The Lawfare Podcast

Shoba Pillay and Jennifer Lee on the SEC SolarWinds Enforcement Action

Jan 23, 2024

Shoba Pillay and Jennifer Lee discuss the cybersecurity and national security implications of the SolarWinds hack, the SEC's enforcement action against SolarWinds and its CISO, challenges faced by companies in addressing cybersecurity and accurate disclosures, SolarWinds' response to the SEC complaint, and the impact of the SolarWinds case on cybersecurity disclosures.

37:52

Creator website

Episode guests

Jennifer Lee

Shoba Pillay

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The SolarWinds intrusion showcased the vulnerabilities in software updates, highlighting the need for enhanced protection measures against supply chain attacks.

The SEC's enforcement action against SolarWinds emphasizes the importance of accurate disclosure of cybersecurity risks and raises the potential for increased accountability for CISOs in the future.

Deep dives

Overview of the SolarWinds intrusion

The SolarWinds Corporation, a software as a service company, experienced a cyber attack in which a nation-state-sponsored Russia-based threat actor gained access to its network and injected malware into its software development process. The malware, known as sunburst, was unknowingly distributed to SolarWinds customers through software updates. This allowed the threat actor to gain access to the networks, systems, and data of thousands of government agencies and private sector companies using SolarWinds' Orion software. The intrusion went undetected for several months before being discovered.

Introduction

3min

The SolarWinds Intrusion: A Nefarious Attack on Government Networks and Private Companies

14min

SEC's SolarWinds Enforcement Action and Companies' Cybersecurity Obligations

4min

SEC's Action in the SolarWinds Case

7min

SolarWinds' Response to SEC Enforcement Action

7min

Targeting Cybersecurity Disclosures and the Impact of the Solar Winds Case

4min

The fallout from the SolarWinds intrusion took a new turn with the U.S. Security and Exchange Commission’s (SEC) decision to file a cybersecurity-related enforcement action against the SolarWinds corporation and its Chief Information Security Officer (CISO), Timothy G. Brown, on October 30 of last year. To talk about the details and significance of this enforcement action, Lawfare Senior Editor Stephanie Pell sat down with Shoba Pillay, a partner at Jenner & Block and a former federal prosecutor, and Jennifer Lee, also a partner at Jenner & Block and a former Assistant Director in the SEC’s Division of Enforcement. They discussed the cybersecurity and national security implications of the SolarWinds hack, what the SolarWinds enforcement action suggests about the SEC’s expectations for disclosure obligations of companies, and whether the SEC or another agency is best suited to determine whether and how SolarWinds should be held accountable. They also discussed larger takeaways and messages sent by the SEC’s decision to charge a CISO in this case.

Support this show http://supporter.acast.com/lawfare.

Hosted on Acast. See acast.com/privacy for more information.