Recently, the Securities and Exchange Commission (“SEC”) filed a complaint in the Southern District of New York against the SolarWinds Corporation, a network and infrastructure management company, and also named the company’s Chief Information Security Officer as an individual in the action. The SEC’s complaint alleges that the defendants defrauded investors and customers through internal control failures, as well as a series of misstatements, omissions, and schemes that obscured SolarWinds’ deficient cybersecurity practices and the cybersecurity threats it was facing. The SEC alleges the disclosure deficiencies violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934, and the control failures violated the reporting and internal control provisions of the Exchange Act. Finally, while the SEC has recently issued cybersecurity rules that will come into effect in December, these allegations are all founded on existing regulations that do not invoke the requirements of the new rules. We summarize the case below and suggest a number of precautions companies can take in contemplation of this more aggressive SEC posture regarding cybersecurity compliance.
Notably, the SEC charged not only SolarWinds but also its Chief Information Security Officer, Timothy Brown, with aiding and abetting the alleged corporate violations. During the relevant time period, Brown was the company’s Vice President of Security and Architecture and head of its Information Security group. In these roles, Brown was responsible for both SolarWinds’ ongoing security efforts and the security architecture within its products.
2020 SUNBURST Supply Chain Cybersecurity Attack
In 2020, SolarWinds disclosed that it had been the victim of a major supply chain cyberattack, now known colloquially as the SUNBURST attack. The attack, widely attributed to Russian state-sponsored hackers, was carried out by accessing SolarWinds’ virtual private network (“VPN”) through an unmanaged device neither owned nor operated by the company. Using this undetected access, the hackers inserted malicious code into software for SolarWinds’ signature Orion products. These products were then delivered to more than 18,000 customers globally, allowing the hackers to obtain unauthorized access to the systems of some customers.
The SEC’s Allegations
In detailing the Defendants’ alleged wrongful conduct, the SEC alleges a series of actions and omissions, from at least SolarWinds’ initial public offering in October 2018 through at least January 12, 2021, to defraud investors. The purported actions and omissions include:
- Ignoring Serious Known Cybersecurity Deficiencies: The SEC alleges that, according to internal emails, messages, and documents, Brown and other SolarWinds employees knew of serious cybersecurity deficiencies. These included not developing Orion and other company products under a secure development lifecycle and not addressing access control deficiencies, including permitting access to SolarWinds’ VPN by unmanaged devices and insufficiently stringent password practices.
- Making Materially False and Misleading Risk Disclosures in SEC Filings: SolarWinds filed numerous SEC registration statements, forms, and periodic reports that the SEC characterizes as containing inadequate disclosures. The SEC emphasizes that repeated disclosures of hypothetical, generalized descriptions of cybersecurity risk were insufficient where a company had in fact experienced events and cyberattacks and was aware of known vulnerabilities in its products. The SEC further emphasizes that Brown repeatedly signed sub-certifications representing that all material incidents had been disclosed to the company executives responsible for its securities filings while being aware of numerous documented cybersecurity failures. Sub-certifications are not required by any SEC rule or regulation, but many companies use them to assist the CEO and CFO in giving their SEC-required certifications of the company’s disclosures.
- Posting Misleading Statements on the SolarWinds Website: During the relevant period, SolarWinds maintained a Security Statement on its website that articulated cybersecurity practices that the SEC alleges contradicted the practices and deficiencies known internally.
- Permitting Multiple Internal Control Failures: The SEC also alleges that SolarWinds lacked sufficient internal accounting controls, failing to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that . . . access to assets is permitted only in accordance with management’s general or specific authorization.” The complaint further alleges that SolarWinds lacked sufficient safeguards to protect against and detect unauthorized access and appropriate controls to ensure that information regarding potentially material cybersecurity risks, incidents, and vulnerabilities was reported to executives responsible for disclosure.
This case represents the most aggressive posture the SEC has taken to date with respect to purported cybersecurity-related disclosure deficiencies and individuals it asserts were personally liable for those deficiencies.
The SEC’s complaint against SolarWinds and Brown underscores its interest in companies’ cybersecurity practices and disclosures and the individual responsibility that certain executives bear for such practices and disclosures. While the SEC’s position remains subject to adjudication, the allegations provide important insights for SEC-registered companies to consider in managing their cybersecurity obligations.
- The SEC is Prioritizing Cybersecurity Enforcement: While many might think of insider trading or securities fraud as the usual purview of the SEC, the recent charges and the new cybersecurity rules highlight that the SEC is making cybersecurity a regulatory and enforcement priority. Companies should carefully evaluate their cybersecurity resourcing and governance to reflect this heightened focus. This should include prioritizing executive and board awareness of industry standard cybersecurity practices, consciously evaluating and documenting resourcing requirements and decisions, and adopting appropriate processes for evaluating and, if appropriate, disclosing cyber events and deficiencies.
- Accurate Disclosure is Key: Companies may do well to continuously assess their risk disclosure practices and, as they do so, consciously account for past material incidents and material vulnerabilities. Perhaps the most challenging aspect will be understanding the thresholds at which events and vulnerabilities must be considered for inclusion in SEC reporting; the SEC’s latest action highlights the value of having defensible processes to support disclosure determinations.
- Individual Executives Should Be Cognizant of their Responsibilities: Individual executives and directors, especially those in management positions with oversight of cybersecurity matters, may have legal obligations to respond to, address, assess, and disclose certain cybersecurity-related events and vulnerabilities. They should seek to establish and maintain frameworks designed to promote the upward reporting of cyber incidents so that executives and other responsible individuals can respond to cybersecurity issues and the company can comply with its disclosure obligations.
- Mind Your Internal Controls: As the SolarWinds complaint makes clear, it is imperative that companies attend to internal controls. There is a broadening awareness of market standard security practices that are an increasing expectation of regulators, customers, and the markets. It will be prudent to develop structured mechanisms for assessing and elevating issues pertaining to such controls for the awareness and decision-making of responsible management.
The key theme underlying all of these points is the value of companies assessing how to support leadership with sufficient procedures to normalize incident and vulnerability assessment, and of merging those procedures with SEC reporting processes. The latest SEC action is likely to drive a focus on these priorities in the coming term.