On July 18, 2024, U.S. District Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York issued a comprehensive 107-page opinion that may have significant implications for the Securities and Exchange Commission’s (“SEC”) enforcement strategy for alleged disclosure and accounting and disclosure controls violations by public companies and their executives. In particular, the decision may affect the Enforcement Division’s efforts to extend the application of existing requirements for public companies to maintain a system of internal controls over financial reporting to cover situations that are not directly related to financial reporting or accounting matters. 

Arising out of a large-scale cyberattack in 2020, the case, SEC v. SolarWinds Corp., has been closely monitored by us, and we previously discussed it in a November 2023 article. In ruling on the IT management software company’s (the “Company”) motion to dismiss, the Court dismissed most of the SEC’s claims against the Company, finding the ones related to the Company’s post-cyberattack disclosures to be based largely on hindsight and speculation, but sustaining claims related to allegedly false statements about cybersecurity practices found on the Company’s website directed at its customers. The opinion provides a noteworthy examination of the SEC’s expansive approach to enforcement under the Exchange Act provisions and SEC rules about internal accounting controls and disclosure controls and procedures, dismissing all of the SEC’s claims that were based on those.

Background and SEC Allegations

The SEC’s enforcement action against the Company, a provider of high-end software solutions to governmental and private entities, and its Chief Information Security Officer (“CISO”), stemmed from a series of alleged violations of both the Securities Act and the Exchange Act.

• Allegedly Misleading Statements About Cybersecurity Practices. The SEC alleged that the Company and its CISO engaged in fraudulent conduct by making material misrepresentations and misleading omissions in various disclosures about the Company’s cybersecurity practices and associated risks. The relevant disclosures were contained in a so-called “Security Statement” that the company had posted to its website to inform its customers about its security infrastructure, the Company’s IPO registration statement, and press releases, podcasts, and blog posts. The SEC argued that the Company was aware of its susceptibility to cyberattacks and that it “misleadingly touted its cybersecurity practices and products,” while it was allegedly well aware that its cybersecurity apparatus was in fact deeply flawed.
• Allegedly Misleading Cybersecurity Risk Disclosures. The SEC also claimed that the Company’s cybersecurity risk factor disclosures, originally made in its IPO registration statement and later incorporated in annual and quarterly reports, concealed the gravity of the cybersecurity risks that the company faced. Specifically, the SEC faulted those disclosures as being unacceptably generic and as omitting mention of two cybersecurity incidents experienced by the Company’s customers.
• Allegedly Misleading Statements About Cyberattack. The SEC further claimed that the Company’s two Current Reports on Form 8-K, filed immediately after revelation of a major cyberattack in 2020, fraudulently minimized the scope and severity of the attack.
• Alleged Failure to Maintain Accounting Controls. Moreover, the SEC alleged that the gaps in the Company’s cybersecurity violated Section 13(b)(2)(B) of the Exchange Act, which requires public companies to maintain a system of internal accounting controls sufficient to provide reasonable assurances that, among other things, access to assets is permitted only in accordance with management’s authorization.
• Alleged Failure to Maintain Disclosure Controls. Finally, the SEC also accused the Company of having ineffective “disclosure controls and procedures,” in violation of Exchange Act Rule 13a-15(a), primarily based on the allegation that the Company internally misclassified the severity level of prior cybersecurity incidents and therefore failed to elevate those incidents for disclosure evaluation by senior executives.

Both the Court and the SEC recognized that “this case [was] the first in which it has brought an accounting control claim based on an issuer’s cybersecurity failings.” It also represented the first time the SEC used the heightened standard of Rule 10b-5 to police the company’s disclosures regarding a cyberattack, necessitating a demonstration of scienter—proof that the statements were made either intentionally or with reckless disregard. Historically, the SEC has pursued companies that experienced data-breaches under the premise that the corporate entity acted negligently in relation to their disclosures following the attack.

Court’s Analysis and Findings

Judge Engelmayer’s opinion largely dismissed the fraud allegations. He specifically criticized the SEC’s claims faulting the Company’s Form 8-K disclosures in the immediate aftermath of its discovery of the large-scale cyberattack for being speculative and based on hindsight. The Company’s first Form 8-K reporting the attack disclosed that the attack had inserted a vulnerability within one of the Company’s monitoring software and that up to 18,000 customers may have installed the software. The opinion highlighted that those disclosures were made at a time when the Company was at an early stage of its investigation into the cyberattack, a time when its understanding was still developing. Consequently, the Court determined that the statements could not have been false or misleading because the relevant information only became known after the disclosure was made. Additionally, the Court held that the Company did not have a duty to disclose the existence of earlier malicious activity reports from two of its customers related to the monitoring software because the 8-K disclosure about the breach of the Company’s systems related to the monitoring software, read in its totality, did not imply that the vulnerability had not yet been experienced by a customer.

The Court also dismissed the claims related to the Company’s statements about its cybersecurity in press releases, blog posts, and podcasts, labeling them as non-actionable corporate puffery that were too general to cause a reasonable investor to rely upon them. Similarly, the Company’s cybersecurity risk disclosures were deemed not to have been plausibly pled as materially false or misleading. The Court disagreed with the SEC’s claim that the risk disclosures were unacceptably boilerplate and generic, stating that the disclosures were sufficient to alert investors of the type and nature of the cybersecurity risks. Importantly, the Court also stated that spelling out a risk with maximal specificity might backfire, as it could furnish malevolent actors with information that they might use to exploit the Company. The Court also held that the Company was not required to disclose the existence of two specific incidents because the disclosure made clear the occurrence of an incident was likely.

However, the SEC’s allegations that the Company’s Security Statement was materially false or misleading was allowed to proceed. The Court found that there was a basis to find that the Statement inaccurately portrayed the Company as adhering to sophisticated cybersecurity controls and industry best practices, whereas, in reality, according to the SEC’s allegations based on internal company communications, the Company’s cybersecurity measures were deficient, characterized by weak passwords and unrestricted administrative access.

Pushback Against SEC’s Broad Interpretation of Internal Controls and Disclosure Controls

The Court’s dismissal of the claims regarding the Company’s internal accounting and disclosure controls is particularly noteworthy. The Company had argued that the SEC’s authority to regulate a company’s “system of internal accounting controls,” could not reasonably be construed to cover a company’s cybersecurity controls over passwords and VPN protocols. Judge Engelmayer concurred, finding that the SEC’s “reading [of the internal control requirement] is not tenable.” The Court reasoned that “accounting” controls refer to a company’s financial accounting, which records business and financial transactions. Judge Engelmayer’s opinion clarified that, “a cybersecurity control does not naturally fit within this term, as a failure to detect a cybersecurity deficiency (e.g., poorly chosen passwords) cannot reasonably be termed an accounting problem.” The Court emphasized the importance of cybersecurity controls but asserted that they are not designed to prevent and detect errors within a company’s financial accounting systems.

The SEC cited SEC v. CavcoIndustries Inc., WL 1491279, at *4 (D. Ariz. Jan. 25, 2022) to support its interpretation. There, a court endorsed the SEC’s interpretation of “internal accounting controls” to include failures in adhering to insider trading policies. However, Judge Engelmayer distinguished the cybersecurity controls in SolarWinds from the internal policies in Cavco Industries, which directly pertained to safeguarding the integrity of financial transactions (in that case, the investment of the company’s surplus cash).

The second counter argument proposed by the SEC contended that the agency “needs authority to regulate cybersecurity controls under Section 13(b)(2)(B)” to ensure adequate controls are in place safeguarding access to assets. However, the SEC’s argument did not address the critical limiting word in the statute, which restricts application to only internal accounting controls. Judge Engelmayer found that the explicit terms of Section 13(b)(2)(B) cannot govern “every internal system a public company uses to guard against unauthorized access to its assets.” Section 13(b)(2)(B) can only regulate those systems which qualify as “internal accounting controls.” The Court concluded that the SEC’s expansive reading of the statute was not supported by the statutory text, legislative history, or the statute’s intended purpose. As a result, the Court dismissed the complaint’s internal accounting control claims against the Company.

The Court also dismissed the claim based on the Company’s alleged failure to maintain disclosure control and procedures. It found the SEC’s allegation that the Company misclassified two prior incidents at a low severity level and thus prevented them from being evaluated for potential disclosure was insufficient to plead any deficiency in the construction of the disclosure controls as such. The Court found that the Company’s Incident Response Plan (“IRP”) was entirely capable of ensuring that relevant information was reported to appropriate individuals within a reasonable time. The Court importantly noted that errors in application of disclosure control system can happen, and these errors do not mean there are deficiencies in the disclosure controls. In addition, the Court disagreed with the SEC’s premise that the alleged fact that the two earlier incidents should have been classified at a higher severity level when initially discovered, dismissing the SEC’s claims in that regard as based on hindsight.

The dismissal of the SEC’s internal accounting controls charge is also significant because on June 18, 2024, the SEC announced a settled enforcement action against a communications company for an alleged failure to maintain internal accounting controls based on a similar legal theory. There, the company allegedly failed to execute a timely response to a ransomware network intrusion, which culminated in encryption of computers, exfiltration of data, and business service disruptions. The SEC argued that the incident constituted an actionable failure to maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to the communications company’s assets—its information technology systems and networks, which contained sensitive business and client data—was permitted only with management’s authorization. The SEC also alleged a failure to maintain disclosure controls, asserting that R.R. Donnelley’s cybersecurity procedures were not designed to ensure all relevant information relating to alerts and incidents was reported to the communications company’s disclosure decision-makers in a timely manner. The communications company agreed to pay $2.125 million to settle that action.

Conclusion

While the case is a significant win for the Company and a setback for the SEC, it will by no means end the SEC’s focus on cybersecurity disclosures. Indeed, new rules from the SEC, adopted last year, obligate public companies to report cybersecurity incidents in a Form 8-K no later than four business days after the company determines the incident to be material. Also, companies are now required to provide comprehensive details about their cybersecurity risk management strategies in their annual Form 10-K filings. The increased frequency and detail of these disclosures are likely to result in the SEC continuing to leverage Rule 10b-5 in similar contexts. The decision is also a useful reminder that not only disclosures contained in SEC filings or other communications to the securities market, but also public statements aimed primarily at customers, such as those in a customer-focused section of a company’s website, are subject to the antifraud rules of the securities laws and can give rise to liability if they are found to be materially false or misleading.

Although the Court rejected the SEC’s claims that the Company’s disclosure of its cybersecurity risk profile lacked the necessary specificity for investors to fully appreciate the scope of the risks and that the Company was required to cite to the occurrence of specific incidents of a breach, we do not believe this means that companies should change their approach to cybersecurity risk disclosures. The Court’s decision, while helpful in outlining a moderating perspective on cybersecurity risk disclosures, was very fact-specific and may not necessarily have broad application.

The decision reflects a significant challenge to the Enforcement Division’s growing reliance on an expansive and aggressive interpretation of what constitutes a violation of internal and disclosure controls requirements to drive settlements. While the Court rejected the SEC’s expansive interpretation of the internal accounting controls provisions of the Exchange Act to include cybersecurity safeguards, we anticipate that the SEC will persist in concentrating on companies’ internal and disclosure controls as part of its investigations.

[View source.]