Trusted Professional

Cybersecurity Lawsuit Filed by SEC Sparks Concerns Among Many Corporations

A lawsuit filed by the Securities and Exchange Commission (SEC) against a software company hacked by Russian agents in 2020 is worrying chief information security officers (CISOs) and their companies around the country, The New York Times reported.

The SEC’s suit, filed in October, accused Austin, Tex.-based SolarWinds Corporation and its CISO, Timothy G. Brown, of defrauding investors by not disclosing allegedly known cybersecurity risks and vulnerabilities.

The regulatory agency's action has worried other CISOs, who may now face increased personal legal exposure for what their companies disclose.

“I’ve been doing this for 25 years, and I’ve always been protecting others,” George Gerchow, the chief security officer and senior vice president of information technology at Sumo Logic, a software company, told the Times. “Now, all of a sudden, I’m in a weird position where I’m having to protect myself.”

SolarWinds did disclose some cybersecurity risks as required, but the SEC no longer considers those boilerplate disclosures to be sufficient if the company knows of more specific risks, the Times reported. The lawsuit is the first in which the SEC has charged a company with intentional fraud related to cybersecurity disclosures, according to the law firm White & Case.

The lawsuit could “actually make CISOs more fearful, not more emboldened to raise their voice,” SolarWinds CEO Sudhakar Ramakrishna told the Times. Other experts interviewed by the Times were divided over whether it will encourage better or worse practices.

One such expert, Josephine Wolff, an associate professor of cybersecurity policy at Tufts University, said that “[t]here were some serious warning signs that [SolarWinds CISO Brown] and his team had surfaced … [a]nd now that’s being used against him specifically to say, ‘You knew about this, you didn’t disclose it in the SEC filings.’ Which I think really does create an incentive to never document or never find any vulnerabilities anywhere.” That could make it difficult for the IT department to ask for money for cybersecurity, she told the Times.

Jake Williams, another security expert, who consults with companies when they have experienced a data breach, told the Times that he regularly saw CISOs being asked to “paint a rosy or maybe rosier-than-aligned-with-reality picture.” But he added: “That practice, I think, died the day the SolarWinds lawsuit was filed by the agency. No CISO can now risk basically painting an unrealistically positive picture of cybersecurity.”

The SEC’s new cybersecurity disclosure rules are set to take effect in December. They require companies to report cybersecurity incidents within four business days of determining that an incident is material, and to make yearly disclosures about their cybersecurity risk management, strategy and governance. The SEC’s enforcement director, Gurbir Grewal, said in June that the agency had “zero tolerance for gamesmanship” around cybersecurity disclosures.

Given the debate over how much is too much and how little is too little to disclose, the question for Wolff is whether the SEC can define a clear middle ground.

To learn how to be more effective in dealing with risk, fraud, cybersecurity, and other matters, attend the Foundation for Accounting Education's CFO Series: Staying Ahead in a Dynamic Economy Webinar on Nov. 27.