SEC Cyber Enforcement Update: Which Way Are the SolarWinds Blowing?
Part 2: Disclosure and Internal Controls
This Holland & Knight blog post is the second installment in a two-part series that examines the challenges to the U.S. Securities and Exchange Commission's (SEC) charges in its landmark case against SolarWinds Corp. (SolarWinds) and the company's Chief Information Security Officer (CISO) Timothy Brown. Part 1 examined the SEC's material misrepresentation claims and provided a detailed background on the case and its current status. This article explores the challenges to the SEC's deficient disclosure and internal controls claims and the potential impact of the Court's decision on these issues to the future of SEC cyber enforcement actions.
On Feb. 16, 2024, the SEC filed an amended complaint (Complaint) that charged SolarWinds and Brown with scienter-based antifraud provisions of the federal securities laws, violations of disclosure controls and violations of internal controls. In its Complaint, the SEC claims that SolarWinds and Brown made material misrepresentations and omissions concerning its cybersecurity program and associated risks. The SEC also alleges that SolarWinds, aided and abetted by Brown, failed to maintain disclosure controls concerning cybersecurity risks and internal accounting controls due to the lack of effective cybersecurity safeguards.
On July 18, 2024, the Court issued its opinion dismissing a substantial portion of the SEC's Complaint. For more information, see Holland & Knight's blog post, "Court in SolarWinds Case Blows Down SEC's Cyber Enforcement Authority," July 24, 2024.
Allegations and Challenges
Deficient Disclosure Controls
Exchange Act Rule 13a-15(a) requires companies to maintain disclosure controls and procedures that are designed to ensure that information required to be disclosed is accumulated and communicated to management to allow for timely decisions regarding disclosure. In its cyber enforcement actions, the SEC often charges that companies violate this provision when they fail to make timely disclosures of material cybersecurity incidents.1 The SolarWinds case is no exception. In its Complaint, the SEC alleges that SolarWinds failed to maintain appropriate disclosure controls to ensure that information regarding potentially material cybersecurity risks, incidents and vulnerabilities was reported to those executives responsible for disclosure.
As alleged in court filings, SolarWinds maintained an Incident Response Plan (IRP) that contained a classification system. If an incident was classified as a level 2 / moderate incident, the IRP required the incident response team to escalate the incident to the CEO, chief technical officer (CTO) and others to allow the company to assess its disclosure obligations. Since SolarWinds was unable to determine the root cause of the U.S. Trustee Program (USTP) and the Palo Alto events,2 both incidents were classified at level 0, which corresponded to an undetermined security event. However, under the IRP, a product security incident that could affect multiple customers was to be classified as a level 2 / moderate incident. As a result, the SEC charged that SolarWinds allegedly maintained deficient disclosure controls because the USTP and Palo Alto events allegedly were misclassified as a level 0 instead of a level 2.
In their motion to dismiss, SolarWinds and Brown argue that the company had disclosure controls and that the IRP classification system is evidence of such controls. The defendants further argue that the SEC is not claiming that these controls were unreasonably designed; rather, the SEC is alleging that the controls were not accurately applied, which is not a violation of Rule 13a-15(a).
The SEC counters that the mere existence of disclosure controls is not sufficient. Relying on 17 C.F.R. § 240.13a-15(b), which requires management to evaluate the effectiveness of the company's controls, the SEC argues that Rule 13a-15(a) requires that the company's controls were "effective" in ensuring disclosure of material cybersecurity risks and incidents. According to the SEC, since Brown and others recognized that the USTP and Palo Alto events were linked, they should have escalated the incidents to appropriate decision-makers and their failure to do so violated Rule 13a-15(a). The motion to dismiss has been fully briefed since May 2024 and the Court's decision is pending.
Failure to Maintain Internal Accounting Controls
Exchange Act Section 13(b) requires companies to maintain a system of internal accounting controls sufficient to provide reasonable assurances that access to assets is permitted only in accordance with management's general or specific authorization.3 In the Complaint, the SEC alleges that SolarWinds failed to maintain sufficient internal controls because the company had deficient cybersecurity practices to prevent and detect unauthorized access to its information system.
In cybersecurity, access controls are policies and procedures to ensure that only authorized users can access and use the information system and that authorized users are granted the appropriate level of access to the data within such systems. According to the SEC, SolarWinds was required to maintain cybersecurity policies designed and implemented to provide reasonable assurance that access to corporate assets, including information technology (IT) assets and the Orion software code, was limited to authorized users. The SEC alleges that SolarWinds had significant lapses around access controls and, thus, had deficient internal accounting controls.
In response, SolarWinds and Brown argue that the SEC reads the word "accounting" out of internal accounting controls. Looking at the legislative history of the internal accounting controls provision, the defendants note that the language of 15 U.S.C. § 78m(b)(2)(B) comes directly from a statement on auditing standards published by the American Institute of Certified Public Accountants (AICPA) and that the primary purpose of the internal controls provisions is to assure accurate corporate recordkeeping. The defendants argue that "access to assets," the key language relied upon by the SEC, refers to access to financial assets and the reliability of financial records, not IT assets.4 Instead, SolarWinds and Brown view the SEC's broad interpretation of the internal accounting controls provision as an attempt to shoehorn in regulatory authority over a company's cybersecurity practices that Congress has not granted to the SEC.5
Key Takeaways
The above arguments concerning disclosure and internal controls are not premised on factual disputes between the parties. Rather, these arguments concern the scope of the law, which often is appropriate for resolution at the motion to dismiss stage. Thus, the Court may decide these issues in its forthcoming opinion, which could have significant impact on the future of SEC cyber enforcement actions.
The Effectiveness of Disclosure Controls
The Court must decide whether Rule 13a-15(a) contains an effectiveness prong that creates liability for errors in the application of a company's reasonable disclosure controls.6 Notably, the rule does not require the SEC to establish intent, and the SEC does not allege that any individual intentionally misclassified the USTP and Palo Alto events to circumvent the company's disclosure controls or that SolarWinds' IRP was not a reasonable escalation policy. In other words, the SEC does not allege that the defendants acted with scienter concerning the misapplication of the disclosure controls or lacked reasonable controls. Such an effectiveness prong would create securities liability where information security (IS) and IT personnel make innocent mistakes in their assessment of a cybersecurity incident that result in nondisclosure to those executives responsible for assessing disclosure.
This approach would create a heavy burden on companies. Assessing a cybersecurity incident is not an exact science, as new facts emerge in real time. Rule 13a-15(a), as the SEC would have it, provides little room for innocent mistakes or, in many instances, even adequate time to make a proper assessment. To avoid violating securities law and a potential SEC enforcement action against them personally (as occurred with Brown), IS/IT personnel are likely to over-disclose cybersecurity incidents to executives, which will bog down corporate executives with reports of minor incidents and divert their time and attention away from the daily task of managing the company.
Overreporting is not merely a hypothetical concern. In the short time since the SEC rule requiring public companies to disclose material cybersecurity incidents within four business days after determining materiality came into effect, the SEC already has noticed overreporting of incidents. SEC Division of Corporation Finance Director Erik Gerding recognized this concern in his recent statements that companies are disclosing incidents before making a materiality determination. If companies are opting to disclose cybersecurity incidents out of an overabundance of caution, CISOs concerned about being the subject of an SEC enforcement action are certainly likely to err on the side of caution and overreport incidents to decision-makers.
The SEC often alleges disclosure control violations in cyber enforcement actions, which is consistent with the agency's recent trend to deal with disclosure-related matters through disclosure controls rather than through materiality determinations.7 Thus, if the Court determines that disclosure controls do not require effectiveness as broadly as the SEC claims, it may significantly limit the SEC's ability to bring Rule 13a-15(a) enforcement actions – not only in cyber matters but in other disclosure-related cases.
Violation of Internal Accounting Controls
The Court also must decide whether 15 U.S.C. § 78m(b)(2)(B) requires companies to maintain cybersecurity access controls to prevent and detect unauthorized access to a company's information system. Although the SEC does not allege a misrepresentation concerning internal controls, it defines internal controls to encompass cybersecurity controls. Thus, in reaching a determination, the Court likely will have to assess whether "internal accounting controls" is limited in any way by the term "accounting" and how broadly the phrase "access to assets" should be interpreted. The outcome of these inquiries could significantly limit or broaden the SEC's authority to regulate a company's cybersecurity policies and procedures.
Moreover, the SEC's attempt to expand the scope of internal controls to encompass cybersecurity controls leaves open the possibility that the SEC will attempt to stretch the rule to cover other areas traditionally outside the scope of SEC enforcement. A decision by the Court that reins in the SEC's interpretation could affect enforcement actions involving internal controls violations more broadly.
Holland & Knight's Securities Enforcement Defense Team and Data Strategy, Security & Privacy Team will continue to monitor the developments of the SEC's action against SolarWinds and other cybersecurity enforcement developments. For more information about this case, contact the authors.
Notes
1 See "SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls," Holland & Knight alert, June 22, 2021; In the Matter of R.R. Donnelley & Sons Co.
2 See "SEC Cyber Enforcement Update: Which Way Are the SolarWinds Blowing?," Holland & Knight blog post, July 8, 2024.
3 15 U.S.C. § 78m(b)(2)(B)(iii).
4 SEC Commissioners Hester M. Peirce and Mark T. Uyeda have since issued a statement addressing a recent SEC settlement with R.R. Donnelley & Sons Co., supporting this argument concerning the SEC's attempt to expand the definition of "assets." See "SEC Expands Scope of Internal Accounting Controls in Cybersecurity Breach Settlement," Holland & Knight blog post, July 9, 2024.
5 In light of the U.S. Supreme Court's decision in Loper Bright Enterprises v. Raimondo, which overturned the principles of Chevron deference, it is not settled how much deference the Court will give the SEC's interpretation of internal accounting controls.
6 The SEC has provided interpretive guidance regarding management's reporting on internal controls, but it was issued in 2007 and understandably does not mention cybersecurity. It is somewhat instructive on what the SEC considers to be required to allow management to have "reasonable assurance" regarding the reliability of financial reporting under the rules. The release underscores this somewhat flexible standard by noting that the SEC "has long held that 'reasonableness' is not an 'absolute standard of exactitude for corporate records,'" and acknowledges that "there is a range of judgments that an issuer might make as to what is 'reasonable.'"
7 See "SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls," Holland & Knight alert, June 22, 2021. ("[T]his action continues the SEC's recent trend to deal with disclosure-related matters through rules related to internal control over financial reporting and disclosure controls and procedures. By eschewing claims under securities disclosure laws, such as Sections 10 and 18 of the Exchange Act and rules thereunder, the SEC avoids the need to establish whether a disclosure was materially misleading or whether the disclosure failure involved scienter or other culpable behavior or knowledge of the persons making the disclosure. Rather, the SEC simplifies its inquiry to determine whether corporate controls and procedures alerted senior executives of particular facts and information.")