SEC Cyber Enforcement Update: Which Way Are the SolarWinds Blowing?
The SEC has been aggressively pursuing cybersecurity investigations and enforcement actions against public companies and foreign private issuers. In these actions, the SEC typically alleges one or both of two theories: 1) that the company made material misrepresentations in its disclosures about cybersecurity risks or about a material cybersecurity incident,[1] and 2) that the company maintained deficient disclosure and/or internal controls for ensuring that material cybersecurity risks are timely and accurately assessed and disclosed by appropriate decision-makers.[2]
Both theories are on full display in the SEC's landmark enforcement action against SolarWinds Corp. (SolarWinds or the Company) and the Company's Chief Information Security Officer (CISO), Timothy Brown, brought through a complaint filed last year in the U.S. District Court for the Southern District of New York (Court). The complaint is the SEC's first litigated action against a public company concerning its cybersecurity disclosures and the first to charge an individual in connection with public company cybersecurity disclosures. On Feb. 16, 2024, the SEC filed an amended complaint (Complaint) charging SolarWinds and Brown with violations of the scienter-based antifraud provisions of the federal securities laws and of the rules governing disclosure controls and internal controls.
In the Complaint, the SEC alleges both theories described above. The SEC alleges that SolarWinds and Brown made material misrepresentations concerning the Company's cybersecurity posture, material omissions concerning cybersecurity risks and material omissions in its initial Form 8-K disclosure of the SUNBURST cybersecurity incident. In addition, the SEC alleges that SolarWinds, aided and abetted by Brown, failed to maintain adequate disclosure controls concerning cybersecurity risks and internal accounting controls due to the lack of effective cybersecurity safeguards.
In their joint motion to dismiss, SolarWinds and Brown aggressively challenge the SEC's claims on all counts. With the motion to dismiss fully briefed, the matter is now before the Court and awaiting a decision.
This two-part series considers the challenges to the SEC's charges and the potential impact of the Court's decision on the future of the SEC's cybersecurity enforcement actions. This first article explores the challenges to the SEC's material misrepresentation claims; the second installment will explore the challenges to the SEC's claims that SolarWinds maintained deficient disclosure and internal controls.
Background
SolarWinds is a software company whose flagship network monitoring and management product is the Orion Platform (Orion).[3] The Company went public in October 2018.
As early as January 2019, suspected nation-state attackers exploited a vulnerability to gain unauthorized access to SolarWinds' systems. The attackers then inserted malicious code into the Orion software builds for three product updates, giving them access to the systems of SolarWinds customers who installed those versions of Orion. This attack became known as the SUNBURST attack. SolarWinds unwittingly delivered the compromised updates to as many as roughly 18,000 customers worldwide.
SolarWinds received three notifications of suspicious activity associated with Orion in 2020. First, after installing Orion on a trial basis, the Executive Office of the U.S. Trustee Program (USTP) observed suspicious activity associated with the software and notified SolarWinds in June 2020. SolarWinds was unable to determine the root cause of this incident. Second, in October 2020, the cybersecurity firm Palo Alto Networks (Palo Alto) notified SolarWinds that it had observed suspicious activity associated with the Orion software during a red-team (i.e., simulated attack) exercise. (Notably, the SEC's decision not to describe this notification in the Complaint as arising from a simulated exercise has led to contentious filings accusing the agency of being intentionally misleading.) SolarWinds again was unable to determine the root cause. Third, on Dec. 12, 2020, the cybersecurity firm Mandiant notified SolarWinds of malicious activity associated with Orion and identified the malicious code in the Orion software.
On Dec. 14, 2020, the first business day following the Mandiant notification, SolarWinds filed a Form 8-K with the SEC disclosing a cyberattack that had inserted a vulnerability within Orion that could potentially allow an attacker to compromise servers running Orion. SolarWinds stated that it was investigating the matter, including whether the vulnerability had been exploited as a point of infiltration into any customer systems. The Form 8-K further stated that fewer than 18,000 customers were believed to have installed the infected version of Orion and noted that Orion accounted for approximately 45 percent of SolarWinds' revenue. The stock price dropped 16 percent on the day of filing and a further 8 percent the next day.
On Jan. 11, 2021, SolarWinds filed another Form 8-K disclosing that it had identified two prior customer incidents that it believed to be related to the SUNBURST attack.
Allegations and Challenges
In the Complaint, the SEC argues that SolarWinds had such pervasive and systematic cybersecurity problems that the Company failed to adhere to the very cybersecurity controls it publicly touted and also failed to address known cybersecurity vulnerabilities. In painting this picture, the SEC relies on four main categories of evidence: 1) SolarWinds' risk assessments and risk scores for specific controls under the National Institute of Standards and Technology (NIST) Cybersecurity Framework and under NIST 800-53, which the Company used to evaluate whether certain programs complied with FedRAMP requirements, 2) internal communications among employees, 3) internal presentations concerning the Company's cybersecurity posture and 4) audits under the Sarbanes-Oxley Act (SOX).
Based on these alleged pervasive cybersecurity failures, the SEC alleges that SolarWinds and Brown made material misrepresentations or omissions in the following categories of public disclosures made from October 2018 through Jan. 12, 2021.
Security Statement Posted on Company's Website since 2017
In late 2017, SolarWinds posted a Security Statement on its website describing its cybersecurity posture. This Security Statement remained on the website, virtually unchanged, at the time the Company went public and throughout the SUNBURST attack.
The SEC dedicates a substantial portion of the Complaint to arguing that the Security Statement contained several knowingly and materially false and misleading statements, as evidenced by the risk assessments, internal communications, internal presentations and audits conducted or made during the relevant period. Based on this evidence, the Complaint alleges that the Security Statement materially misrepresents that the Company 1) "follows" the NIST Cybersecurity Framework, 2) uses a secure development life cycle (SDL) when creating software for customers, 3) maintains network monitoring, 4) has and enforces a strong password policy and 5) maintains robust access controls.
In their motion to dismiss and related filings, SolarWinds and Brown claim that it is in fact the SEC that is making misleading statements about SolarWinds' cybersecurity practices by cherry-picking snippets from documents out of context. They also contend that the SEC mischaracterizes the assessments under the NIST frameworks, arguing that the SEC misstates what the documents say about certain allegedly low scores for particular cybersecurity controls. For instance, according to the defendants, a "low" score of 2 denotes a "consistent approach," not inadequate controls. In addition, the NIST 800-53 assessment was not an organization-wide assessment but was used to assess whether certain "programs" were FedRAMP-compliant. The defendants further argue that dismissal is appropriate at the motion to dismiss stage because the underlying documents are incorporated into the Complaint, and the SEC cannot disregard what they actually say.
SEC Registration and Periodic Filings (Forms S-1, S-8, 10-K and 10-Q)
In its registration statement and periodic SEC filings, SolarWinds included cybersecurity incidents among its material risk disclosures. The Company's cyber risk disclosures stated that SolarWinds was vulnerable to computer hackers, malicious code and sophisticated nation-state actors, including advanced persistent threat intrusions. They also warned that the Company could experience security breaches that might remain undetected for an extended period of time, affect the Company's products, damage its customers' IT infrastructure and/or result in the loss or theft of its customers' data.
In the Complaint, the SEC argues that the Company's cyber risk disclosures were generic and boilerplate and created a materially misleading picture of the Company's true susceptibility to cyberattacks. The SEC contends that there were, in fact, known, specific, pervasive and long-standing cybersecurity problems within SolarWinds that created heightened cyber risks which were not conveyed by, and were thereby materially omitted from, the Company's generic cyber risk disclosures.
SolarWinds and Brown counter that the cyber risk disclosures in fact warned investors of the precise risk that materialized: an advanced persistent threat intrusion that remained undetected for an extended period and resulted in the theft of its customers' data. In addition, the defendants argue that the Company had no duty to disclose detailed information about its supposed cybersecurity shortcomings. Under the securities laws, omissions are actionable only when a corporation is subject to a duty to disclose or is required to speak in order to make a prior statement not misleading.[4] The defendants argue that, beyond disclosing the existence of the applicable cyber risks, SolarWinds was not required to disclose granular details of its cybersecurity problems.[5] Moreover, such detailed disclosures would provide a roadmap to cybercriminals and increase the Company's susceptibility to cybersecurity incidents.
Initial Disclosure of SUNBURST on Form 8-K Filed on Dec. 14, 2020
The SEC alleges that SolarWinds' Dec. 14, 2020, Form 8-K disclosure was false and misleading because of material omissions. According to the SEC, the Form 8-K suggested that a successful cyberattack was merely theoretical by stating that the vulnerability "could potentially allow" a compromise and that the Company was investigating whether the vulnerability "has been exploited as a point of infiltration … ." The SEC claims, however, that Brown believed and the Company knew that successful cyberattacks exploiting this vulnerability had already occurred in the USTP and Palo Alto incidents, and that omitting those incidents rendered the disclosure incomplete, false and misleading.
SolarWinds and Brown argue that the disclosure was accurate and that the SEC fails to adequately allege that the Company had, in fact, concluded that the USTP and Palo Alto incidents were connected to SUNBURST. Moreover, even if Brown subjectively believed the incidents were connected, the defendants argue, the Company had an obligation to investigate before asserting such a definitive conclusion in a Form 8-K.
Brown's Public Statements
Finally, the SEC claims that Brown made materially false and misleading statements when he highlighted SolarWinds' robust cybersecurity practices in podcasts, blog posts, press releases and public presentations. Notably, this allegation occupies a mere two pages of the 112-page Complaint and 1.5 pages of the SEC's 71-page opposition brief. It reads more like a catch-all than the heart of the SEC's case. For their part, the defendants argue that these statements are "inactionable puffery."
Key Takeaways
The ongoing, hotly contested SolarWinds case highlights several of the most significant concerns being consistently raised regarding the SEC's aggressive cyber enforcement efforts. The SEC's arguments elicit substantial questions concerning the level of detail and foresight that the agency expects in cyber disclosures and underscore the difficult challenges companies face concerning disclosures about highly technical systems and complex cybersecurity incidents. Moreover, as the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules came into effect after the SUNBURST attack, these concerns are heightened due to the disclosures required under the new rules. In addition, the SEC's action may impact how companies publicly discuss their cybersecurity program and may have a chilling effect on information security (IS) and information technology (IT) professionals. We look at these issues in more detail below.
Sufficiency of Cyber Risk Disclosures
As the SolarWinds case makes clear, it is exceedingly difficult for an issuer to provide enough detail in its cyber disclosures to satisfy regulators without also providing a roadmap to criminals. The SEC has consistently stated that its disclosure obligation "is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, by providing a 'roadmap' for those who seek to penetrate a company's security protections."[6] Yet its arguments in SolarWinds may suggest otherwise.
The SEC alleges that SolarWinds' generic, boilerplate cyber risk disclosures created a materially misleading picture of the Company's susceptibility to cyberattacks. Instead, according to the SEC, SolarWinds' allegedly pervasive cybersecurity problems placed its systems at a heightened risk that needed to be disclosed to investors in a more specific, detailed manner (i.e., beyond what the agency characterizes as a generic warning). Although the SEC says that disclosures should not provide a roadmap to criminals or technical details of a vulnerability, this refrain misses the mark. If a company discloses that it is at heightened risk of cyber intrusion because of weaknesses in its cybersecurity program, that disclosure will likely entice cybercriminals to aggressively target the company, and the SEC's focus on "roadmap" and "granular" levels of detail does not answer this practical concern. Moreover, the SEC could have used its opposition brief as a teachable moment and offered a proposed disclosure that it deems sufficient to thread this delicate needle. The agency did not do so. As such, the SEC has not shown that an appropriately balanced and sufficient disclosure actually exists or could exist. Of course, the SEC has no obligation – or need – to propose an adequate disclosure at this stage; in deciding a motion to dismiss, the Court must accept all of the SEC's well-pled factual allegations as true and draw all reasonable inferences in the SEC's favor. However, if the Court denies the motion to dismiss, this issue may play out aggressively in discovery and at summary judgment, and the SEC may then feel compelled to propose a sufficient disclosure. The resolution of this issue should be closely watched. It may provide clarity on the level of detail required in cyber disclosures, or it may further muddy the already delicate balance between detailed disclosures and enticing cybercriminals.
Sufficiency of Material Cybersecurity Incident Disclosures
This case also highlights the difficult balancing act between investigating cybersecurity incidents and making timely disclosures, and it raises concerns that the SEC, with the power of hindsight analysis, may undervalue the role of investigating cybersecurity incidents. The SEC claims that SolarWinds' initial Form 8-K disclosure of the SUNBURST attack is misleading because it omits the USTP and Palo Alto incidents. According to the SEC, SolarWinds had enough information to connect the two incidents to the SUNBURST attack at the time of the first Form 8-K. SolarWinds argues that the Form 8-K discloses that the Company was "still investigating," and it was entitled to conduct a more thorough investigation before reaching any definitive conclusions.
In its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules, the SEC requires disclosure of a material cybersecurity incident under Item 1.05 of Form 8-K within four business days after the company determines that the incident is material. The SEC notes that companies must make their materiality determination "without unreasonable delay," and it expects public companies to report within four business days even if they do not yet have complete information about the incident but know enough to determine that it is material. Since these rules became effective in December 2023, companies have wrestled with assessing when they have sufficient information to determine materiality while still investigating an incident. Recent statements by SEC Division of Corporation Finance Director Erik Gerding that companies may be choosing to disclose too early only compound this issue.
The role of the SEC's Division of Enforcement in assessing, after the fact, when and to what extent a company had sufficient information for disclosure while it was still investigating a cybersecurity incident raises concerns about whether and when to proactively disclose an incident in order to avoid later enforcement scrutiny. That said, the precise moment at which a company has sufficient information to determine materiality, and the confidence level of that information, is not an exact science or an indisputable fact within a company, nor is it easily compared across companies. For instance, SolarWinds became aware of the SUNBURST incident only on Dec. 12, 2020, and the Company made this allegedly "misleading" disclosure on the first possible business day, Dec. 14, 2020. The claim that a company could, within approximately two days, revisit two prior incidents (while simultaneously investigating one of the most significant cybersecurity events in history) and conduct enough of an investigation to disclose a believed association between the incidents with some level of confidence may be challenging to prove at trial.
Nevertheless, the Court's decision on this issue may temper or embolden the SEC's willingness to revisit issuers' prior disclosures.
Identifying What Constitutes Actionable Statements Concerning Cybersecurity Practices
The SolarWinds case could help delineate between inactionable statements of mere "puffery" and actionable claims regarding a company's statements about its cybersecurity and/or data protection practices. Courts in some cases have found that statements asserting the importance of data protection or emphasizing a commitment to maintaining a high level of security were puffery or otherwise not actionable.[7]
Here, much of the SEC's case relies on statements in the Security Statement on the Company's website and Brown's public comments concerning SolarWinds' cybersecurity posture, which the defendants claim are puffery or otherwise not actionable. How this issue is resolved may help companies better understand what to say publicly about their cybersecurity and data protection programs.
Potential Chilling Effect on IS/IT Professionals
The SEC's reliance in the Complaint on SolarWinds' internal assessments, communications, and presentations concerning its cybersecurity program could have a potential chilling effect on IS/IT professionals' ability or willingness to accurately identify and thoroughly discuss cybersecurity issues. This is particularly true since the SEC relied on this information to pursue the first-ever charges against a CISO, an executive officer position at SolarWinds, but not one that is required to certify to the accuracy of a company's periodic public filings like the CEO and CFO.
Cybersecurity is a risk management process aimed at reducing the likelihood of cyberattacks and mitigating the impact of cybersecurity incidents. Because a company's threat environment is constantly evolving and becoming more sophisticated, any cybersecurity program requires constant updates and adjustments. IS/IT professionals rely on risk assessments, communications and presentations to understand the risk environment, communicate those risks and allocate resources consistent with the organization's risk profile. Because the SEC used these same tools to charge SolarWinds' CISO, companies may face new challenges in recruiting and retaining IS/IT professionals, and those individuals may be discouraged from thoroughly documenting risks, especially where management knows that resources to remediate those risks may be limited or unavailable. The potential negative impact is not limited to CISOs or IS/IT professionals, either. Might a CCO, CAO or other C-suite candidate think twice before taking a position that may expose her to yet another form of potential liability? The answer could be yes.
The Motion to Dismiss Stage
Finally, the defendants' motion to dismiss challenges the SEC's interpretation of the various internal assessments, communications and presentations. At this preliminary stage, the Court will not determine factual disputes; rather, it will assess the legal sufficiency of the Complaint's claims, taking – as it must – the pleadings in the light most favorable to the SEC. The defendants argue that the underlying documents are incorporated by reference into the Complaint, that the Court can consider them under established precedent and that the SEC cannot disregard what these documents state. However, the Court may conclude that many of the defendants' challenges are factual disputes and cannot be resolved at this stage of the proceeding. As a result, many of the material misrepresentation claims may not be decided in the immediate future and may have to proceed through contentious discovery and summary judgment proceedings before resolution.
Holland & Knight's Securities Enforcement Defense Team and Data Strategy, Security & Privacy Team will continue to monitor developments in the SEC's action against SolarWinds and other cybersecurity-related enforcement actions. For more information about this case, contact the authors.
Notes
[1] See In the Matter of Blackbaud, Inc.
[2] See "SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls," Holland & Knight alert, June 22, 2021; In the Matter of R.R. Donnelley & Sons Co.
[3] This summary is based on publicly available court filings.
[4] See, e.g., In re Heartland Payment Sys. Inc. Sec. Litig., 2009 WL 4798148, at *6 (D.N.J. Dec. 7, 2009).
[5] SolarWinds' relevant SEC filings preceded the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules (see "SEC Finalizes Cybersecurity Incident and Governance Disclosure Obligations for Public Companies," Holland & Knight alert, July 31, 2023), which require public companies to disclose details concerning their cybersecurity risk management program in annual filings.
[6] SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Rel. Nos. 33-10459 & 34-82746, at 11 (Feb. 26, 2018); SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Rel. Nos. 33-11216 & 34-97989, at 111-12 (July 26, 2023).
[7] In re Heartland Payment Sys. Inc. Sec. Litig., 2009 WL 4798148, at *6 (D.N.J. Dec. 7, 2009).