On Thursday July 18, a Southern District of New York court dismissed much of the U.S. Securities and Exchange Commission's (SEC) case against SolarWinds Corp.
While not binding on other courts, the thorough 107-page opinion may have implications for the SEC's approach as it continues to pursue cyber incident litigation against corporate defendants. Among other things, the opinion recognized that, even when a public company has a duty to disclose a material cybersecurity incident, the sufficiency of those disclosures cannot be judged by hindsight and must fairly consider the information known to the company at the time.
In addition, the Court's opinion rejects the SEC's efforts to expand the requirement that companies maintain a system of "internal accounting controls" to cover cybersecurity controls. At the same time, in sustaining a portion of the SEC's claim, the opinion shows that statements outside of securities filings—in this case, on the company's website—can form the basis for actionable securities fraud claims and that companies should ensure that such statements do not become stale or inaccurate over time due to changing information.
Background
On December 12, 2020, SolarWinds received information from a customer that it had a vulnerability in its Orion product as a result of malicious code inserted by a threat actor, which had infiltrated thousands of networks (the "Sunburst Attack").
The SEC soon began investigating the adequacy of SolarWinds' cybersecurity-related disclosures to investors, and, in October 2023, filed an enforcement action in the Southern District of New York against SolarWinds and the head of its information security group. The SEC alleged that (i) various statements by SolarWinds—both before and after the Sunburst Attack—violated the anti-fraud provisions of the U.S. securities laws and (ii) SolarWinds failed to devise and maintain a system of internal accounting controls and had ineffective disclosure controls and procedures.
Key Holdings in the SolarWinds Case
The Court's decision rejected most of the SEC's theories. While a discussion of every theory addressed by the Court in its 107-page opinion is beyond the scope of this summary, we highlight three issues below that are likely to have particular significance:
- Certain Pre-Attack Claims Allowed to Proceed. While dismissing most of the SEC's theories, the Court found that the SEC had adequately pled a securities fraud claim against both SolarWinds and the head of information security based on a "Security Statement" posted on SolarWinds' website in the years before the Sunburst Attack. The Court rejected the defendants' argument that the statement was not actionable because it was directed to customers, not investors, noting "it is well established that false statements on public websites can sustain securities fraud liability." Further, the Court found that the Security Statement's representations regarding SolarWinds' access controls and password protection policies "were materially misleading by a wide margin." The Court cited evidence that "SolarWinds was routinely promiscuous in freely granting administrative rights to employees and conferring access rights way beyond those necessary for employees' specific job functions" and that "the company's stated password policy was generally not enforced."
- Court Dismissed Claims Based on Post-Sunburst Attack Form 8-Ks. In the days following the Sunburst Attack, SolarWinds made a series of disclosures concerning the attack in its Form 8-K filings. The SEC alleged that those disclosures were materially misleading because they did not disclose two earlier cyber incidents and gave the impression that the vulnerability was "purely theoretical." The Court rejected this theory, emphasizing that, "as to this claim, perspective and context are critical." SolarWinds filed the first Form 8-K two days after the customer first contacted SolarWinds. As such, the Court explained that "the disclosure was made at a time when SolarWinds was at an early stage of its investigation, and when its understanding of that attack was evolving." The Court concluded that "the lengthy Form 8-K disclosure, read as a whole, captured the big picture: the severity of the SUNBURST attack."
- Dismissal of Internal Accounting Control and Disclosure Control Theories. The Court also rejected in total the SEC's internal control theories. First, the SEC claimed that the Sunburst Attack showed that SolarWinds had failed to devise and maintain a system of "internal accounting controls," as required under Section 13(b)(2)(B) of the Exchange Act. The SEC has expansively interpreted "internal accounting controls" in settled proceedings over the years. But in this litigated action, the Court rejected the SEC's theory based on a plain reading of the word "accounting," which it held "refers to a company's financial accounting" and not "every internal system a public company uses to guard against unauthorized access to its assets." The Court also rejected the SEC's theory that SolarWinds violated an SEC rule requiring it to have "disclosure controls and procedures." The Court noted that SolarWinds, even as alleged by the SEC, "had a system of controls in place to facilitate the disclosure of potentially material cybersecurity risks and incidents," which was "designed to ensure that material cybersecurity information was timely communicated to the executives responsible for public disclosure." The system "scored" various events to determine whether they required disclosure to executives. The Court found that SolarWinds in fact investigated the pre-Sunburst cyber incidents and essentially rejected the SEC's contention that those incidents had not been assigned the appropriate "score."
Takeaways
- Ensure Website and Other Disclosures Remain Accurate. The one theory the Court sustained related to a statement on the company's website. While the Court found this statement false and misleading from publication, the decision nevertheless highlights that companies should maintain a process to ensure that informal disclosures (such as on a website or in promotional materials) do not become stale and potentially misleading over time.
- Proactive Cybersecurity Measures. Organizations should invest in robust cybersecurity frameworks and regular audits to mitigate risks and demonstrate due diligence in protecting sensitive information and responding to cybersecurity incidents. The Court's dismissal of the SEC's claims based on formal disclosures (i.e., the company's Form 8-K disclosures) is notable and useful for companies because it recognizes that "perspective and context are critical," and that post-incident disclosures should not be judged with perfect hindsight. At the same time, SolarWinds was able to defeat these claims in part because it did have disclosure procedures in place and issued a lengthy, detailed, appropriately caveated Form 8-K following the Sunburst Attack.
- Reining In Internal Accounting Controls. Finally, the Court's ruling on the plain meaning of the internal accounting controls provision—i.e., that "accounting" means "accounting"—may cabin the SEC's more expansive internal controls theories of enforcement, both in cybersecurity cases and more broadly.