Judge Engelmayer's 107-page dismissal of most of the U.S. Securities and Exchange Commission (SEC)'s claims against SolarWinds provides valuable guidance, and some comfort, for public companies and Chief Information Security Officers (CISOs). The SEC lost the bulk of its fraud claims and all of its internal controls claims in a decision that significantly undermines its reliance on hindsight to punish alleged deficiencies in cybersecurity programs. Some of the more serious claims, however, survived, including negligence-based claims against a CISO.
Key Points
- Alleged cybersecurity failures were not enough to support internal controls violations without a link to financial accounting.1
- Alleged failures to inform top executives about specific cyber intrusions were not enough to plead a deficient disclosure program under the circumstances of the case.
- The SEC's reliance on non-scienter, controls-based charges in the cybersecurity context is on shaky ground less than six weeks after it settled a similar matter based on a ransomware attack.
- Public statements about cybersecurity programs must be scrutinized to avoid allegations of cyberwashing, with extra care required during any public or private offering of securities.
- The SEC is willing to charge CISOs who speak publicly—or who control public statements—on material matters concerning their employers' cybersecurity programs.
The dismissal also emphasizes important principles for issuers to keep in mind when tackling challenging decisions during a cyber incident, including that issuers do not have to disclose everything—or every incident—to comply with the law. This is consistent with the SEC's new cybersecurity disclosure rules, which limit disclosures to material incidents based on available information (see here for more information).
Unless settled, the case will proceed to discovery on the SEC's allegations that SolarWinds and its CISO exaggerated the soundness of their cybersecurity program in statements directed at customers on SolarWinds' website—allegations that SolarWinds publicly describes as factually inaccurate.
The SEC's SolarWinds Lawsuit and Focus on Cybersecurity
SolarWinds is an Austin-based technology company that provides customers with network monitoring software. It held an initial public offering of securities in October 2018, during the course of events underlying the SEC's lawsuit.
The lawsuit, filed October 30, 2023, stems from a cyberattack on SolarWinds' products and customers that SolarWinds disclosed to the public in December 2020. SolarWinds' share price dropped by roughly 25% during the two days following that disclosure. As a rule of thumb, controlling for other variables, the SEC views a price change exceeding 5% as presumptively material.
As discussed in our prior alert on this case, the SEC named both SolarWinds and a vice president in charge of the company's information security (the CISO) as defendants, demonstrating an interest in charging corporate officers with responsibility for cybersecurity whether or not those officers sign corporate disclosures. The case is part of a string of enforcement and rulemaking activity targeting cybersecurity risks and disclosure polices, including a June 2024 settlement for internal and disclosure controls violations against R.R. Donnelley & Sons Company, charges for non-scienter-based fraud against Pearson plc and charges for disclosure controls failures against First American Financial Corporation (see here and here for more about these cases).
The SEC alleges that SolarWinds failed to devise and maintain adequate controls to reasonably protect its key assets from cyberattacks, including its "Orion" software product that accounted for nearly half the company's revenue in 2020.2 The complaint alleges, for instance, that SolarWinds was "routinely promiscuous in freely granting administrative rights to employees and conferring access rights way beyond those necessary for employees' specific job functions"3 and that employees "used simple, unencrypted passwords" like "solarwinds123."4 The SEC further alleges that SolarWinds' disclosure program failed to ensure that vulnerabilities and incidents were consistently reported to senior management, including due to failures by employees to escalate two breaches to top executives.
To support its fraud claims, the SEC alleges that SolarWinds and its CISO misled investors and engaged in a scheme to conceal the truth about its cybersecurity program by approving and publishing a "Security Statement" on SolarWinds' website that exaggerated the sophistication of that program, including by claiming that SolarWinds employed cybersecurity controls that were consistent with industry best practices. The SEC alleges that SolarWinds made similar misrepresentations and omissions in its SEC filings, for which its CISO signed sub-certifications.5
The Court's Decision
The court rejected the SEC's theory that SolarWinds violated the internal control provisions under Section 13(b)(2)(B) of the Exchange Act by failing to protect its assets. The court held that internal controls violations under Section 13(b)(2)(B) do not extend to cybersecurity controls with no link to financial accounting and reporting. While recognizing that cybersecurity controls are "undeniably vitally important," the court maintained that such controls cannot be fairly said to be a part of a company's accounting—at least not on the present facts.6 The court expressly declined to apply the internal controls requirements to "every internal system a public company uses to guard against unauthorized access to its assets," noting that to do so would have "sweeping ramifications" for the SEC's authority to regulate issuers.<7
The court also rejected the SEC's disclosure controls claim, holding that isolated incidents of failing to adhere to a disclosure program do not render an entire program deficient and noting that "errors happen without systemic deficiencies."8 The court further held that the alleged failures were based on hindsight about the root cause of those incidents.
The court rejected most of the SEC's fraud-based claims as based on insufficiently specific puffery (for example, claims to have "high security standards") or because the disclosures were legally adequate (noting, for example, that SolarWinds' S-1 "enumerated in stark and dire terms" the risks SolarWinds faced if its cybersecurity measures were to fail). The court emphasized that "the anti-fraud laws do not require cautions to be articulated with maximum specificity" and that "maximal" specificity may "backfire in various ways, including by arming malevolent actors with information to exploit, or by misleading investors based on ... the disclosure of other risks at a lesser level of specificity."9
The court further held that SolarWinds could not be held liable for failing to update its risk disclosures to identify specific, known incidents where it had already warned investors about the likelihood of such incidents.10 The court rejected the SEC's argument that the seriousness of those incidents required fuller disclosures as improperly based on hindsight rather than available information. Applying this reasoning on a go-forward basis must take into account the specific requirements of the SEC's new disclosures rules, which were not in place at the time of the SUNBURST attack, as the court acknowledged.
With respect to the fraud claims based on post-incident disclosures, the court declined to accept the SEC's characterization of the events, even under the plaintiff-friendly standard applied on a motion to dismiss, concluding that SolarWinds' Form 8-K filings "captured the big picture: the severity of the SUNBURST attack."11 Focusing on the circumstances at the time of the disclosures and information known at the time, the court held that it was not false and misleading for SolarWinds to withhold information about two known cyber incidents where its disclosures identified the overarching concerns and "bluntly reported brutally bad news for SolarWinds."12 The court further held that the SEC's allegations about SolarWinds' scienter were in tension with SolarWinds' efforts to minimize problems resulting from the cyberattacks, including its investigation of the attacks, retention of third-party cybersecurity experts and cooperation with government agencies.13
The SEC's claims based on the Security Statement survived the motion to dismiss and will proceed to discovery, absent a settlement. The court rejected SolarWinds' argument that claims directed at customers, rather than investors, should not be actionable, holding that public statements were available to investors to consider as part of the total mix of relevant information. The court also rejected SolarWinds' argument for dismissal on the basis that no alleged misrepresentation would have influenced a reasonable investor when viewed in isolation, holding that the representations should be considered together for purposes of pleading materiality.14
Ultimately, the court held that at least two of the five categories of alleged misrepresentations by SolarWinds and its CISO in the Security Statement—those concerning access controls and password protections—were sufficient to survive the motion to dismiss, concluding that a reasonable person contemplating investing in SolarWinds would have viewed the alleged gap between SolarWinds' words and "on-the-ground reality" as "highly consequential."15 Those disclosures were made before and during SolarWinds' IPO, which brings the SEC's fraud claims under provisions of the Securities Act that the SEC can prove based solely on negligence.
Takeaways and Reminders
- Issuers must accurately describe their cybersecurity and risk management programs, and CISOs should pay close attention to public statements about those programs, even if they are intended for customers rather than investors.
- The best approach is to develop a robust, proactively tested program worthy of accurate description under the now-effective SEC Cybersecurity Rules for public companies, which require annual disclosures of material information about a company's cybersecurity risk management, strategy and governance.
- Issuers should consider the real-world interactions of their cybersecurity protocols and internal controls over financial accounting to avoid subjecting cybersecurity controls to scrutiny for violations that do not require proof of scienter. If cybersecurity controls are designed to interact with controls needed for financial reporting, the SEC may be able to second-guess the quality of a cybersecurity program under the kind of non-scienter-based internal controls claims rejected in the SolarWinds case.
- Although the decision noted that isolated disclosure failures were not enough to plead a deficient disclosure program under the circumstances, a cybersecurity program is not complete without disclosure controls, both to improve cyber safety through internal communication and to ensure timely disclosures to investors. Companies should create and test protocols to convey cybersecurity-related information to internal decisionmakers and senior executives where appropriate. Inadequate disclosure programs may face SEC scrutiny even without a cybersecurity event, and the SEC is not required to prove recklessness or intent to support a violation.
- Whether an incident requires disclosure or an update to prior disclosures is an incident-by-incident determination based on materiality. Under the new SEC Cybersecurity Rules for public companies, disclosure is mandated within four business days of identifying an incident as material, and follow-up disclosures are necessary where material information becomes available.
- Whether a disclosure is sufficient will be a question of whether it provides information that a reasonable investor would consider important in making an investment decision.
- Companies should ensure information security programs include incident response procedures addressing immediate, hands-on responses to adverse events, including plans for investigation, the engagement of third-party experts and potential cooperation with outside authorities—the last being a noted factor in Judge Engelmayer's rejection of the SEC's scienter allegations.
- CISOs and other officers with responsibility for cybersecurity must be vigilant in reporting material information to senior executives and providing accurate descriptions of cybersecurity protocols to the public, whether directly or indirectly.
- Extra care is warranted when describing a cybersecurity program during a public or private offering of securities because non-scienter-based fraud provisions may apply.
Footnotes
1 SEC v. SolarWinds Corp., No. 23-09518 (S.D.N.Y. July 18, 2024), at 99–100, available at https://www.documentcloud.org/documents/24851956-solarwinds-dismissal-opinion.
2 Id. at 2.
3 Id. at 53.
4 Id. at 57.
5 Id. at 79–80.
6 Id. at 98–99.
7 Id. at 99–100.
8 Id. at 104.
9 Id. at 73.
10 Id. at 75.
11 Id. at 90.
12 Id. at 88.
13 Id. at 93, n.47.
14 Id. at 51–52.
15 Id. at 59.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.