On July 18, 2024, the Court in SEC v. SolarWinds, 23-cv-09518 (S.D.N.Y. Oct. 30, 2023) dismissed the majority of the claims brought by the Securities and Exchange Commission (“SEC”) against the software company SolarWinds and its Chief Information Security Officer (“CISO”), Timothy Brown, in connection with a state-sponsored cybersecurity attack (“SUNBURST”). As explained in our prior post, the SEC alleged that:
- Prior to the incident, Defendants made and disseminated misleading statements to investors by touting (in a Security Statement on the company’s website, in a range of other public statements, and in the company’s Form S-1 registration statement and subsequent SEC filings) SolarWinds’ purportedly robust cybersecurity practices and products despite knowing that its practices and products had weak cybersecurity;
- Defendants’ Form 8-Ks disclosing SUNBURST were materially misleading by failing to disclose two prior, related attacks and by wrongly depicting SUNBURST’s harm to customers as a theoretical risk;
- SolarWinds failed to maintain adequate cybersecurity controls such as password and VPN protocols, which constituted a failure to maintain sufficient internal accounting controls under Section 13(b)(2)(B) of the Exchange Act; and
- SolarWinds had ineffective disclosure controls and procedures that led to misclassifying two prior, related attacks under its incident response plan and failing to elevate these attacks (in addition to a separate VPN vulnerability) to top executives for disclosure evaluations.
The Court largely dismissed the SEC’s claims and referenced arguments made in a number of amicus briefs supporting dismissal, including one filed by Freshfields. However, the Court sustained the claims alleging Defendants had materially misled investors with respect to the Security Statement posted on the company’s website prior to the incident. As such, companies, CISOs, and cybersecurity professionals should take care with respect to statements concerning their cybersecurity practices and products. Below we highlight key takeaways from the Court’s holding.
Material Misrepresentation and Scheme Liability Claims
Pre-SUNBURST Form S-1 Risk Disclosure. The Court rejected the SEC’s argument that the cybersecurity risk disclosure in SolarWinds’ Form S-1 registration statement, which was incorporated by reference into several SEC filings, materially misled investors by downplaying the gravity of risk that SolarWinds faced. In reaching this decision, the Court rejected the SEC’s characterization of the disclosure as “boilerplate.” Rather, the Court concluded that it adequately described “specific risks that SolarWinds faced given its business model,” including that the company was “vulnerable . . . to traditional computer hackers, malicious code, . . . denial-of-service attacks, and [infiltration by] sophisticated nation-state . . . actors,” that may “remain undetected for an extended period[.]” Mem. at 71 (citations omitted). In noting that “anti-fraud laws do not require cautions to be articulated with maximum specificity,” the Court referenced one of the primary considerations noted in Freshfields’ amicus brief—namely, that “[s]pelling out a risk with maximal specificity may backfire . . . including by arming malevolent actors with information to exploit[.]” Id. at 73.
Additionally, the Court held that SolarWinds did not have a duty to update the risk disclosure to include two incidents that its customers reported to SolarWinds, which Defendants ultimately determined had been precursors to the SUNBURST attack. The Court found that the SEC’s theory was based on impermissible fraud-by-hindsight reasoning—specifically, that it “ha[d] not pled [contemporaneous] facts known to the company that then demonstrated a singular cyberattack” or that the two incidents “reflected a vulnerability within SolarWinds’ own systems, as opposed to those of its customers.” Id. at 78–79.
Post-SUNBURST Form 8-K Disclosures. The Court also rejected the SEC’s argument that three Form 8-K disclosures describing the SUNBURST attack were materially misleading for (1) failing to disclose the two earlier incidents reported by customers and (2) portraying SUNBURST’s impact on customer networks as a theoretical rather than materialized risk. The Court again held that such arguments were grounded in hindsight and speculation and did not consider the Form 8-Ks in their totality. Stressing that “perspective and context are critical,” the Court noted that the first Form 8-K was filed just two days after the cybersecurity firm Mandiant contacted SolarWinds’ Chief Executive Officer to report discovery of a vulnerability in SolarWinds’ product resulting from malware inserted by a malicious actor. “In light of this short turn-around” and the fact that the disclosure was made at an early stage of SolarWinds’ investigation, the Court found that the first Form 8-K had sufficiently disclosed the attack, including by explaining that up to 18,000 customer-installed products “might contain the vulnerability.” Id. at 86.
As to the three Form 8-Ks more broadly, while the SEC alleged that Brown had already “mentally linked” SUNBURST to the two prior incidents reported by customers, the SEC failed to plead that Brown or any other executive had concluded by this time that threat actors had “successfully exploited” the vulnerability inserted into those customers’ products (such that customer harm would have already materialized). Additionally, the lengthy Form 8-K disclosures opined that SUNBURST was likely a “highly sophisticated, targeted and manual… attack by an outside nation state” and noted “media reports ‘of attacks on U.S. governmental agencies and other companies’ that ‘attribut[ed] those attacks to a vulnerability in [SolarWinds] products.’” Id. at 90. As such, the Court found that the Form 8-Ks sufficiently captured the severity of the SUNBURST attack and that the Form 8-Ks’ omission of the earlier customer incidents was immaterial and did not render the disclosures materially misleading.
Pre-SUNBURST Website Security Statement. However, the Court allowed the SEC’s securities fraud claim to survive in connection with the alleged misrepresentations made in the Security Statement posted on SolarWinds’ website prior to the incident. Specifically, the Court found that the SEC had adequately pleaded that the Security Statement was materially misleading in representing that SolarWinds enforced a strong password policy and maintained robust access controls. The Court noted that SolarWinds’ password policy was allegedly unenforced by the company and that employees routinely used simple, unencrypted passwords. Moreover, SolarWinds allegedly “gave far too many employees unfettered administrative access and privileges” that were unnecessary to their job functions, “leaving the door wide open to hackers and threat actors.” Id. at 58. In allowing the claim to survive the motion to dismiss, the Court highlighted allegations referencing internal presentations, communications, cybersecurity assessments, and Sarbanes-Oxley audits which documented that the password and access control problems were longstanding issues that were well-known to employees, including Brown, some of which were reported to management. The Court also rejected the notion that the Security Statement was directed at customers, rather than investors (and therefore was not actionable under the Exchange Act), noting the importance of security to SolarWinds’ business model, and finding that the Security Statement contributed to the total mix of information available to the investing public.
The Court allowed potential individual liability to survive against Brown, holding that the SEC “easily plead[ed]” Brown’s scienter, as he allegedly knew or should have known that the Security Statement was misleading in light of his position as then-Vice President of Cyber Security and Architecture and the multiple presentations he gave to management concerning the need for improvement on these measures. Id. at 62. The Court also found that Brown’s scienter in publishing and maintaining the Security Statement on SolarWinds’ website was properly imputed to SolarWinds given his “lead role on cybersecurity matters at the company.” Id. at 64.
The Court further held that the SEC had adequately pleaded scheme liability as to Brown (and, by imputation, as to the company) in connection with the website’s Security Statement. While the Court noted that “[a]n actionable scheme liability claim [] requires something beyond misstatement and omissions,” Brown had fulfilled this requirement by actively disseminating the Security Statement to customers (e.g., by posting it on the website, sending it to customers seeking more information about SolarWinds’ security practices, and citing it in blog posts, podcasts, and press releases). Id. at 65. However, the Court made clear that while such conduct was sufficient to constitute “dissemination” distinct from the misrepresentation claims, Brown’s signing of sub-certifications underlying certain challenged disclosures was not, as “the core misconduct alleged [there] is in fact a misstatement,” even if it was framed as a “manipulative device.” Id. at 83–84 (citations omitted).
Pre-SUNBURST Press Releases, Blog Posts, and Podcasts. The Court dismissed the SEC’s securities fraud claims based on various public statements made by Brown in company-sanctioned press releases, blog posts, and podcasts. These statements included representations that SolarWinds was “focused on … heavy-duty hygiene,” “place[d] a premium on the security of its products and makes sure everything is backed by sound security processes, procedures, and standards,” and “was committed ‘to high security standards, which its partners rely on to help keep the systems they manage secure and compliant.’” Id. at 67. The Court found that these statements were “non-actionable corporate puffery” and “too general to cause a reasonable investor to rely upon them.” Id. at 68.
Internal Accounting Controls Claims
In a key part of the Court’s decision, the Court squarely rejected the SEC’s attempt to impose Section 13(b)(2)(B) liability for failing to maintain appropriate internal accounting controls on the basis of insufficient cybersecurity controls. It held that “[a]s a matter of statutory construction, [the SEC]’s reading is not tenable,” id. at 96, as the plain language of the statute makes clear that the provision pertains solely to a company’s financial accounting controls. In reaching this decision, the Court noted that the SEC’s reading would have “sweeping ramifications,” such as “empower[ing] the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds . . . and the [precise] lengths and configurations of passwords required to access company computers.” Id. at 100. The SEC failed to plead “any basis to conclude that Congress, in enacting Section 13(b)(2)(B), intended to confer such power upon the SEC.” Id.
This holding is particularly notable because the SEC has relied on its new and expansive interpretation of the accounting controls rule to cover cybersecurity measures in other recent contexts, including its settlement last month with R.R. Donnelley & Sons Company. Following that settlement, which involved a civil penalty of over $2 million, Commissioners Peirce and Uyeda issued a statement critical of the Commission’s application of the accounting controls rule in the cybersecurity context.
Disclosure Controls Claims
The Court also dismissed the SEC’s allegations that SolarWinds failed to maintain disclosure controls and procedures by internally misclassifying the severity of the two earlier incidents reported by customers, such that, pursuant to SolarWinds’ Incident Response Plan, those incidents were not elevated to top executives for disclosure evaluation. Additionally, the SEC relied on a separate failure to elevate a VPN vulnerability that SolarWinds identified a few years prior to the SUNBURST attack. The Court found that the SEC did not plead any deficiency in the company’s systems as to the recording, processing, and reporting of requisite information up the chain within a reasonable time. Further, the Court found that the SEC’s second-guessing of the company’s classification of the two pre-SUNBURST customer incidents was impermissibly premised on fraud by hindsight.
Lessons Learned
The Court’s decision is helpful in foreclosing many of the unprecedented theories of liability that the SEC has sought to impose on companies and CISOs. Nevertheless, as some claims will proceed, the decision provides helpful guidance to companies, CISOs, and their teams:
- Be mindful of all cybersecurity representations, including those made on company websites. As with SolarWinds’ Security Statement, statements posted on company websites could potentially be used as a basis for securities fraud. Accordingly, there should be an adequate process for CISOs or other appropriate personnel to vet any cybersecurity statements made to the public, regardless of form or medium in which they are distributed.
- Ensure all cybersecurity representations accurately reflect the company’s actual practices. One of the Court’s primary observations in allowing certain claims to proceed was that, despite the Security Statement’s representations on the company website, (i) employees, including Brown, had allegedly been aware of failures to enforce the company’s password policy and (ii) senior management had likewise been aware of access control issues but had failed to rectify them. With this in mind, it can be helpful for CISOs to work with legal and marketing teams to ensure that any statements match on-the-ground cybersecurity practices and are not likely to be misinterpreted or misunderstood by the public.
- Internal communications should maintain a professional tone and not only identify cybersecurity issues, but also contemplate a path for their resolution. Throughout the opinion, the Court referenced employee statements from instant messages that were, among other things, incriminating, inflammatory and speculative. CISOs and their teams should be mindful of their comments (even in informal channels such as Slack or Teams) and avoid unnecessary, imprecise, or inflammatory language. Additionally, when documenting and/or communicating to management any cybersecurity issues, it would be prudent to include proposed action plans for resolving vulnerabilities that have been identified. As in SolarWinds, internal communications may be pivotal in building a plaintiff’s liability claim or, ideally, in dismantling it.