U.S. Federal District Court Judge Dismisses Much of SEC’s Claims Against SolarWinds and its CISO Relating to SUNBURST Cybersecurity Attack

On Thursday, July 18, 2024, Judge Paul Engelmayer, U.S. District Judge for the Southern District of New York, dismissed the bulk of the Securities and Exchange Commission’s (SEC’s) landmark civil securities law claims against SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown.  The Court dismissed all allegations based on SolarWinds’ public disclosures made after SolarWinds became a victim of the well-publicized SUNBURST cybersecurity attack, and also dismissed the SEC’s claims relating to SolarWinds’ internal accounting controls and disclosure controls and procedures.  However, the Court declined to dismiss claims of securities fraud against SolarWinds and its CISO based on SolarWinds’ pre-SUNBURST disclosures, finding that the SEC had properly pleaded that the company’s publicly-posted “Security Statement” was materially false and misleading. 

The decision will be closely scrutinized by public companies, especially technology companies, to understand the terrain regarding cybersecurity disclosures and risk management.  Further, the decision will have broad implications beyond cybersecurity matters, as the Court squarely rejected the SEC’s theory that internal accounting controls violations can arise from controls issues unrelated to a company’s financial accounting controls, such as cybersecurity controls.

1. Background

   SolarWinds is a publicly-traded company that designs and sells software used to manage computer systems, including its flagship “Orion” software platform. In 2017, SolarWinds’ vice president of security and architecture and head of its information security group gave internal presentations highlighting the company’s cybersecurity weaknesses. After this presentation, SolarWinds posted a Security Statement on the “Trust Center” section of its website, without fixing its known cybersecurity problems. Despite knowledge of certain flaws, SolarWinds continued to publicly highlight its robust cybersecurity practices from 2018 to 2020. The Security Statement represented that SolarWinds: (1) followed the NIST “Cybersecurity Framework for evaluating cybersecurity practices; used a secure developmental lifecycle to create its software products; (2) employed network monitoring; (3) had strong password protections; and (4) maintained good access controls.”  (Order at 7).  However, the Court found that certain NIST assessments “revealed multiple programmatic failures at an organizational level that directly contradict the Security Statement and placed Solar Winds at materially increased risk of a cybersecurity incident.” (Order at 11-24).

   Though unknown to SolarWinds at the time, in January 2019, threat actors used stolen credentials to access SolarWinds’ corporate VPN through third-party devices, exploiting weaknesses that previously had been identified by SolarWinds.  Beginning in February 2020 the threat actors inserted malicious code into three different Orion software builds that were used by approximately 18,000 customers, including government entities.  The malicious code gave the threat actors a “backdoor into the network environments of SolarWinds’ customers who downloaded and installed the infected versions of the software to systems that were connected to the internet.” (Order at 28). These attacks collectively came to be known as the SUNBURST cybersecurity event.

   Separately, between January and June 2020, SolarWinds and its CISO learned of an increase in threats to its products and customers, specifically SolarWinds’ managed service provider (MSP) products.  SolarWinds learned that nine SolarWinds customers, who were MSP users, suffered attacks through SolarWinds’ MSP products.  Although SolarWinds investigated the issue, it was unable to determine how the threat actors were able to use accurate credentials to gain access, suggesting that they had obtained customer credentials.

   In June 2020, the U.S. Department of Justice’s U.S. Trustee Program (USTP) evaluated a trial of SolarWinds’ Orion software, following which it notified SolarWinds of malicious activity involving the Orion software.  SolarWinds investigated the USTP’s concerns and uncovered evidence of threat actor attacks, but was unable to determine the root cause of the malicious activity, preventing SolarWinds from remediating the vulnerability. SolarWinds’ CISO became aware of the attack on the USTP and described it as “very concerning.” (Order at 31).  In October 2020, a second SolarWinds customer (Customer Two) notified SolarWinds about malicious activity involving the Orion BusinessLayer software.  SolarWinds’ employees noted some similarities to the USTP activity, and the CISO was notified about this incident and the similarities to the USTP incident.

   In December 2020, a third customer (Customer Three) notified SolarWinds of an attack on its Orion platform.  Customer Three reverse-engineered the Orion software code and identified the root cause of the activity and notified SolarWinds of a vulnerability it its Orion product.  The CISO linked the Customer Three’s incident to the USTP incident and the October 2020 incident with Customer Two.

   Immediately following the Customer’s Three report about malicious code having been inserted in the Orion software, the CISO and other SolarWinds employees prepared a Form 8-K to publicly report this event. SolarWinds filed Form 8-Ks on December 14, 2020, December 17, 2020 (containing an update), and January 11, 2021 (reporting additional information and findings from SolarWinds investigation).
   
   

2. The SEC’s Claims

   In October 2023, the SEC sued SolarWinds and its CISO alleging (1) securities fraud under Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) and related rules, (2) negligent securities fraud under Section 17(a) of the Securities Act of 1933 (Securities Act), (3) false SEC filings under Section 13(a) of the Exchange Act and related rules.  The SEC also brought claims against SolarWinds for ineffective internal controls and procedures under Section 13(b)(2)(B) of the Exchange Act (failure to devise and maintain a system of internal accounting controls) and Exchange Act Rule 13a-15(a) (ineffective disclosure controls and procedures).  The SEC did not bring claims under recently finalized cybersecurity incident regulations, and therefore the Court did not address these new rules.
   
   

3. The Court’s Decision
   1. Claims Allowed to Proceed
      

      The Court concluded that the SEC had sufficiently alleged that the pre-SUNBURST disclosures in the SolarWinds’ Security Statement were false and misleading.  However, the Court dismissed the securities fraud and false statement allegations based on other statements and filings.  As to pre-SUNBURST disclosures the Court found that the SEC had properly alleged that the Security Statement contained misrepresentations concerning two of the five cybersecurity practices, specifically SolarWinds’ (1) access controls and (2) password protection policies.  The Court found allegations that “the largely indiscriminate provision of administrative access to employees blatantly contradicts the Security Statement's representations to the public that: (1) ‘[e]mployees are granted access to certain additional resources based on their specific job function’; and (2) the company provided access to sensitive data on a ‘need-to-know / least privilege necessary basis.’” (Order at 53 (internal citation omitted)). 

      The Court concluded that the SEC’s allegations “chronicle diverse findings contradicting SolarWinds’ public representations” and that the SEC’s amended complaint “plausibly alleges that Solar Winds and [its CISO] made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls. Given the centrality of cybersecurity to SolarWinds’ business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material.”  (Order at 56).

      Next, the Court turned to the SEC’s allegations concerning SolarWinds’ password policies, specifically that SolarWinds’ stated password policy was not enforced, employees routinely used unencrypted passwords, and that SolarWinds had been notified by an outside cybersecurity researcher that the password to a SolarWinds server was publicly available. (Order at 57). The Court concluded that “the Security Statement’s statements about the muscularity of the company's password practices are well pled as misleading if not outright false. These misrepresentations, too, are well pled as material, especially given the nature of the company's products and customer base.”  (Order at 59-60).

      The Court rejected SolarWinds’ argument that the Security Statement cannot constitute securities fraud because it was directed to customers, not investors.  (Order at 51).  Even though the Security Statement was aimed at persuading customers to buy SolarWinds products, it was public, and therefore, accessible to investors, and thus part of the “‘total mix of information’ SolarWinds furnished to the investing public.” (Order at 51).

      The Court found that that SEC had “easily plead[ed]” SolarWinds’ CISO’s scienter, as he approved the Security Statement and had access to internal information contradicting the Security Statement’s representations. (Order at 62). The Court imputed his scienter to SolarWinds.  (Order at 64).
      
      

   2. Dismissed Claims

      The most notable of the Court’s rulings was its determination that the phrase “internal accounting controls” cannot be interpreted to include an issuer’s cybersecurity controls. (Order at 95-96).  The SEC alleged that SolarWinds violated Section 13(b)(2)(B) of the Exchange Act because its “source code, databases, and products were its most vital assets,” and that, due to SolarWinds cybersecurity deficiencies, the company had failed to limit access to these “only in accordance with management's general or specific authorization.”  (Order at 95).  The Court analyzed the text of 13(b)(2)(B)(ii), which requires public companies to “devise and maintain a system of internal accounting controls” and found “untenable” the SEC’s reading that this provision covers an issuer’s cybersecurity controls.  (Order at 95-96).  The Court concluded that Section 13(b)(2)(B), including the term “assets,” does not cover “a failure to detect a cybersecurity deficiency,” but rather, is meant to require that an issuer “accurately report, record, and reconcile financial transactions and events.”  (Order at 98).  The Court found this interpretation consistent with other court decisions as well as the fact that Sections 13(b)(2)(A) and (B) were enacted as part of the Foreign Corrupt Practice Act, as “accounting provisions” to ensure accurate books and records of a company.  (Order at 100-101).

      The Court separately dismissed claims relating to SolarWinds’ cybersecurity risk factor disclosures in its pre-IPO Form S-1, finding that “SolarWinds' cybersecurity risk disclosure, . . .  enumerated in stark and dire terms the risks the company faced were its cybersecurity measures to fail. Although a reasonable investor could easily have been led astray by the Security Statement, such an investor could not have been misled by the risk disclosure.”  (Order at 70).  While the Court concluded part of the risk factor disclosure was generic, it found that SolarWinds had detailed the specific risks it faced, including how a security breach could have damaging consequences to the Company. (Id. at 71-72).  Notably, the Court rejected the SEC’s arguments that SolarWinds did not spell out risks in sufficient detail, finding that “the case law does not require more, for example, that the company set out in substantially more specific terms scenarios under which its cybersecurity measures could prove inadequate.”  (Order at 73).  The Court went on to note that detailing risks “with maximal specificity may backfire in various ways, including by arming malevolent actors with information to exploit, or by misleading investors based on the formulation of the disclosure or the disclosure of other risks at a lesser level of specificity.”  (Order at 73). 

      The Court similarly rejected the SEC’s argument that SolarWinds was required to update its risk disclosure to account for the incidents involving USTP and Customer Two, concluding that SolarWinds’ pre-SUNBURST disclosure “must be evaluated based on the information the company had in real time and the conclusions it reasonably drew from that information,” as opposed to hindsight.  (Order at 76).  The Court faulted the SEC for failing to plead facts that SolarWinds knew, or had internally concluded, that the two incidents were part of a “singular cyberattack” that was serious or pervasive.  (Order at 77-78).  Because the SEC failed to plead that the cybersecurity risk disclosure was materially false or misleading, the Court dismissed the Section 13(a) claim.  (Order at 84).

      The Court dismissed the SEC’s claims that SolarWinds December 14, 2020 Form 8-K was misleading, finding that “perspective and context are critical.”  (Order at 86).  The Court explained that the Form 8-K was not factually inaccurate, describing how the Form 8-K disclosed the SUNBURST vulnerability, the potential for compromise, and “widespread news accounts of attacks on governmental agencies and private companies that attributed these attacks to a vulnerability in the Orion Server.”  (Order at 87).  The Court found the SEC’s allegations insufficient as the Form 8-K “bluntly reported brutally bad news for SolarWinds,” and was not misleading for failing to disclose the USTP and Customer Two’s incidents.  (Order at 88).  These disclosures, made within two days of learning of the compromise, captured the severity of the SUNBURST attack.  (Order at 90).

      The Court also dismissed the SEC’s claims relating to SolarWinds’ cybersecurity statements made in press releases, blog posts, and podcasts, determining them to be “non-actionable corporate puffery” that were “too generic” for a “a reasonable investor” to have “relied on them in making investment decisions.”  (Order at 68).

      The Court provided two reasons for rejecting the SEC’s claims that SolarWinds had defective disclosure controls, due to how SolarWinds classified the incidents involving USTP and Customer Two under its incident response plan.  First, the Court noted that the SEC admitted that SolarWinds had a system of controls to help with the disclosure of cybersecurity events (or rather, that SEC did not allege that SolarWinds lacked such controls).  (Order at 103).  Second, the Court ruled the SEC did not plead that SolarWinds’ disclosure controls were defective, finding that the mere misclassification of two incidents – as opposed to frequent errors – “an inadequate basis on which to plead deficient disclosure controls.”  (Order at 104).
      
      

4. Key Takeaways
   1. Internal Accounting Controls Violations Must Relate to Accounting or Financial Recordkeeping

      Judge Engelmayer’ s methodical rejection of the SEC’s use of Section 13(b)(2)(B) to cover cybersecurity controls is likely to have a broad impact for all public companies, especially outside of the cybersecurity realm.  In the past years, the SEC has used this provision to obtain settlements with issuers over matters such as controls surrounding stock buybacks.  More recently, in June 2024, the SEC obtained a settlement against an issuer for violations of Section 13(b)(2)(B) for failing to design and maintain internal controls to prevent unauthorized access to company assets when that issuer was hacked – a theory of liability now squarely rejected by a federal district court.  Thus, the SEC may be substantially limited in its use of Section 13(b)(2)(B) in investigations and enforcement, including in cybersecurity matters.
      
      

   2. Public Statements About Cybersecurity

      While SolarWinds and its CISO prevailed on many of their arguments, the Court nevertheless permitted claims to proceed regarding SolarWinds’ cybersecurity representations in its Security Statement.  Thus, statements outside of securities filings continue to present potential risk for SEC enforcement and potential shareholder lawsuits.  Such statements are fairly common in the tech space, particularly for companies that offer software, cybersecurity, or other IT products, and thus present heightened risks for these companies and their CISOs.  Publicly-traded companies should consider whether to create a review process for such statements (including blogs, podcasts, and potential remarks at public conferences), similar to how securities filings are reviewed prior to filing, and ensure that relevant constituencies are involved to ensure accuracy and lack of conflicting internal information.
      
      

   3. Risk Factor Disclosures

      The Court ruled that SolarWinds’ broad disclosure of “the risks the company faced were its cybersecurity measures to fail” could not have misled a reasonable investor.  (Order at 70).  Indeed, the Court found SolarWinds’ generic disclosures, coupled with a listing of specific risks, sufficient and that the securities laws do not require spelling out more detailed risks, as sought by the SEC. (Order at 71-73).  Thus, companies disclosing cybersecurity risks and their potential consequences may take comfort that at least one district court has rejected the idea of “maximal specificity” in cybersecurity incident disclosures.  The Court also embraced the concept of companies making disclosures based on the information had in real time and conclusions they reasonably draw from this information, as opposed to requiring disclosures, or updates to disclosures, based on what companies might be able to conclude later in time with the benefit of subsequent learned information.  Thus, companies should have some comfort that courts are unlikely to second-guess disclosures in risk-factors.  However, in light of the SEC’s new cybersecurity incident reporting rules, which were not addressed by the Court, public companies should review their cybersecurity processes and internal reporting protocols to ensure that information is being reported to appropriate stakeholders to determine whether an incident is “material” and what details must be disclosed about the event.
      
      

   4. CISO and Potential Individual Liability

      The Court’s ruling did not reject the SEC’s ability to bring enforcement charges directly against SolarWinds’ CISO, Timothy Brown, for statements made in the publicly-facing Security Statement.  The SEC’s charges in SolarWinds highlight that, in addition to potential exposure facing companies, public companies must consider how to protect CISOs given that they may be individually targeted by the SEC and shareholders in the aftermath of a cybersecurity incident, as shown in the example of SolarWinds’ CISO. 

      As a general matter, companies should provide rigorous training that will put CISOs and similarly-situated individuals in the best position to avoid enforcement actions for failures to detect and disclose cybersecurity weaknesses. Part of that training should include educating CISOs on the mechanism for promptly internally reporting cybersecurity incidents to appropriate stakeholders, the requisite information to be provided, and guidance on how to interact with the company’s disclosure committee and disclosure counsel.  Taking these steps will not only protect CISOs when it comes to potential SEC enforcement inquires and actions, but will also increase their effectiveness and performance in protecting companies against significant cybersecurity incidents.

      Beyond enhanced cybersecurity training, companies can protect their CISO by ensuring that their Directors and Officers (D&O) insurance programs explicitly cover CISOs, just as they protect other company officers, such as CEOs and CFOs. While cyber liability insurance is equally important, typically cyber coverage protects against unauthorized access to a company’s computer system, data loss or theft, and potentially incident response, but does not protect CISOs against enforcement actions or shareholder litigation that may arise from decisions and actions taken as part of their duties. Ensuring that CISOs are protected under a company’s D&O coverage can provide executive officers with valuable peace of mind and the critical funds needed to defend against potentially costly enforcement actions following a breach or incident, as well as for indemnity against potential judgments or settlements. 

---

Crowell & Moring LLP will continue to monitor this case and provided updates on developments as appropriate.