On July 18, 2024, Judge Paul A. Engelmayer in the US District Court for the Southern District of New York issued a 107-page opinion dismissing most of the claims against software company SolarWinds and its chief information security officer (CISO) in an enforcement action brought by the US Securities and Exchange Commission (SEC) for disclosures related to cybersecurity and a 2020 Russia-linked cyberattack known as SUNBURST. There are multiple takeaways from the opinion for public company counsel, CISOs and the defense bar:
- The internal controls statute in the Securities and Exchange Act of 1934 (Exchange Act) is limited to accounting controls.
- With investment in reasonably designed and executed policies and procedures, isolated process lapses do not support disclosure-control violations.
- In court, the SEC will face difficulty attempting to second-guess otherwise robust incident disclosures.
- Courts may not view risk disclosures as a catch-all hook for securities fraud claims.
- Notwithstanding the defense victories, serious risks remain for companies, their CISOs and other officers.
Given the continued enforcement interest in this space, as well as new cybersecurity reporting rules, issuers should remain diligent and invest in process and controls. That effort requires careful coordination between securities practitioners and cybersecurity experts.
IN DEPTH
THE FACTS
SolarWinds is a public company that designs and sells IT management software. In late 2019, threat actors gained access to the company’s system and inserted malicious code into a SolarWinds platform, creating a “backdoor into the network environments” of 18,000 SolarWinds customers, including federal and state government agencies and more than 1,500 publicly traded companies, banks, broker-dealers, accounting firms and other SEC-regulated entities. Threat actors then engaged in a series of cyberattacks targeting SolarWinds’ platform and customers, culminating in a large-scale cyberattack known as SUNBURST in December 2020.
In 2023, the SEC filed a litigated action against SolarWinds and its CISO alleging:
- SolarWinds made false and misleading public statements about its cybersecurity.
- SolarWinds made materially false statements in its Form 8-K disclosures following the SUNBURST attack, including by omitting previous cybersecurity incidents from the disclosure.
- SolarWinds’ deficient internal cybersecurity controls violated Exchange Act Section 13(b)(2)(B)’s requirement to “devise and maintain a system of internal accounting controls.”
Given the SEC’s aggressive pursuit of a corporate victim of a cyberattack perpetrated by a nation-state adversary and its decision to charge a CISO, the SolarWinds action has been closely watched.
THE COURT’S DECISION
(1) Fraud Claims Based on Public Disclosures
The SEC pursued securities fraud claims under Section 10(b) of the Exchange Act, Rule 10b-5, and Section 17(a) of the Securities Act of 1933. The securities fraud claims were brought under two theories: misrepresentation liability and scheme liability. Generally speaking, misrepresentation liability requires the SEC to show that, in connection with the purchase or sale of a security, the defendant, acting with scienter, made a material misrepresentation or misleading omission. Scheme liability requires showing that the defendant committed a manipulative or deceptive act in furtherance of the alleged scheme to defraud, with scienter.
Evaluating a motion to dismiss, the district court held that the SEC sufficiently pleaded securities fraud under both the misrepresentation and scheme liability theories as to a security statement (Security Statement) that described SolarWinds’ cybersecurity practices and was published on the SolarWinds website and disseminated to its customers. The court dismissed the securities fraud claims as to the other public statements, holding they were too generalized to mislead investors:
- Security Statement: The court concluded that the SEC adequately alleged that the Security Statement included material misrepresentations that SolarWinds had, inter alia, strong password protections and maintained good access controls. The court found, however, that “the company fell way short of even basic requirements of corporate cybersecurity health. Its passwords – including for key products – were demonstrably weak and the company gave far too many employees unfettered administrative access and privileges, leaving the door wide open to hackers and threat actors.” Importantly, the court rejected the defendants’ suggestion that a statement could not be actionable because it was directed at customers, not investors. According to the court, it is well established that false statements on public websites can sustain securities fraud liability. The court also imputed scienter from the CISO to SolarWinds, noting that the CISO was privy to internal information contradicting the Security Statement’s representations both as to the company’s access controls and compliance with the password policy, but nevertheless approved and disseminated the Security Statement.
- Cybersecurity Risk Disclosure: Significantly, the court dismissed the SEC’s fraud claims based on SolarWinds’ cybersecurity risk disclosures made in its 2018 Form S-1 registration statement and incorporated by reference in later SEC filings. The SEC argued the disclosures contained boilerplate language that concealed the gravity of the cybersecurity risks that SolarWinds faced, and that SolarWinds had a duty to update its risk disclosure in light of the cybersecurity incidents preceding SUNBURST. The court dismissed the claims, finding that the disclosure detailed “unique risks” that warned investors about the serious threat of cyberattacks. The court also found that SolarWinds was not obligated to update its risk disclosures following the cybersecurity incidents due to the uncertain significance of the incidents at the time.
- Other Public Statements: The court rejected the SEC’s securities fraud claims based on company-approved press releases, blog posts and podcasts. For example, a December 12, 2019, press release posted on the SolarWinds website promised commitment “to high security standards, which its partners rely on to help keep the systems they manage secure and compliant.” The court found this statement, and others, to be non-actionable puffery lacking the level of detail at which a reasonable investor would rely on them to make investment choices.
(2) False Filing Claims
The SEC brought false filing claims under Section 13(a) of the Exchange Act and Exchange Act Rules 12b-20, 13a-1, 13a-11 and 13a-13. These provisions require filing complete, accurate and timely reports to the SEC. To plead reporting violations, the SEC need not allege scienter.
The SEC alleged that SolarWinds’ Forms 8-K initially disclosing the SUNBURST attack were materially misleading because SolarWinds failed to disclose preceding cybersecurity incidents. The SEC argued that the language in the Forms 8-K was misleadingly theoretical; for example, the Form 8-K stated that the cybersecurity vulnerability, “if present and activated, could potentially allow an attacker to compromise” the SolarWinds platform. The SEC argued that the earlier cybersecurity incidents demonstrated that SolarWinds and its CISO allegedly knew that the cybersecurity vulnerability was no longer theoretical when the Forms 8-K were issued.
The court rejected this argument as to both SolarWinds and its CISO. The court emphasized the short time – two days – between discovery of the SUNBURST attack and the Form 8-K disclosures and took a more holistic, pragmatic approach to the ultimate message of the disclosures, finding that they “by any measure bluntly reported brutally bad news for SolarWinds,” based on what SolarWinds and its CISO knew when filing.
(3) Internal Controls Claims
The court rejected the SEC’s claims that SolarWinds violated both the internal accounting controls and disclosure controls provisions – provisions the SEC increasingly has employed in various settled actions, including actions involving cybersecurity incidents:
- Section 13(b)(2)(B): The SEC alleged that SolarWinds’ cybersecurity controls violated Section 13(b)(2)(B) of the Exchange Act. Section 13(b)(2)(B) requires that public companies “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that … access to assets is permitted only in accordance with management’s general or specific authorization.” The court reasoned that Section 13(b)(2)(B) applies only to internal financial accounting controls and cannot be construed to cover cybersecurity controls. The court based its conclusion on (i) the plain meaning of “internal accounting controls,” finding that “a cybersecurity deficiency … cannot reasonably be termed an accounting problem”; (ii) the surrounding terms in Section 13(b)(2)(B), which refer to, inter alia, “transactions,” “preparation of financial statements,” “generally accepted accounting principles,” and “books and records”; (iii) the lack of evidence of congressional intent that the provision reach cybersecurity controls; and (iv) that courts interpreting the provision consistently found it addresses financial accounting. The court rejected the SEC’s argument that it needs authority to regulate cybersecurity controls because deficiencies can expose a company’s core assets to damages or destruction. The court stated the SEC’s rationale “would have sweeping ramifications” and allow it to regulate everything from background checks used in hiring nighttime security guards to the lengths and configurations of computer passwords, which “cannot be squared with the statutory text.”
- Rule 13a-15(a): The SEC alleged that SolarWinds had ineffective disclosure controls in place in violation of Rule 13a-15(a) based primarily on the allegation that the company internally misclassified two earlier cybersecurity incidents. Rule 13a-15(a) requires public companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed in their SEC filings is recorded, processed, summarized and reported within specified time periods. The court held that the SEC did not plead a viable disclosure controls claim because (i) SolarWinds had a system of controls in place to facilitate the disclosure of potentially material cybersecurity risks and incidents and the SEC did not plead that there was any deficiency in the construction of this system; and (ii) the SEC did not adequately plead that two prior cybersecurity incidents were misclassified, as the company investigated both promptly and, based on the information available at the time, the company did not determine that it had been the victim of an incident affecting multiple customers.
KEY TAKEAWAYS
The court’s decision offers varied lessons to be learned with respect to the future defense of cybersecurity events:
- Notably, the court rejected the SEC’s first-ever attempt to litigate an “internal accounting controls” claim under Section 13(b)(2)(B) of the Exchange Act for deficient cybersecurity controls. The ruling could undermine the SEC’s ongoing efforts to use internal controls as a “Swiss Army statute.” In recent years, the internal accounting provision has become a darling of SEC enforcement actions, given its perceived flexibility and lower state-of-mind threshold. Most recently, R.R. Donnelley agreed to pay more than $2 million to settle alleged disclosure and internal control failure violations relating to cybersecurity incidents and alerts. In rejecting the settlement, and others like it, dissenting SEC Commissioners observed that the SEC has used the internal accounting controls provision as “a multi-use tool handy for compelling companies to adopt and adhere to policies and procedures that the Commission deems good corporate practice.” Echoing this sentiment, the court rejected the SEC’s argument that it has authority to regulate cybersecurity controls simply because deficiencies can expose a company’s core assets to damages or destruction.
- The court also rejected the SEC’s effort to convert a handful of isolated process lapses into disclosure control violations. The court relied in significant part on the adequacy of a systemic cybersecurity disclosure process. Investment in the design and execution of internal cybersecurity reporting processes thus may overcome hindsight claims that a public company misjudged the significance of, and failed to disclose, cybersecurity incidents.
- The court dismissed the SEC’s claims that SolarWinds’ Form 8-K reporting in the aftermath of the cyberattack was misleading for failing to disclose prior cybersecurity incidents. This aspect of the decision provides some comfort to public companies issuing meaningful disclosures of cybersecurity events before all information is known – a task made more challenging given the SEC’s new disclosure requirements.
- In a similar way, the decision limited the SEC’s ability to use otherwise tailored risk disclosures as a basis for securities fraud claims. The SEC attempted to argue that risk disclosures were incomplete because they failed to identify specific cybersecurity incidents that the SEC viewed as important in hindsight.
- Although the court rejected several of the SEC’s more aggressive arguments, the primary fraud claim against SolarWinds and its CISO survived. The court found that the SEC adequately pleaded securities fraud claims alleging that the Security Statement posted on SolarWinds’ website and disseminated to customers by the CISO misrepresented the company’s cybersecurity hygiene. SolarWinds was an early test case for individual actions. The failure to obtain outright dismissal means that CISOs and other officers remain exposed to future SEC actions and securities litigation.
PRACTICAL CONSIDERATIONS FOR PUBLIC COMPANIES
The SolarWinds decision reinforces the wisdom of continued investment in policies and procedures surrounding cybersecurity reporting. Among other considerations:
- Public companies and CISOs still face significant risks. Despite the trimming of the SEC’s claims, the court found that a CISO involved in public statements can face exposure under the federal securities laws. CISOs need to understand their potential liability as officers and ensure that there are no discrepancies between concerns raised internally and statements made externally, particularly with respect to any such statements they approved or were made aware of. The SEC’s new regulations, past enforcement actions, and agency pronouncements are important guideposts for that evaluation.
- Practically speaking, public companies should align public disclosures of cybersecurity practices and incidents with board reporting, and board reporting with senior officer reporting. The SEC and private litigants seek to exploit gaps in the chain between front-line cybersecurity staff and public filings. Reasonably designed and executed disclosure controls should support that reporting chain.
- More specifically, when companies, particularly technology companies, make dedicated or prominent public statements about their cybersecurity practices, including website statements, they should consider an internal assessment to ensure that any public representations of specific cybersecurity practices (e.g., password and access controls, encryption, network monitoring and secure file sharing) align with internal practices and findings. Companies should work with counsel to evaluate whether to conduct the internal assessment under attorney-client privilege and how to document the assessment findings for use in potential investigations and litigation. Companies also should be aware that public disclosures about data security controls are likely to be scrutinized by other regulators, including the Federal Trade Commission and state attorneys general.
- Public companies should continue to draft tailored risk disclosures when possible, avoiding boilerplate that can be criticized in SEC investigations and private litigation. Issuers also should consider whether particular, significant events mean that the risk already has emerged and should be acknowledged.
- When a company prepares a Form 8-K disclosing a material cybersecurity incident, the company should ensure that the disclosure adequately describes the seriousness and scope of the incident. Although the court here found that it was not misleading for the company not to disclose prior related cybersecurity incidents, companies should consider the significance of any prior incidents. In July 2023, the SEC adopted rules and amendments that impose new cybersecurity-related disclosure requirements for public companies. Additional information on the new rules can be found here.
Whichever party prevails in the national election, we expect continued emphasis by the SEC in the cybersecurity space, which has been championed by both major parties and is considered vital to national security interests.