The U.S. District Court for the Southern District of New York has dealt a significant blow to the cybersecurity enforcement efforts of the U.S. Securities and Exchange Commission (SEC or Commission). In its July 18, 2024, decision, the court dismissed the majority of the SEC's complaint against SolarWinds Corporation (SolarWinds), a software vendor that experienced a large-scale cybersecurity attack in 2020, and its chief information security officer (CISO), Tim Brown. The court's decision leaves in place only the SEC's allegations related to pre-attack descriptions of SolarWinds' cybersecurity practices in a public Security Statement. The SEC's case against SolarWinds and Brown — the first time the SEC has alleged that a CISO violated securities laws in connection with a company's cybersecurity practices — has been closely watched by cybersecurity and SEC reporting professionals alike. We previously analyzed the SEC's initial October 2023 complaint.

The SEC's complaint, which was amended in February 2024, alleged a variety of scienter-based securities fraud claims, as well as false filing and internal controls violations by SolarWinds and Brown. While a number of the SEC's allegations were specific to SolarWinds' statements about the 2020 cyberattack known as SUNBURST, which is believed to have been conducted by state-sponsored hackers in Russia, many of the SEC's allegations were broader and pertained to general statements by the company and Brown about the strength of SolarWinds' cybersecurity program prior to SUNBURST. The SEC stated expressly in the amended complaint that SolarWinds' and Brown's actions would have violated federal securities laws even if the SUNBURST attack had not occurred.[1]

The court dismissed all of the SEC's false filing and internal controls claims, including a novel theory that the Exchange Act requires adoption of cybersecurity controls to prevent unauthorized access to an issuer's computer systems. The court also dismissed all but one of the SEC's securities fraud claims. The court sustained the SEC's claim that a Security Statement posted on SolarWinds' website describing the company's cybersecurity practices was materially misleading in at least several respects. The court otherwise dismissed the SEC's securities fraud claims, which were based on a variety of alleged misstatements in formal SEC filings (both before and after discovery of SUNBURST) as well as in blog posts, press releases, podcasts and presentations.

Publicly traded companies — and their cybersecurity leaders — should review the court's decision closely. The decision walks through each of the alleged misstatements by SolarWinds and Brown and in doing so provides substantial guidance on how companies and their cybersecurity executives might publicly discuss their cybersecurity practices without running afoul of securities laws. The decision also sheds light on the reach of certain internal controls requirements, holding that certain shortcomings in a company's cybersecurity incident-response processes do not necessarily add up to internal control failures.

Key Points

We highlight the following key points from the court's decision to dismiss most of the SEC's complaint:

  • Customer-facing statements are actionable under securities laws. The court rejected an argument by defendants that a Security Statement posted on the SolarWinds public website was not actionable under securities laws because it was intended to be customer-facing, not investor-facing. The court found that because the Security Statement was "accessible to all, including investors … [was] part of the 'total mix of information' that SolarWinds furnished the investing public … and the company's representations, as pled, were materially misleading by a wide margin." Investors could reasonably have relied on "misrepresentations as to at least two of the five cybersecurity practices" for information about the company's cybersecurity practices. Companies should be aware that any public statements — even if not directed towards investors — may be actionable under securities laws.
  • Companies should carefully scrutinize public statements about their cyber practices. Although the court ultimately dismissed the SEC's allegations related to SolarWinds' and Brown's statements in press releases, blog posts, podcasts and elsewhere, this case provides an important reminder that companies must be cautious when making public statements about their cyber practices. Any public statements — even informal ones in blog posts, etc. — may give rise to securities fraud claims. The court's detailed decision provides some helpful guidance on the difference between actionable and non-actionable statements. While the court rejected the SEC's allegations based on general claims by SolarWinds and Brown that the company prioritized cybersecurity, it upheld allegations based on specific claims in SolarWinds' Security Statement that the company adopted strong access control and password practices — claims that were undermined by various internal statements, audits, and assessments. The SEC's Enforcement Division will undoubtedly continue to scrutinize both formal and informal public statements as potential bases of securities fraud claims.
  • Consider internal communications. Core to the SEC's allegations — including its claims sustained by the court that SolarWinds and Brown made material misrepresentations in the Security Statement — were a litany of internal emails, presentations, and other statements regarding the company's cybersecurity practices. The SEC alleged that these various internal communications undermined the company's public statements and showed that SolarWinds and Brown knew that such public statements were false. Companies should prioritize training their employees on communicating internally in a way that truthfully communicates problems and concerns without creating excessive legal risks.
  • Contrary to the SEC's position, Exchange Act requirements to maintain "accounting controls" do not require implementation of cybersecurity controls. The court rejected the SEC's argument that Section 13(b)(2)(B)(iii) of the Exchange Act requires issuers to adopt cybersecurity controls to prevent unauthorized access to their computer systems. The court's decision in this regard is significant, as a contrary holding could have provided the SEC with sweeping authority to regulate issuers' cybersecurity (and potentially many other) practices. Of course, cybersecurity practices still are very much relevant to companies' compliance with securities laws, including various provisions introduced by Sarbanes-Oxley.
  • Incident response plans are relevant to companies' disclosure controls — but isolated errors are not control deficiencies. The SEC alleged that SolarWinds' disclosure controls were deficient because the company failed to adequately classify incidents related to SUNBURST, resulting in those incidents not being reported to the company's management. The SEC's claims are an important reminder that a company's incident response plan (IRP) is an important part of its disclosure controls, and companies should assess whether their IRPs adequately ensure reporting of significant incidents to management. That said, the court ultimately rejected the SEC's claims, holding that even if SolarWinds employees had misclassified the incidents, isolated errors did not make the company's disclosure controls inadequate.

Background

SolarWinds is a developer of business IT monitoring and management software, including the company's "Orion" platform. In December 2020, SolarWinds learned that Orion had been exploited by hackers (believed to be state-sponsored actors working for the Russian Foreign Intelligence Service) to accomplish a massive supply chain attack against SolarWinds' customers. As part of the attack, known as SUNBURST, hackers inserted malicious code into legitimate Orion software updates. SolarWinds then distributed the compromised updates, which allowed the attackers to gain remote access to the networks of tens of thousands of SolarWinds customers from approximately March to December 2020.[2] Numerous federal government agencies and private sector operators of critical infrastructure were affected.

Following an investigation, the SEC filed suit against SolarWinds and Brown on October 30, 2023, and amended its complaint on February 16, 2024. The SEC alleged both scienter-based securities fraud and internal controls and false filing violations by the company and Brown.[3] Defendants moved to dismiss the amended complaint on March 22, 2024. Defendants' motion was supported by numerous amicus curiae briefs, including one from former federal government law enforcement and national security officials and another from more than 50 cybersecurity leaders.

The Court's Decision

The court organized its decision dismissing most of the SEC's amended complaint into the following sections:

  • Pre-SUNBURST disclosures, including those in the company's Security Statement, press releases, blog posts, podcasts, and presentations, and in various SEC filings, including SolarWinds' Form S-1, 10-Q, and 10-K filings;
  • Post-SUNBURST disclosures in SolarWinds' various Form 8-K filings regarding the attack and the company's response to it; and
  • The SEC's internal controls allegations, including the Commission's novel theory that Section 13(b)(2)(B)(iii) of the Exchange Act requires issuers to adopt cybersecurity controls to prevent unauthorized access to their computer systems.

We analyze each of these three sections of the court's decision below.

Pre-SUNBURST Disclosures

SolarWinds' Security Statement

While the court dismissed nearly all of the SEC's amended complaint, it sustained the SEC's allegations that SolarWinds and Brown committed securities fraud by making various material misstatements in a Security Statement posted to the company's website. The Security Statement was intended to be a customer-facing document that described SolarWinds' cybersecurity program and commitment to strong cyber practices. The SEC alleged that Brown was liable for the contents of the Security Statement because of his role in reviewing and approving its content. The SEC highlighted five alleged material misstatements in the Security Statement, specifically that the company:

  1. Complied with the National Institute of Standards and Technology ("NIST") Cybersecurity Framework for evaluating cybersecurity practices;
  2. Used a secure developmental lifecycle to create its software products;
  3. Employed network monitoring;
  4. Had strong password protections; and
  5. Maintained good access controls.

At the outset, the court brushed aside defendants' assertion that the Security Statement was not actionable under securities laws because it was intended to be customer-facing, not investor-facing. The court stated that although "the Security Statement was aimed at persuading customers to buy Solar Winds' ostensibly cybersecure products … the Statement was on SolarWinds' public website and accessible to all, including investors," and therefore was "part of the 'total mix of information' that SolarWinds furnished the investing public."

The court then held that the Security Statement was materially misleading with respect to at least two sets of statements: those regarding SolarWinds' access controls and those regarding the company's password-protection policies. The Security Statement included claims that the company used role-based access controls, implemented the principle of least privilege when assigning access to systems and data, employed a formal process for reviewing and approving access requests, required use of complex passwords, and individually assigned user IDs, among others.

The court recited numerous allegations from the amended complaint that both the company and Brown were aware that SolarWinds did not actually follow the relevant assertions in the Security Statement. Among other things, the SEC alleged that company executives and other employees repeatedly discussed deficiencies in SolarWinds' access controls and password protections, including in various emails and presentations. The SEC further alleged that multiple assessments and audits, including several based on the NIST Cybersecurity Framework and NIST's Special Publication 800-53, identified multiple serious deficiencies related to the company's access controls and password policies, and that the results of those audits and assessments were known to Brown and other company executives. Based on these and other allegations, the court found that the SEC adequately pled that the company and Brown engaged in scienter-based securities fraud because they knew that the Security Statement was materially misleading. Having found the SEC's allegations adequate with respect to SolarWinds' misrepresentations related to access controls and password protections, the court did not address the SEC's allegations that other aspects of the Security Statement were materially misleading as well.

Statements in Press Releases, Blog Posts, and Podcasts

The court next considered the SEC's allegations that defendants had made material misstatements in various press releases, blog posts, podcasts, and presentations. The amended complaint cited numerous such statements, particularly by Brown, including that SolarWinds "focused on … heavy-duty hygiene," "places a premium on the security of its products and makes sure everything is backed by sound security practices," and is committed "to high security standards." The court concluded that none of these statements contained the requisite level of detail on which a reasonable investor might rely. The court stated that the statements were mere "corporate puffery" and dismissed any of the SEC's claims predicated upon such statements.

Pre-SUNBURST SEC Filings

The court also found in favor of SolarWinds and Brown with respect to the SEC's claims that the company committed fraud by failing to adequately disclose cybersecurity risks in its Form S-1 (related to the company's IPO and a later securities offering) and periodic filings thereafter. The court's holding ultimately turned on its view that the company's cybersecurity risk disclosure sufficiently "enumerated in stark and dire terms the risks the company faced were its cybersecurity measures to fail." The court repeatedly rejected the Commission's arguments that the risk disclosure was too generic to put investors on notice, noting that "the case law does not require more, for example, that the company set out in substantially more specific terms scenarios under which its cybersecurity measures could prove inadequate.… [T]he anti-fraud laws do not require cautions to be articulated with maximum specificity" because "the more specific the caution, the more likely it is to mislead a reasonable investor" (for example, by misrepresenting that a risk is only possible in a very specific set of circumstances). The court further noted that requiring companies to detail cyber risks with "maximal specificity" could result in "arming malevolent actors" with information useful for committing cyberattacks.

While the court acknowledged that issuers generally have a duty to update their disclosures when necessary to avoid misleading investors, it disagreed with the SEC that SolarWinds was required to update its disclosures when it received several reports from customers that ultimately were related to SUNBURST. The court noted that SolarWinds' existing cyber risk disclosures already warned investors of the threat, volume, intensity, and sophistication of such attacks. The court further determined that the complaint failed to plead that the company had concluded that the two incidents at issue were "linked"; SolarWinds was not aware of a coordinated, systemic threat that might have required an update to its risk disclosure.

Post-SUNBURST Disclosures

The court dismissed the SEC's securities fraud and false filings claims that were based on SolarWinds' December 14 and 17, 2020, Form 8-K disclosures related to the SUNBURST attack, holding that the SEC had not adequately pled that the filings were materially misleading.

The SEC alleged that the December 14 Form 8-K was materially misleading because it did not disclose malicious activity reports from SolarWinds' client Palo Alto Networks (PAN) or the U.S. Department of Justice's U.S. Trustee Program (USTP). The SEC alleged that these omissions gave the wrong impression that SUNBURST was a theoretical problem.

In rejecting the SEC's claims, the court considered "perspective and context" to be critical and highlighted that the Form 8-Ks at issue were made in the early stages of SolarWinds' investigation. The court found that the SEC did not allege that any statement in the December 14, 2020, Form 8-K was factually inaccurate, and the SEC did not provide specifics as to how the Form 8-K was misleading for not disclosing the USTP and PAN incidents. The court found that the December 14 Form 8-K "fairly captured the known facts," and the omission of the PAN and USTP incidents was not materially false or misleading.

SolarWinds filed its December 17, 2020, Form 8-K reiterating that it had been a "victim of a malicious cyberattack that impacted our Orion Platform products as well as our internal systems." The SEC again alleged that the December 17 Form 8-K was false or misleading because it did not disclose the USTP and PAN incidents. As with the SEC's arguments regarding the December 14 Form 8-K, the court did not find these incidents to be material omissions.

Internal Controls

Finally, the court dismissed the SEC's various internal controls claims, including claims that defendants violated requirements related to accounting and disclosure controls.

First, the court rejected a novel argument by the SEC that SolarWinds failed to adopt adequate cybersecurity controls as required by Section 13(b)(2)(B)(iii) of the Exchange Act. Section 13(b)(2)(B)(iii) requires companies to "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that … access to assets is permitted only in accordance with management's general or specific authorization." The SEC claimed that SolarWinds violated Section 13(b)(2)(B)(iii) by failing to develop adequate cybersecurity controls to limit access to the company's most important "assets," i.e., its source code, databases and products.

SolarWinds argued and the court agreed that "internal accounting controls" could not be reasonably interpreted to cover a company's cybersecurity controls. The court found that the text of the statute supports that the term "system of internal accounting controls" instead refers to a company's "financial accounting" and could not be broadly construed to include cybersecurity controls.

The court's decision is notable because the SEC recently entered into a settlement agreement with R.R. Donnelley & Sons where the agency used the same broad definition of "internal accounting controls" to claim R.R. Donnelley & Sons violated Section 13(b)(2)(B)(iii) by failing to implement adequate cybersecurity controls. In R.R. Donnelley & Sons, the firm settled the charges by paying a $2,125,000 civil penalty. Given that the SEC recently settled an enforcement action using its broad reading of 13(b)(2)(B)(iii), and the same reading was rejected by the court here, it remains to be seen whether the SEC will continue to assert that this provision of the Exchange Act requires companies to adopt cybersecurity controls.

The court then dismissed the SEC's claims that SolarWinds violated Exchange Act Rule 13a-15(a). Rule 13a-15(a) requires companies to "maintain disclosure controls and procedures" to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the Commission's rules and forms.

The SEC argued that SolarWinds failed to maintain internal disclosure controls sufficient to ensure that information regarding potentially material cybersecurity risks, incidents, and vulnerabilities would be escalated to the executives responsible for disclosures, in violation of Rule 13a-15(a). The SEC claimed that as a result of the ineffective controls, key information related to SUNBURST was not timely communicated to the executives responsible for public disclosures.

SolarWinds' policy was to classify cyber incidents on a severity level scale of "0" (minimal) to "3" (high), with incidents scoring a "2" or higher requiring notification to the responsible executives, including the CEO and CTO. Per SolarWinds policy, "an incident involving 'a security compromise that affects multiple customers, whose impact could have an adverse effect on SolarWinds' reputation, revenue, customer(s), partner(s) or the public' was to be scored a '2' or higher under the IRP, and elevated to SolarWinds' executives for disclosure evaluation." SolarWinds' employees classified the incidents related to USTP and PAN as level "0"; thus, executives were not timely notified. While not taking issue with the incident response plan or the severity rating system, the SEC claimed that SolarWinds maintained inadequate disclosure controls because company personnel did not properly classify those incidents.

The court found that the misclassification of only two incidents was not significant enough to demonstrate that SolarWinds' entire system was deficient. The court noted that errors can happen without systemic deficiencies. The SEC did not claim that SolarWinds' incident response plan frequently yielded errors or that misclassifications of incidents happened on a regular basis and failed to allege a larger, systemic control problem, and, therefore, the claim was dismissed.

Conclusion

The court's decision dismissing most of the SEC's complaint against SolarWinds and Brown is a significant blow to the Commission's cybersecurity enforcement efforts. That said, the SEC undoubtedly continues to see cybersecurity as a major priority, particularly following the issuance of its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule a year ago. We expect the SEC to continue to prioritize cyber enforcement, including by considering charges against CISOs and other company executives related to alleged cybersecurity shortcomings. We will continue to monitor this litigation (a pretrial conference is scheduled for August 14, 2024), including whether the SEC seeks an interlocutory appeal.

[1] Amended Complaint 12 ("To be clear, SolarWinds' poor controls, Defendants' false and misleading statements and omissions, and the other misconduct described in this Amended Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack.")

[3] With respect to securities fraud, the SEC charged SolarWinds and Brown with violations of Section 17(a) of the Securities Act, Section 10(b) of the Exchange Act, and Exchange Act Rule 10b-5. Section 17(a)(1) of the Securities Act expressly prohibits use of any "device, scheme, or artifice to defraud" in the offer or sale of securities. Section 10(b) of the Exchange Act and related SEC Rule 10b-5 prohibit, in connection with the purchase or sale of any security, making any untrue statement of material fact or omitting to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading. Each of these three antifraud provisions requires a showing of "scienter" — i.e., an intent to mislead or defraud.

With respect to the internal controls and false filing allegations, the SEC charged SolarWinds with violations of Sections 13(a) and 13(b)(2)(B) of the Exchange Act, as well as Exchange Act Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15(a), and charged the company's CISO with aiding and abetting those violations.