A New Your federal district judge handed down a significant decision dismissing much of the SEC’s securities fraud enforcement action against SolarWinds arising from its claims relating to SolarWinds’ cybersecurity policies, and disclosure of a significant cyberattack against the SolarWinds’ network.

In an unprecedented case, the SEC alleged that SolarWinds, which went public in 2018, mislead the public as to the effectiveness of its cybersecurity practices and products, including its flagship “Orion” software platform.  In a “Security Statement” on its website, and in a variety of other public statements, including securities filings, the SEC argued that SolarWinds filings were misleading because SolarWinds failed to disclose that its products and practices were defective in protecting against cyberattacks.  The SEC contended that the company’s hype misled the investing public to believe that SolarWinds’ central software product had minimal vulnerability to cyberattacks.

Also, the SEC alleged that SolarWinds misled the investing public about a series of cyberattacks, which culminated in the revelation, in December 2020, that the company and its customers had been victims of a large-scale cyberattack, known as Sunburst, conducted by Russian hackers. The SEC claimed that, in the aftermath of the Sunburst’s immediate aftermath, SolarWinds minimized the scope and severity of the attack, including by omitting that customers had previously reported similarly malicious activity involving the Orion product.

SolarWinds’ Security Statement

As to the first claim, the pre-Sunburst disclosures contained in the Security Statement, U.S. District Judge Paul Engelmayer upheld the charges because the violation is “viably pled as materially false and misleading in numerous respects.

With respect to the second claim, the post-Sunburst disclosures, Judge Engelmayer dismissed all the claims because the SEC did not “plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack,” and found that the SEC claims “impermissibly rel[ied] on hindsight and speculation.”

Finally, the Court dismissed all SEC claims that SolarWinds’ internal accounting and disclosure controls were ill-plead as applied to its cybersecurity controls.

The SEC’s case, filed last year, alleges that SolarWinds knew as early as 2017 that its cybersecurity practices were well below industry standards but issued various statements reassuring customers and investors that its cybersecurity practices were acceptable. 

In upholding the SEC’s case challenging SolarWinds’ Security Statement, the Court found that the statement “misleadingly touted SolarWinds’ access controls as strong.” In fact, as the SEC alleged, SolarWinds was well aware of deficiencies and weaknesses in its cybersecurity controls. In particular, the Court cited evidence establishing that SolarWinds officials were well aware of deficiencies in its access controls, and at the time SolarWinds went public, these glaring omissions were known by numerous officials and employees in the company.

The Security Statement also misrepresented SolarWinds’ materially misrepresented to the public that SolarWinds enforced a strong password policy. In fact, the SEC alleged that SolarWinds’ stated password policy was generally not enforced. Instead, employees routinely used simple, unencrypted passwords with respect to products and internal systems, compounding SolarWinds’ vulnerability to intrusion by threat actors.

SolarWinds’ S-1 Cybersecurity Disclosures

The Court rejected the SEC’s claims that SolarWinds’ Form S-1 cybersecurity disclosures were deficient.  As the Court found, “Viewed in totality, this risk disclosure was sufficient to alert the investing public of the types and nature of the cybersecurity risks SolarWinds faced and the grave consequences these could present for the company’s financial health and future.”

The Court noted that:

SolarWinds’ cybersecurity risk disclosure, reproduced in full above, enumerated in stark and dire terms the risks the company faced were its cybersecurity measures to fail. Although a reasonable investor could easily have been led astray by the Security Statement, such an investor could not have been misled by the risk disclosure.

In rejecting the SEC’s claims that SolarWinds should have updated its disclosures to reflect two specific cyber incidents, Judge Engelmayer noted that the SEC’s case rested too heavily on “hindsight and speculation” because the evidence established that SolarWinds’ disclosure was made at the time in the “early stage of its investigation” of these incidents.

Judge Engelmayer also rejected the SEC’s post-Sunburst attack claims of fraud and false filing claims based on SolarWinds’ Form 8-Ks, in which it disclosed the Sunburst attack.  The Court ruled that:

[The SEC] does not plead with particularity that the Form 8-K which by any measure bluntly reported brutally bad news for SolarWinds was misleading for not disclosing [two prior incidents]. ‘Silence, absent a duty to disclose, is not misleading, ‘, and ‘[d]isclosure of … information is not required …simply because it may be relevant or of interest to a reasonable investor,’ In re Braskem S.A. Sec. Litig., 246 F. Supp. 3d 731, 752 (S.D.N.Y. 2017).

Internal Accounting Controls and Cybersecurity Policies and Procedures

In dismissing the SEC’s internal controls claims — the SEC’s first reliance on the internal controls provision based on SolarWinds’ cybersecurity failures — the District Judge rejected use of the internal controls provisions to a company’s cybersecurity’s controls under the securities laws. 

Specifically, the Court stated:

As a matter of statutory construction, that reading is not tenable. In various respects, the text of the statute strongly supports that the term “system of internal accounting controls” instead refers to a company’s financial accounting. The term “accounting” is widely defined in this manner-for example, as “the system of recording and summarizing business and financial transactions and analyzing, verifying, and reporting the results.” Accounting, Merriam-Webster Dictionary, https://www.merriam-webster.com/dictionary/accounting (emphasis added). The SEC has not identified any dictionary definition favoring its construction. And the surrounding terms that Congress used in Section 13(b)(2)(B)- which refer, inter alia, to “transactions,” “preparation of financial statements,” “generally accepted accounting principles,” and “books and records”-are uniformly consistent with financial accounting. See Yates v. United States, 574 U.S. 528 (2015) (“[W]e rely on the principle of noscitur a sociis- a word is known by the company it keeps-to ‘avoid ascribing to one word a meaning so broad that it is inconsistent with its accompanying words, thus giving unintended breadth to the Acts of Congress.”)

The Court’s decision is the first on this topic and probably not the last.  The SEC’s expansive use of its internal controls provision for non-financial accounting purposes is a significant limitation to the SEC’s application of this important provision used in enforcement of securities laws.