On July 18, a New York federal judge threw out most of the SEC’s claims brought against both SolarWinds Corp. and the company’s chief information security officer (CISO), Timothy Brown. The judge will still allow the SEC to argue that SolarWinds and Brown committed securities fraud in the months leading up to a cybersecurity breach.

The SEC’s action stems from the massive security incident experienced by SolarWinds, and throughout its downstream supply chain, spanning from 2019 through 2021. SolarWinds is a software company with products used extensively in both public and private sectors. The SEC alleged in its initial complaint that both SolarWinds and Brown defrauded investors by disclosing only "generic and hypothetical" cybersecurity risks in SolarWinds' 2018-2020 SEC filings and materially misrepresented the state of SolarWinds' cybersecurity standards in its security statement. The SEC originally sought an officer and director bar (which would have prohibited Brown from serving as an officer or director of a public company) and $700,000 in civil penalties against Brown as well as $2.5 million in penalties against SolarWinds.

This was the SEC’s first cybersecurity enforcement action against a corporate executive, following the Department of Justice’s successful lawsuit against Joseph Sullivan, Uber’s former chief security officer. And it is the SEC’s first use of intentional fraud charges in a cybersecurity disclosure case. Gurbir Grewal, director of the SEC’s Division of Enforcement, stated that the "enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s 'crown jewel' assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns."

The court’s decision to dismiss the SEC’s claims that SolarWinds' Form 8-K disclosures were materially misleading (among other claims) dealt a large blow to the SEC’s recent attempts at policing cybersecurity incidents. Still, it remains an important lesson about how CISOs communicate with company teams and the public, especially at public companies.

While SolarWinds may have experienced partial success in this action brought by the SEC, SolarWinds agreed to pay $26 million to settle a securities class action brought by shareholders back in late 2022.

How the Court Ruled in SEC’s Case Against SolarWinds

The court broke its decision out into what it called "pre-SUNBURST disclosures" and "post-SUNBURST disclosures" by SolarWinds, referring to the name of the large-scale cyberattack believed to have been conducted by state-sponsored hackers in Russia. The SEC’s security fraud claims related to the pre-SUNBURST disclosures survived the motion to dismiss as the court found that the SEC had sufficiently pleaded that the company’s pre-SUNBURST security statement was "materially false and misleading in numerous respects." The court dismissed all other claims related to SolarWinds' pre-SUNBURST statements, holding that the statements were not materially false and standard "corporate puffery, too general to cause a reasonable investor to rely upon them."

Regarding post-SUNBURST Form 8-K filings, the court dismissed all claims, according to the 107-page ruling. "These do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack," the judge wrote. "The [SEC’s pleadings] impermissibly rely on hindsight and speculation." The SEC claimed that SolarWinds and Brown’s failure to implement proper cybersecurity controls violated the Securities Exchange Act’s "system of internal accounting controls" requirement. The court strongly denounced this novel interpretation, finding that this provision of the act only covered financial accounting and that the SEC’s reading would require Congress to have "empowered the agency to regulate everything from padlocks on storage sheds to the safety measures at water parks."

In allowing the pre-SUNBURST security fraud charges to stand, the judge cited Brown’s internal communications as evidence that Brown should have known that the security statement was misleading. The court went one step further as well, holding that "given his position as vice president of security and architecture, his duty to monitor SolarWinds' cybersecurity, and his role as the company’s cybersecurity spokesperson, the only rational inference is that Brown knew of them,” making his approval of the security statement "extreme misconduct."

In the opinion, the court found that the SEC "plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls." These misrepresentations, the judge wrote, were "undeniably material" given the "centrality of cybersecurity to SolarWinds' business model as a company pitching sophisticated software products to customers for whom computer security was paramount."

Takeaways for Companies on Cybersecurity Practice and Risk Reporting

The court’s ruling in SolarWinds, coupled with the SEC’s new cybersecurity disclosure rules and recent enforcement actions, are important reminders for companies about cybersecurity disclosure requirements. The SEC increasingly views individuals in leadership as responsible, and thus liable, for the accuracy of any representations made both internally and in public filings regarding a company’s cybersecurity. With a potential penalty of up to $100,000 per violation for individuals (and up to $500,000 per violation for companies), these charges underscore how imperative it is that CISOs and other leaders remain vigilant regarding communications, disclosures, and cybersecurity reviews.

The main takeaways for companies, their boards, and information security leaders include:

• Companies and their leadership can limit the risk of misinterpreted external and internal communications being used against them by engaging legal counsel early and often, establishing procedures to align public statements with discoverable internal communications.
• The surviving claims indicate that courts and the SEC consider public facing cybersecurity statements, whether in public filings or posted on a company’s website, as material and that the agency is exploring all possible avenues of expanding the enforcement risk for entities and individuals in the public entity space.
• Public company boards should involve their CISO and legal counsel as early as possible when making public facing cybersecurity statements. It is essential for both the board and the CISO to have a proper understanding of any cybersecurity risks faced by the company prior to disclosure. Companies, boards, and information security leaders can get ahead of this curve by ensuring all cyber policies, escalation, and response procedures are compliant today, instead of waiting until after a security incident.

[View source.]