November 6, 2023

Winds of Change: SEC's SolarWinds Lawsuit Signals Hotter Cybersecurity Enforcement

Holland & Knight SECond Opinions Blog
Allison Kernisky

The SEC on Oct. 30, 2023, filed a landmark cybersecurity enforcement action against SolarWinds Corp. (SolarWinds) and the company's current Chief Information Security Officer (CISO) Timothy Brown. The SEC's complaint alleges violations of the scienter-based antifraud provisions of the federal securities laws and various internal control failures concerning the company's statements and disclosures about its cybersecurity architecture and a cyberattack effectuated by foreign actors. The enforcement action is one of many firsts for the agency, including the SEC's first scienter fraud charges related to public company cybersecurity disclosures, its first litigated enforcement action involving the same, and its first cybersecurity lawsuit against an individual. Coming on the heels of the agency recently finalizing disclosure requirements for public companies, the lawsuit is equal parts illuminating and unsettling. In today's post, we'll provide an overview of the SEC's lawsuit and some initial key takeaways.

Overview of SEC Complaint

SolarWinds is a public company based in Texas that develops monitoring software and cybersecurity products for a wide range of customers, including several government agencies. Between 2018 and 2020, SolarWinds had more than 300,000 customers, including 499 of the Fortune 500 companies. According to the SEC, SolarWinds' primary product was Orion, an information technology infrastructure and management platform. During the relevant period in the SEC's complaint, Brown served as the company's Vice President of Security and Architecture.

In January 2019, months after SolarWinds' initial public offering (IPO), foreign "threat actors" (or hackers) accessed SolarWinds' virtual private network (VPN) using an unmanaged third-party device and stolen credentials. According to the SEC, from January 2019 through approximately November 2020, the hackers conducted reconnaissance, identified product and network vulnerabilities, harvested additional login credentials and planned additional attacks. Furthermore, they were able to access SolarWinds' entire network without detection, including several million emails of SolarWinds personnel. Starting in November 2019, the hackers then inserted malicious code (known as SUNBURST) into SolarWinds' Orion software. This code was ultimately included in versions of the software sent to SolarWinds' customers.

The SEC alleges that SolarWinds learned in the middle of 2020 that some of its customers (including government agencies) had suffered attacks that potentially could be traced back to Orion. After additional notifications from customers and an internal investigation, SolarWinds concluded in December 2020 that malicious code had been inserted into the Orion platform. Thereafter, SolarWinds filed a Form 8-K on Dec. 14, 2020 that publicly disclosed the SUNBURST attack.

As detailed below, the SEC alleges that SolarWinds and Brown defrauded SolarWinds' investors and customers through false and misleading statements about both the company's cybersecurity risks and practices and the cyberattack itself. Generally speaking, the SEC alleges that the hackers exploited vulnerabilities that SolarWinds and Brown knew about months – or even years – before the cyberattack, and these allegedly known vulnerabilities were never disclosed to investors (and thus contrary to various statements made to investors).

The SEC alleges three main buckets of evidence to support its claims that SolarWinds and Brown violated (or, in certain cases for Brown, aided and abetted the violations of) the antifraud, reporting, internal accounting control, and disclosure controls and procedures (DCP) provisions of the federal securities laws:

  • SolarWinds Security Statement: The SEC asserts that the company's Security Statement, which it included on its website, misled investors by touting purportedly strong cybersecurity practices concerning (among other things) its: 1) compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework,[1] 2) secure development lifecycle (SDL),[2] 3) software products and password policy, and 4) access controls. The SEC alleges that the Security Statement applied to the company's "information system assets" (which included Orion). The company purportedly used the Security Statement to respond to inquiries from the public and customers about SolarWinds' cybersecurity practices. The SEC alleges that Brown was the "owner" or "approver" of the Security Statement.
  • SEC Filed Public Reports and Press Releases:[3] The SEC alleges that SolarWinds issued "general, high-level risk disclosures that lumped cyberattacks in a list of risks …." The company purportedly made disclosures that were "generic and hypothetical" and "failed to address that the company allegedly determined it was not taking steps to protect against known risks." The agency alleged that Brown signed sub-certifications relied upon by more senior executives confirming that all material incidents had been disclosed. Similarly, the SEC alleges that several of the company's press releases where it made general claims about its commitment to cybersecurity were false and misleading in light of …
  • Internal Correspondence/Documents/Instant Messages in Focus: … a heavy collection of internal correspondence and documents purportedly showing the company and Brown knew or were severely reckless in not knowing that the company had several cybersecurity vulnerabilities. These vulnerabilities allegedly existed, in part, due to Brown and the company ignoring red flags dating back to 2017. The general emphasis of these communications in the SEC's 68-page complaint is that SolarWinds and Brown knew that the statements made in the company's Security Statement, public reports and elsewhere were false and misleading because the company had several cybersecurity risks it never properly disclosed.

For example, the SEC alleges that several internal emails, presentations, instant messages and documents suggest internal knowledge about the company's failure to satisfy most NIST standards, that its password policy was not enforced, and the company knew about poor access controls (including around VPN access, which was ultimately exploited by the hackers). Additionally, the SEC lists several filings as containing misrepresentations, although the basis for misrepresentations in each of the filings is largely the boilerplate risk factors – which were often repeated verbatim without any update – that treated risks as hypothetical without any disclosure of purportedly present risks allegedly known by in-house security personnel (including Brown).

Notably, these internal communications are often alleged without much context and without any insight into whether additional, later correspondence or actions reached different conclusions or otherwise remediated some of the perceived vulnerabilities expressed by individual employees. Without that additional information, the selected communications portray a collection of vulnerabilities allegedly not addressed or remediated by the defendants.

Key Takeaways

  • First Scienter Fraud Action – and First Litigated Action – Involving PubCo Cybersecurity Disclosures: Although the SEC's focus on cybersecurity rules for both public companies (and regulated entities) has put its cybersecurity policing front and center over the last few years, SEC enforcement of public company cybersecurity and cyberattack disclosures has been relatively marginal. Prior to the SolarWinds filing, the SEC never had charged a public company with scienter-based fraud charges related to a cyberattack or its corresponding cybersecurity disclosures. As detailed further below, between 2018 and 2023, the SEC settled three enforcement actions involving negligence-based violations of the Securities Act of 1933 (Securities Act), but this is the agency's first foray into the more egregious fraud tier.[4]

More broadly, this is the SEC's first litigated action involving any aspect of a public company's cybersecurity disclosures, further underscoring the seriousness with which the agency views the conduct in this matter. The SEC filed this litigated action despite real questions about the materiality of some of the purportedly misleading statements to a reasonable investor (such as those concerning the company's password policy). Additionally, the agency's aggressive posture is further illustrated by its claim that the alleged misconduct "would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack," a claim it reinforces by alleging that most of the public reports at issue were misleading by virtue of generalized risk disclosures even though they were issued long before the occurrence or knowledge of the cyberattack.

In response, the company has already levied a public rebuke of the SEC's enforcement action as "a misguided and improper enforcement action [] representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages." Although the agency has long been criticized for further victimizing the victims when it charges public companies with cybersecurity disclosure violations, this will be the first time that question is tested in front of a judge and jury.

Note: SolarWinds reached out following this post and provided SECond Opinions with the following statement: "We are disappointed by the SEC's unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC's determination to manufacture a claim against us and our CISO is another example of the agency's overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments."

  • First Individual Charged in SEC PubCo Cybersecurity Enforcement: Earlier this year, the former chief security officer of a large public company was sentenced to a three-year term of probation and ordered to pay a fine of $50,000 after being convicted of two charges related to his attempted cover-up of a 2016 cybersecurity incident. That matter certainly raised anxieties for in-house cybersecurity professionals. On the SEC side, until now, the agency has avoided charging any individuals – CISOs or otherwise – in connection with public company cybersecurity disclosures. The SEC's aggressive approach in this matter should raise alarms for all public company CISOs and cybersecurity professionals, particularly when Brown seemingly had little direct responsibility for the content of the company's public reports.
  • First Internal Accounting Controls Charge Since 21(a) Report: In October 2018, the Commission issued an investigative report pursuant to Section 21(a) of the Exchange Act (21(a) Report) that detailed several business email compromises. As is customary with 21(a) reports, the Commission did not charge the entities referenced in the report. Rather, as then-SEC Director for Enforcement Stephanie Avakian noted at the time, "[i]n light of the facts and circumstances, we did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations." Within the 21(a) Report, the Commission emphasized, among other things, that unauthorized intrusions on company systems could implicate the internal accounting control provisions of Exchange Act Section 13(b)(2)(B) concerning, among other things, access to company assets only being permitted with management's general or specific authorization.

Notably, the Commission's conclusion in its 21(a) Report suggested a more limited application of this provision to cyberattacks than a surface reading of the statute might suggest:

By this report, the Commission is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.

Since then, the Commission has not utilized Section 13(b)(2)(B) in any cybersecurity enforcement matter. The question of what exactly constitutes "internal accounting controls" is a thorny issue subject to much debate. The SEC alleges here that the company's technology environment and source code are the type of "assets" covered by this provision, even though there are no allegations about SolarWinds' accounting in the complaint. We expect this issue will be explored heavily in the litigation, with potential ramifications beyond the cybersecurity arena.

  • Heavy Emphasis on Cybersecurity Statements Outside Public Reports: It is not uncommon for the SEC to file enforcement actions based on public company statements on websites or other statements outside of public reports. Similarly, the SEC has leveraged statements by public company executives on social media and at earnings announcements as a basis for scienter- and negligence-based fraud claims.

We have observed the SEC use statements on websites as a basis for cybersecurity enforcement actions before, but those statements were in the context of specifically responding to a breach. Here, the SEC leaned heavily into the company's Security Statement that did not directly address the hack at issue and further leveraged the company's internal correspondence to support its claims about the true state of SolarWinds' cybersecurity systems and protocols. These statements will take on added importance in this litigation given the relative generality of company statements in their public reports.[5]

Similar to how public companies have been scrutinizing corporate sustainability reports in the wake of environmental-related investigations, public companies will be well served by scrutinizing their public-facing claims outside of their public reports about their cybersecurity infrastructure.

  • New Phase in Aggressive Progression of SEC PubCo Cybersecurity Enforcement: Since the SEC's initial cybersecurity enforcement action in 2018, there have been several discrete phases of SEC cyber enforcement; each signals an expanded view on enforcement.
    • First, the agency engaged in a measure of restrained enforcement, where the Division of Enforcement touted it would not "second-guess good faith exercises of judgment about cyber-incident disclosure." This included the rare 21(a) Report eschewing charges against public companies while providing guidance to the market.
    • Next, following a three-year lull in any cybersecurity enforcement activity, the agency filed its first ever cyber-related standalone DCP case, signaling a willingness under Chair Gary Gensler to more aggressively police company controls related to cybersecurity incidents.
    • Then, two months later, the Commission filed its first settled action combining negligence-based fraud, reporting, and DCP violations, based in large part on statements made by the company on its website.
    • The agency has now progressed to its highest level of enforcement, a federal district court action involving litigated scienter-fraud charges and charges against individuals. Additionally, the SolarWinds complaint is the SEC pulling the trigger on its 21(a) warnings five years earlier about the potential ramifications of internal accounting control failures.

The SECond Opinions Blog will continue monitoring cybersecurity enforcement in both the public company and regulated entity space. If you need additional information on this topic – or any topic related to securities enforcement or investigations – please contact the authors or other members of Holland & Knight's Securities Enforcement Defense Team.

Notes

[1] The NIST Framework is a set of cybersecurity activities and outcomes that are common across various sectors and are designed to help entities "align and prioritize cybersecurity activities with its business/mission requirements, risk tolerances and resources."

[2] SDL is a software production methodology that standardizes industry best practices with the goal of creating secure software products.

[3] The SEC also focuses on a September 2020 blog post authored by Brown and located on the company's website. Based on the allegations, it appears that the SEC takes issue with Brown's general statements about the company's focus on cybersecurity (such as the company "places a premium on the security of its products and makes sure everything is backed by sound security processes, procedures, and standards.").

[4] Given that the other negligence-based fraud actions were settled, it is possible the SEC staff viewed those actions as worthy of scienter-fraud charges but settled for lesser charges. Either way, the SEC had never filed an enforcement action involving Section 17(a)(1) of the Securities Act or Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) until now.

[5] Another area to monitor will be allegations that the Company's Dec. 14, 2020, Form 8-K was actually false and misleading. Given that this disclosure is seemingly similar to the types of disclosures companies will make in accordance with the new rules after learning about a material cybersecurity incident, there may be broader implications for how disclosures of this type are viewed going forward.
