You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history? As NPR described it in 2021, we all regularly receive routine software updates like this one:
"'This release includes bug fixes, increased stability and performance improvements'.... Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company's popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company's network. Customers simply had to log into the company's software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack against America. 'Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,'"
according to the Company's CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging 'fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities." In the complaint, the SEC charges that "SolarWinds' public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company's cybersecurity policy violations, vulnerabilities, and cyberattacks." According to Gurbir S. Grewal, Director of the SEC's Division of Enforcement, the SEC's enforcement action "underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns."
SideBar
In October, Grewal gave remarks to the NYC Bar Association Compliance Institute, during which he addressed the question of when Enforcement recommends charges against a compliance officer, indicating that they
"do not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis. That is why such actions are rare.
There are really three situations where the Commission typically brings enforcement actions against compliance personnel:
- where compliance personnel affirmatively participated in misconduct unrelated to the compliance function;
- where they misled regulators; and
- where there was a wholesale failure by them to carry out their compliance responsibilities."
And earlier this year, in remarks at a Financial Times Summit, Grewal advocated "cyber resilience," a concept that assumes that "breaches and cyber incidents are likely going to happen, and that firms must be prepared to respond appropriately when they do. In other words, it's not a matter of if, but when." (See this PubCo post.)
The gist of the complaint, as alleged by the SEC, is that many red flags emerged and incidents occurred, well known among Company employees, that should have spurred the company and its CISO to take action to address serious cyber vulnerabilities, including vulnerabilities related to the company's "crown jewel" assets. Instead, the CISO "failed to resolve the issues or, at times, sufficiently raise them further within the company." Compounding that failure, the SEC alleged, perhaps more importantly from the SEC's perspective, the Company and the CISO misled investors with a deceptive depiction of the Company's cyber controls environment that "concealed both the Company's poor cybersecurity practices and its heightened—and increasing—cybersecurity risks." It was only after the massive cyberattack that the "true state of SolarWinds' cybersecurity practices, controls, and risks ultimately came to light." According to the SEC, the specific cybersecurity issues highlighted were pervasive and "reflected a culture that did not take cybersecurity issues with sufficient seriousness, and a scheme to conceal these issues from investors and customers."
Background
As described in the complaint, SolarWinds "designs and sells network monitoring software used by many businesses, as well as state, federal, and foreign governments to manage their computer systems." During the period, "SolarWinds had more than 300,000 customers, including 499 of the companies making up the Fortune 500." Orion, the Company's flagship product, is "an information technology infrastructure and management platform consisting of a suite of products used by customers to manage network system configurations."
The complaint alleges that the Company trumpeted its safe and secure cybersecurity practices through misleading statements in three contexts: cybersecurity statements posted to the Company's website (including statements posted just prior to its second IPO after going private), its S-1 and S-8 registration statements, and the Form 8-K disclosing the SUNBURST cybersecurity breach.
Security statement. The SEC alleges that the cybersecurity statements, which were primarily Brown's responsibility, were false and misleading because they hyped a series of secure practices, such as its "secure development lifecycle," strong password policy and reliable access controls, while concealing "from the public the Company's known poor cybersecurity practices...includ[ing] SolarWinds' (a) failure to consistently maintain a secure development lifecycle for software it developed and provided to thousands of customers, (b) failure to enforce the use of strong passwords on all systems, and (c) failure to remedy access control problems that persisted for years." According to the SEC, "Brown and the Company understood that SolarWinds' adherence to sound cybersecurity practices was material to SolarWinds' ability to obtain and retain business." Moreover, the SEC charged, "[r]easonable investors considering whether to purchase or sell SolarWinds stock would have considered it important to know the true state of SolarWinds' cybersecurity practices."
Yet, at the same time that, in its cybersecurity statements, SolarWinds was promoting its safe cybersecurity practices to the public markets, the SEC alleged, internal communications revealed that the Company was well aware of its serious deficiencies, control issues and cybersecurity vulnerabilities. For example, in a 2018 internal communication, an employee "bluntly admitted" that the claims in the cybersecurity statement regarding the secure development lifecycle were false: "I've gotten feedback that we don't do some of the things that are indicated in the [Security Statement's SDL section]." Still, the Company did not amend the statement to reflect the facts; instead, the SEC charged, the Company hid the errors and sought to "work toward making them eventually true." The SEC charged that "SolarWinds and Brown knew, or were reckless or negligent in not knowing, that the Company was still working to determine how to incorporate aspects of an SDL into its product development leading up to and throughout the Relevant Period." That conduct, the SEC charged, "does not reflect a culture of honesty or effective controls regarding disclosure, cybersecurity, or other matters. Rather it reflects a culture of recklessness, negligence, and scienter at SolarWinds."
Similarly, with respect to password issues, an employee email in 2017 showed "surprise that things 'like 'default passwords' are [still] plaguing us when the product has been in the market [this long,]' explaining, '[m]any of these vulnerabilities seem pretty well amateur hour.'" The SEC concluded that "SolarWinds and Brown's misstatements and omissions regarding password issues were not only false and misleading, but materially so."
The complaint identifies similar issues with access management, which, the SEC alleges, had been persistent problems for years. Internal communications in 2018 revealed that the Company's "remote access virtual private network, which allowed access from devices not managed by SolarWinds" (such as third-party cell phones and laptops) was "not very secure" and that "someone exploiting the vulnerability 'can basically do whatever without us detecting it until it's too late' which could lead to a 'major reputation and financial loss' for SolarWinds." Other internal presentations revealed that "[a]ccess and privilege to critical systems/data is inappropriate." Numerous warnings notwithstanding, the SEC claims, "SolarWinds and Brown took no steps to remediate the vulnerability in 2018 or 2019" or to disclose it. The SEC alleges that "[n]o one, including Brown, raised the issue with SolarWinds' Disclosure Committee, nor did SolarWinds have sufficient procedures and controls in place to ensure that he did so."
According to the SEC, "[t]ogether, the individual failures, risks, issues, and incidents described in this Complaint so affected SolarWinds' cybersecurity posture that SolarWinds needed to, at a minimum, disclose their collective effect, especially in light of the Security Statement's positive portrayal of SolarWinds' cybersecurity practices."
In addition, the SEC charges that Brown and the Company made materially false and misleading statements related to SolarWinds' cybersecurity practices in SolarWinds' podcasts, blog posts and press releases. The complaint alleges that "SolarWinds and Brown knew, or were reckless or negligent in not knowing, that the listed statements in the Security Statement, podcasts, and blogs contained materially false and misleading statements, and that SolarWinds and Brown had omitted and failed to disclose (either in the Security Statement or in other public statements) the true state of SolarWinds' cybersecurity practices, including the risks, issues, and violations discussed in this Complaint. Those omissions made the statements made, in light of the circumstances, materially misleading."
SEC filings. The complaint charges that SolarWinds also failed to concealed the risks related to its poor cybersecurity practices in its SEC filings, including in the registration statement for its second IPO. The risk factors were "generic and hypothetical," presented as "general, high-level risk disclosures that lumped cyberattacks in a list of risks alongside 'natural disasters, fire, power loss, telecommunication failures...[and] employee theft or misuse." Significantly, many of the risks disclosed were hypothetical and "did not address known risks. For example, the Company warned of an inability to defend against 'unanticipate[d]... techniques' but failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the Security Statement." The cybersecurity risk factors "did nothing to alert investors to the elevated risks that existed at SolarWinds"; those risks "are not being assessed in hindsight by the SEC," the SEC said, "Brown and others at SolarWinds assessed and documented them at the time." In support, the SEC cites as an example that, during the same month that SolarWinds conducted its IPO, Brown wrote in an internal presentation that SolarWinds' 'current state of security leaves us in a very vulnerable state for our critical assets.'" According to the SEC, the generic warnings in the risk factors "were then repeated verbatim in each relevant filing, despite both the ongoing problems and the increasing red flags in 2020 that SolarWinds was not only being specifically targeted for a cyberattack, but that the attackers had already gotten in."
In its IPO registration statement, according to the complaint, the Company did not disclose the known VPN vulnerability or take steps to render it immaterial. But just months later, "the threat actors responsible for the SUNBURST cyberattack accessed SolarWinds' corporate VPN by using an unmanaged third-party device and stolen credentials, exploiting the vulnerability" that had been identified six months earlier. That broad, undetected access to the entire network continued repeatedly through November 2020, as "threat actors conducted reconnaissance, exfiltration, and data collection; identified product and network vulnerabilities; harvested credentials of SolarWinds employees and customers; and planned additional attacks against SolarWinds' products that would be deployed during later stages of the campaign." In November 2019, the threat actors tested out the SUNBURST attack, first inserting non-malicious test code into SolarWinds' Orion and then, after evading detection, in February 2020, inserting malicious code into Orion software that was delivered to almost 18,000 customers. With this malicious code, threat actors could access the systems of these compromised customers. While the attacks have been attributed to a state actor, the SEC suggests that the exploited vulnerabilities were known to SolarWinds and Brown for months and "could have been remedied through straightforward steps." But, the SEC charges, SolarWinds' "fail[ed] to adhere to basic cybersecurity practices," or to disclose these problems to investors.
Beginning in early 2020, the SEC alleges, a number of red flags emerged, such as an increase in threats to its products and multiple attacks against customers' Orion platforms, including ransomware attacks—all suggesting that there were serious vulnerabilities in the Orion platform products that might presage a potential significant cyberattack. The Company investigated these attacks but was unable to resolve the issues. Similarly, several times before December 2020, customers alerted SolarWinds to evidence that threat actors had breached SolarWinds' systems. In May and October 2020, customers reported incidents at a government agency and a cybersecurity company that were ultimately determined to be related to the SUNBURST attack. Although the company and Brown were aware of these red flags and incidents, none were disclosed in the Company's periodic filings or otherwise. An engineer subsequently emailed Brown in 2020, describing "being 'spooked' by activity at a SolarWinds' customer." He was concerned that a bigger cyberattack was looming. "Brown agreed that the incident was 'very concerning' and continued, 'As you guys know our backends are not that resilient and we should definitely make them better.'" According to the SEC, the Company's investigation uncovered so many vulnerabilities that it raised a concern that the size of its engineering staffing was inadequate to deal with them. Warnings in a September 2020 internal document provided to Brown and others stated that "the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve." The SEC alleges that the backlog and staffing issues were not publicly disclosed.
Following the incident in October at the cybersecurity company, the SEC alleges, Brown was advised of its similarities to the incident at the government agency. In response to an inquiry from the cybersecurity company, however, a SolarWinds employee allegedly falsely advised the customer that the Company had not previously seen similar activity, confessing afterward to a colleague that he had "just lied." According to the SEC, SolarWinds again "failed to investigate sufficiently, uncover the root cause for the malicious activity, or otherwise remediate the vulnerability." The SEC charges that, "by October 2020 if not earlier, SolarWinds and Brown knew, or were reckless or negligent in not knowing, that the Company's systems had been breached," that there was a "problem with the Orion software and a compromise in SolarWinds systems." Nevertheless, "SolarWinds and Brown did not disclose to investors any warning about this situation or determine the source of the potential problem and remediate it." The SEC charges that the failure to disclose "was part of an overall scheme to conceal both the problems with Orion specifically, and the overall poor state of SolarWinds' cybersecurity," a scheme that included other deceptive business practices, such as misleading customers.
As alleged by the SEC, Brown was aware that threat groups were looking at Orion, as employees advised of numerous vulnerabilities. In November 2020, an InfoSec Manager "expressed his own disgust with the Company's security posture, lamenting, '[W]e're so far from being a security minded company. [E]very time I hear about our head geeks talking about security I want to throw up.'" Yet, until the disclosure of SUNBURST in 2020, SolarWinds failed to "disclose the numerous risks, vulnerabilities, and incidents affecting its products in its SEC filings or elsewhere. Instead, in each periodic disclosure and registration statement during the period, SolarWinds disclosed the same hypothetical, generalized, and boilerplate description that had appeared in its October 2018 Form S-1."
In addition, while SolarWinds had experienced numerous attacks and incidents before and throughout 2020, the SEC alleges, Brown continued to sign sub-certifications confirming that all material incidents had been disclosed, and "SolarWinds repeatedly failed to disclose the known cybersecurity risks in the Company's periodic reports, rendering them materially misleading." In 2020 10-Qs, the Company reported that there were no material changes to its risk factors. The SEC charges that Brown signed false sub-certifications and that "SolarWinds and Brown knew, or were reckless or negligent in not knowing, that the risk disclosure in the listed SEC filings contained materially false and misleading statement."
In December 2020, another cybersecurity company experienced an attack, only this time, that company reverse engineered the SolarWinds' code and identified the root cause of the malicious activity. After the customer shared the information with SolarWinds, Brown realized the connection among the incidents. The SEC emphasizes that
"SolarWinds' poor controls, Defendants' false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack. Between January 2019 and December 2020, SolarWinds experienced one of the worst cybersecurity incidents in history, the SUNBURST 'supply chain' cyberattack,' which exploited some of the cybersecurity failings described above and compromised SolarWinds' 'crown jewel' Orion product."
Form 8-K. On December 14, 2020, SolarWinds filed a Form 8-K disclosing the SUNBURST attack. The stock price fell more than 16% on the day the 8-K was filed, ultimately losing approximately 35% by the end of the month, "as SolarWinds disclosed more details of the SUNBURST attack, and as news outlets reported that internal sources had warned SolarWinds for several years about the Company's cybersecurity risks and vulnerabilities." The complaint points out that Brown exercised options and sold shares during the period at "prices inflated, at least in part, by the misconduct," receiving over $170,000 in gross proceeds.
Brown participated in drafting the 8-K disclosure. However, the SEC charges, the 8-K "created a materially misleading picture of the Company's knowledge of the impact of the attack in at least three respects." First, the Company described the malicious code that was inserted as a vulnerability that "could potentially allow an attacker to compromise the server," when, the SEC charges, that vulnerability was not theoretical—it had allowed the server to be compromised on at least three occasions. Second, the 8-K stated that SolarWinds hired third-party cybersecurity experts to help investigate "whether a vulnerability in the Orion monitoring products was exploited as a point of any infiltration of any customer systems." But again, the SEC charges, the SolarWinds knew that the vulnerability had already been exploited. Third, SolarWinds stated that it was "still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited" in any reported attacks. Again, the SEC charges, "SolarWinds knew the vulnerability in the Orion products had been successfully exploited on at least three prior occasions" since as early as May 2020. The SEC charges that Brown "knew, or was reckless or negligent in not knowing, that the Form 8-K contained materially false and misleading statements," and, as an officer, his "knowledge, recklessness, and/or negligence is attributable to the Company."
The SEC also charges that the Company filed to maintain reasonable internal accounting controls. Under COSO, with respect to cybersecurity controls, an organization is required "to select and develop internal control activities over technology that are designed and implemented to restrict technology access rights to authorized users and to protect the entity's assets from external threats." However, the SEC charged, the Company "failed to devise and maintain a system of internal controls sufficient to provide reasonable assurance that access to the Company's assets was only in accordance with management's general or specific authorization." According to the SEC, neither Brown nor the Company "were able to identify the list of relevant controls to the SEC during the SEC's investigation. Brown instead certified based on his general sense of the quality of those controls, while failing to identify the Company's extensive shortcomings in areas such as access controls." SolarWinds' cybersecurity-related policies and procedures, the SEC alleges, "went largely unimplemented or were subject to extensive problems or violations."
And, the SEC also claimed that the Company lacked effective disclosure controls under Exchange Act Rule 13a-15(a). For example, SolarWinds devised an Incident Response Plan, which provided that "only incidents that impacted multiple customers were reported upward to management responsible for disclosure. As a result, multiple cybersecurity issues that had the potential to materially impact SolarWinds, but which SolarWinds determined at the time did not yet impact multiple customers, went unreported," including the VPN vulnerability and the three incidents that had not yet been determined to be the result of the same malicious activity.
Violations
The SEC charges that SolarWinds and Brown violated Section 17(a) of the Securities Act (knowing false statements in connection with the sale of securities); and Section 10(b) of the Exchange Act and Rule 10b-5 thereunder (knowing false statements in connection with the sale of securities).
SolarWinds is also separately charged with violations of Section 13(a) of the Exchange Act and Exchange Act Rules 12b-20 and 13a-1, 13a-11, and 13a-13 thereunder (false statements in periodic and current reports); violations of Section 13(b)(2)(B) of the Exchange Act (internal accounting controls) and violations of Exchange Act Rule 13a-15(a) (disclosure controls).
Brown is also separately charged with aiding and abetting the Company's Section 17(a) violation; Section 10(b) and Rule 10b-5 violations; Section 13(a) of the Exchange Act and Exchange Act Rules 12b-20 and 13a-1, 13a-11, and 13a-13 violations; Section 13(b)(2)(B) of the Exchange Act violations; and Exchange Act Rule 13a-15(a) violations
The SEC requested injunctions, disgorgement and civil monetary penalties, as well as an officer and director bar against Brown.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.