissal of the SEC’s claim against SolarWinds. On July 18, a New York federal judge dismissed substantial portions of the SEC’s case, including the accounting controls charge, adopting many of the arguments in the brief.
The ruling has significant implications for public companies beyond the cybersecurity context because the SEC’s interpretation of “accounting controls,” as the authors note in the article, enabled the agency to penalize public companies for any perceived failure of any type of controls, not limited to accounting controls.
Read: “Navigating the Extent of SEC Cybersecurity Breach Authority”