The SEC’s Charges Against SolarWinds and its Chief Information Security Officer Provide Important Cybersecurity Lessons for Public Companies
10 min read
On October 30, 2023, the US Securities and Exchange Commission ("SEC") announced that it filed charges against SolarWinds Corp. ("SolarWinds" or the "Company") and its Chief Information Security Officer ("CISO") in connection with the SEC Division of Enforcement's ("Enforcement Division") investigation of a cyberattack. The complaint alleges that the Company "defrauded SolarWinds' investors and customers through misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened—and increasing—cybersecurity risks."1
This lawsuit is notable as the first in which the SEC has brought cybersecurity enforcement claims against an individual. It is also the first time the SEC has leveled intentional fraud charges in a cybersecurity disclosure case.
SolarWinds has publicly denied the SEC's charges, and its chief executive officer characterized the action as "misguided and improper . . ., representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages."2
This action comes as comprehensive SEC cybersecurity disclosure rules are set to take effect in December and indicates that the SEC will actively enforce not only the new disclosure requirements but also other possible violations, such as insufficient internal controls, that stem from inadequate cybersecurity practices.3 The Director of the Enforcement Division emphasized that this enforcement action "not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company's 'crown jewel' assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns."4
Background
SolarWinds is an Austin, Texas-based corporation that develops software for large companies and government agencies to manage their information technology infrastructure. In December 2020, it was widely publicized that software made by SolarWinds had been subject to a cyberattack, commonly referred to as "SUNBURST." SUNBURST is believed to have been conducted by Russian state-sponsored hackers and resulted in one of the most extensive cyberattacks ever, impacting not only SolarWinds but its customers.5
The SEC's Complaint
The SEC's complaint ("Complaint"), filed in the Southern District of New York, alleges that SolarWinds and its CISO, Timothy G. Brown, violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 ("Exchange Act"). The Complaint also alleged that SolarWinds violated reporting, internal control, and disclosure controls provisions of the Exchange Act; and Brown aided and abetted the Company's violations. A key theme of the Complaint is that management was allegedly aware of ongoing cybersecurity issues and failures over several years and did not disclose and address them – rather, management lied to its customers and investors about its cybersecurity practices and threats. The SEC stated in its Complaint that "SolarWinds' poor controls, Defendants' false and misleading statements . . . would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack."6 The Complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown. Key allegations from the Complaint are discussed in more detail below.
Poor Cybersecurity Practices, Not Disclosed
The Complaint alleges that from its 2018 initial public offering ("IPO") through at least December 2020, when SolarWinds publicly disclosed the SUNBURST breach, the Company's public statements about its cybersecurity practices and risks “painted a starkly different picture from internal discussions and assessments about the Company's cybersecurity policy violations, vulnerabilities, and cyberattacks.”7 This allegedly included the “Security Statement” on SolarWinds' website promoting its cybersecurity practices, as well as its IPO registration and subsequent periodic SEC reports and a Form 8-K with initial disclosures of the SUNBURST attack.
Specifically, the Complaint alleges that the Security Statement failed to disclose what the SEC characterizes as the company's "poor cybersecurity practices." These include:
- Misleading claims that SolarWinds follows the National Institute of Standards and Technology Cybersecurity Framework ("NIST Framework"), when in fact it “had no program/practice in place for the majority of the controls";8
- Not maintaining a Secure Development Lifecycle for the software it developed and sold to its customers, despite disclosure in its Security Statement posted on its website touting strong cybersecurity practices;9
- Lacking procedures for maintaining strong passwords on critical systems in contrast to claims made in its Security Statement – for example “passwords were not individually stored in an encrypted state or 'salted as hashed,' as SolarWinds and Brown represented in the Security Statement," and "Sarbanes-Oxley ('SOX') audits in 2018 and 2019 documented additional instances in which '[p]assword requirements' and 'password history' requirements were not met";10 and
- Failing "for years" to address and resolve "significant" access problems and misleading investors about these practices, including "expansive use of 'admin' privileges and a virtual private network vulnerability that was exacerbated by the Company's failure to enforce its remote access policies."11
As to the Company's SEC filings, the Complaint emphasizes that the cybersecurity risk disclosures were "generic and hypothetical" and did not address the issues listed above, and other known risks, rendering the disclosures "materially misleading." For example, the Company warned of an inability to defend against 'unanticipate[d]… techniques' but failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the [Company's] Security Statement.”12 In October 2018, the same month that SolarWinds conducted its IPO through a registration statement with only "generic and hypothetical" cybersecurity risk disclosures, the Company's CISO wrote in "an internal presentation that SolarWinds' 'current state of security leaves us in a very vulnerable state for our critical assets'."13 Thereafter, for the next two years, the Company repeated the same generalized risk disclosures in multiple SEC reports, despite, in the SEC's view, accumulating red flags which made the static disclosures worse over time.
Inadequate Disclosures Regarding The 2020 SUNBURST Breach
Over the course of 2020, according to the Complaint, Brown and SolarWinds learned of a series of security breaches experienced by their customers, including a US government agency and two cybersecurity companies. Further, in October and November 2020, SolarWinds learned of at least eight other high-risk vulnerabilities affecting their platform. The Company did not make any specific disclosures about these events or vulnerabilities. In December 2020, a customer identified a vulnerability in SolarWinds' software as a result of malicious code, which linked to the previous attacks suffered by other customers. The Company then filed a Current Report on Form 8-K with the SEC disclosing that it had "been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server…" (emphasis added in the Complaint).14 The Complaint states that this disclosure was false and misleading, because "[i]n fact, SolarWinds knew that attackers had already utilized the vulnerability to do so on at least three occasions."15
Internal Control & Disclosure Controls Failures
The Complaint alleges that SolarWinds failed to devise and maintain a system of controls sufficient to protect its critical assets. SolarWinds failed to follow its own certification controls "including failing to use and document a list of controls in connection with certifications by Company officials" and, while the CISO certified to the effectiveness of the Company's technology controls over financial reporting, he was unable to identify the relevant controls and instead "certified based on his general sense of the quality of those controls, while failing to identify the Company's extensive shortcomings in areas such as access controls."16 Further, despite being aware of issues and deficiencies, "[the CISO] signed sub-certifications relied on by senior executives, confirming that all material incidents had been disclosed to the executives responsible for the Company's securities filings."17
The Complaint also points out repeated examples of how SolarWinds lacked disclosure controls and procedures "to ensure that information regarding potentially material cybersecurity risks, incidents, and vulnerabilities was reported to the executives responsible for disclosures."18 For example, "[i]nternal emails, messages, and documents describe numerous known material cybersecurity risks, control issues, and vulnerabilities" yet these were not reported in the Company’s public disclosures.19 Further, "[n]o one, including [the CISO], raised the issue[s] with SolarWinds' Disclosure Committee, nor did SolarWinds have sufficient procedures and controls in place to ensure that he did so. Nor did he, or anyone else at SolarWinds, ensure that SolarWinds enforced its existing internal guidelines".20
According to the SEC, the Company's cybersecurity deficiencies "reflected a culture that did not take cybersecurity issues with sufficient seriousness, and a scheme to conceal these issues from investors and customers." The SEC further noted that the culture at SolarWinds was, instead, one of "recklessness, negligence, and scienter."21
Lessons for Public Companies
The SEC's enforcement action against SolarWinds, should alert public companies to the SEC's heightened focus on cybersecurity. This is particularly important in light of the comprehensive new cybersecurity incident reporting and cybersecurity risk management and governance disclosure that will be required of public companies.
Key takeaways include:
- Evaluate and address cybersecurity risks and weaknesses and implement appropriate controls: Boards of directors and management teams should be kept informed and should address any identified issues, and design and implement controls and procedures to ensure that cybersecurity vulnerabilities are appropriately escalated to senior management.
- Review all public statements: The SEC will consider all public disclosures, not just SEC filings, when assessing compliance. This includes a company's privacy policy or other online representations that appear on a company's website. As such, companies need to ensure that their representations about the adequacy and scope of their cybersecurity programs are internally consistent, accurate, and transparent.
- Avoid generalized disclosures: Vague, boilerplate statements as to risks and consequences are inadequate. When there are identified issues or failures, hypothetical and/or partial disclosure can be misleading, and if additional red flags develop, the disclosure should be modified, as appropriate, over time.
- Evaluate the totality of cybersecurity practices: The total impact of a company's cybersecurity practices, remedial efforts, identified risks and known threats or attacks needs to be evaluated collectively when crafting disclosure, rather than looking at isolated incidents individually. Materiality will be heightened when there are numerous related issues. Particular attention should be paid to disclosure of cybersecurity risks and issues relating to "crown jewel" or flagship products or services that account for a significant portion of a company's revenues.
- Individuals may be charged: The fraud and aiding and abetting claims against the SolarWinds CISO highlight the imperative for public company CISOs and other officers to communicate vulnerabilities to senior executives, participate in the disclosure committee process and ensure that public disclosures are specific, detailed, timely and consistent with internal communications. Officers should confirm that escalation procedures are documented and implemented.
- Significant monetary penalties may be imposed: Failure to ensure disclosures are accurate and conform to actual practices can lead to significant monetary penalties.22 Over the past 5 years, the SEC has imposed civil monetary penalties for failing to adequately disclose cyber incidents ranging from $1 million to $35 million.23
- Private shareholder actions may be brought: Parallel private shareholder actions are common and show the risks to Boards of Directors. In 2021, following the steep decline in SolarWinds' share price, a group of individual and pension fund investors sued the SolarWinds Board of Directors, and the Company derivatively, in Delaware state court. They alleged breach of fiduciary duties for failure to oversee cybersecurity risks.24 That suit was ultimately dismissed – and dismissal upheld by the Delaware Supreme Court in May 2023. Separately, SolarWinds settled for $26 million a class action lawsuit brought against it in Texas federal court relating to the SUNBURST cyberattack.25 Public company directors are well advised to closely follow corporate cybersecurity practices, vulnerabilities, and disclosures, as we could see more such private shareholder actions in the future.
- Evaluate Insurance Coverage: As the SEC has made clear, it is actively scrutinizing inadequate cybersecurity disclosures, and shareholder actions are likely to increase alleging the same. Companies should evaluate both their existing and anticipated directors & officers and cyber liability insurance policies to ensure claims arising from or relating to cybersecurity disclosures are covered.
1 Complaint, SEC v. SolarWinds Corp. and Brown, No. 1:23-cv-9518 (S.D.N.Y. Oct. 30, 2023) at 1.
2 See Sudhakar Ramakrishna, Transparency, Information-Sharing, and Collaboration Make the Software Industry More Secure. We Must Not Risk Our Progress, (Oct 30, 2023), https://orangematter.solarwinds.com/2023/10/30/transparency-information-sharing.
3 For more details on these rules, see our alert here: https://www.whitecase.com/insight-alert/sec-adopts-mandatory-cybersecurity-disclosure-rules
4 Press Release, US SEC. & EXCH. COMM'N, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023) https://www.sec.gov/news/press-release/2023-227.
5 See David E. Sanger et. al, Scope of Russian Hacking Becomes Clear: Multiple US Agencies Were Hit, (Dec. 14, 2020),
https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html.
6 Complaint at 7.
7 Id. at 2.
8 Id. at 16.
9 Id. at 19.
10 Id. at 24.
11 Id. at 28.
12 Id. at 3-4.
13 Id. at 36. 14 Id. at 56.
15 Id. at 56-57.
16 Id. at 60.
17 Id. at 51.
18 Id. at 25-26.
19 Id. at 4.
20 Id. at 32.
21 Id. at 20.
22 The penalties for criminal (willful) violations of the Securities Act, which can include material omissions, are up to $5 million and up to 20 years in jail for individuals, and up to $25 million for corporations. 15 U.S.C. § 78ff(a). The penalty for civil violations is set by FCC policy and is currently capped at $510,962 for fraudulent actions by corporations.
23 See Atalba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, https://www.sec.gov/news/press-release/2018-71; see also SEC Charges Pearson plc for Misleading Investors About Cyber Breach, https://www.sec.gov/news/press-release/2021-154.
24 Construction Industry Laborers Pension Fund et al v. Bingle et. al. (Del. Ch. No. 2021-0940).
25 SolarWinds $26 Million Investor Deal Warrants Nod, Court Told, https://news.bloomberglaw.com/litigation/solarwinds-26-million-investor-deal-warrants-nod-court-told.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP