The U.S. District Court for the Southern District of New York on July 18, 2024, dismissed most of the SEC’s landmark cyber enforcement litigation against SolarWinds Corp. (SolarWinds or the Company) and the Company’s Chief Information Security Officer (CISO) Timothy Brown. In a 107-page opinion in Securities and Exchange Commission v. SolarWinds Corp. & Timothy G. Brown, Judge Paul Engelmayer rejected the SEC’s efforts to expand the Securities Exchange Act’s “internal accounting controls” provision to encompass an issuer’s cybersecurity controls. The court also restrained the SEC’s use of the Exchange Act’s “disclosure controls and procedure” provision where disclosure controls existed and systematic failures were not alleged. Rather, the court found that innocent errors are “an inadequate basis” on which to plead deficient disclosure controls. The court also dismissed the SEC’s material misrepresentation claims because they relied on hindsight and speculation. In the end, only a subset of the SEC’s material misrepresentation claims, which were associated with the Security Statement published on the Company’s website, survived as the case proceeds toward discovery.
As discussed in our earlier articles on this case (Part 1 and Part 2), the SEC has been pursuing cybersecurity investigations and enforcement actions aggressively against issuers on two primary theories: 1) The company made material misrepresentations in its disclosures about cybersecurity risks or concerning a material cybersecurity incident and 2) The company maintained deficient disclosure and/or internal controls to ensure material cybersecurity risks are timely and accurately assessed and disclosed by appropriate decision-makers.
The court recognized that the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules (SEC Cybersecurity Rules) were not implicated because the alleged conduct predated the rules’ effective date. Nevertheless, this decision is significant because it effectively eliminates internal controls violations, and limits disclosure controls violations, as a basis for SEC cyber enforcement actions. Additionally, the decision may reduce the SEC’s ability to second-guess disclosures made by companies, and it could have significant implications for public companies and foreign private issuers concerning their reporting obligations under the SEC Cybersecurity Rules.
Background
As more specifically discussed in our earlier articles, SolarWinds is a software development company with a flagship network monitoring and management product known as the Orion Platform (Orion). In late 2017, SolarWinds posted a Security Statement on its website describing its cybersecurity posture, which remained virtually unchanged thereafter.
As early as January 2019, suspected nation-state actors exploited a vulnerability to gain unauthorized access to SolarWinds’ systems and subsequently inserted malicious code into the Orion software builds for three product updates, which allowed the attackers to gain access to the systems of SolarWinds customers who installed those versions of Orion. This became known as the SUNBURST attack.
In 2020, SolarWinds was notified separately by the executive office of the U.S. Trustee Program (USTP) and Palo Alto Networks (Palo Alto) of suspicious activity observed in association with Orion; however, SolarWinds was unable to determine the root cause of either incident. On Dec. 14, 2020, two days after the cybersecurity firm Mandiant notified SolarWinds of malicious activity associated with Orion and identified the malicious code within the Orion software, SolarWinds filed a Form 8-K detailing the SUNBURST attack. On Jan. 11, 2021, SolarWinds filed another Form 8-K disclosing that it had identified two prior customer incidents (i.e., USTP and Palo Alto) that it believed to be related to the SUNBURST attack.
The SEC filed a complaint against SolarWinds and Brown in 2023 and, on Feb. 16, 2024, the SEC filed an amended complaint (Complaint) charging the defendants with violations of the scienter-based antifraud provisions of the federal securities laws, violations of disclosure controls and violations of internal controls. The Complaint claimed that SolarWinds and Brown made material misrepresentations and omissions concerning their cybersecurity program and associated risks. The SEC also alleged that SolarWinds, aided and abetted by Brown, failed to maintain disclosure controls concerning cybersecurity risks and internal accounting controls due to the lack of effective cybersecurity safeguards. In their joint motion to dismiss, SolarWinds and Brown took an aggressive posture and challenged the SEC’s claims on all counts.
The Court’s Opinion
The Internal Controls Provision Does Not Encompass Cybersecurity Controls
Exchange Act Section 13(b) requires companies to maintain a system of “internal accounting controls” sufficient to provide reasonable assurances that access to assets is permitted only in accordance with management’s general or specific authorization.1 The SEC alleged that SolarWinds violated this provision because the Company had deficient cybersecurity access controls.2 The defendants countered that the SEC reads the word “accounting” out of internal accounting controls.
The court found that the defendants were “clearly correct.” Not only does the plain language of the provision refer to a company’s financial accounting, but the few courts that have construed the term “internal accounting controls” under Section 13(b) have consistently read it to address financial accounting. The court held that the word “accounting” critically delimits the statute’s reach, which “does not govern every internal system a public company uses to guard against unauthorized access to its assets, but only those qualifying as ‘internal accounting’ controls.” (emphasis in original).
The court also looked at the history and purpose of the statute noting that Congress’ explicit purpose was to provide reasonable assurance that transactions were recorded appropriately to permit the preparation of financial statements in conformity with accounting principles. Thus, the court concluded that “cybersecurity controls are outside the scope of Section 13(b)(2)(B)” and dismissed the Complaint’s internal accounting control claim in its entirety for failure to state a claim.3
Disclosure Controls Violations Require More than Innocent Error or Hindsight
Exchange Act Rule 13a-15(a) requires companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed is accumulated and communicated to management to allow for timely decisions regarding disclosure. The SEC alleged that SolarWinds failed to maintain effective disclosure controls related to material cybersecurity risks and incidents. According to the SEC, SolarWinds maintained an Incident Response Plan (IRP) that contained a classification system. If an incident was classified as a Level 2/moderate incident, the IRP required the incident response team to escalate it to those responsible for assessing the company’s disclosure obligations. Because SolarWinds was unable to determine the root cause of the USTP and Palo Alto events, both incidents were classified at Level 0, which corresponded to an undetermined security event. The SEC charged that SolarWinds maintained deficient disclosure controls because it misclassified the USTP and Palo Alto events as Level 0 instead of Level 2, and because Brown failed to escalate a VPN vulnerability to management in June 2018.4
The court dismissed the SEC’s disclosure controls claim entirely for failure to state a claim.5 The court noted that the SEC did not allege a lack of disclosure controls; to the contrary, the Complaint recognized that SolarWinds maintained controls to facilitate the disclosure of potentially material cybersecurity risks and incidents. Moreover, the SEC did not allege that these controls were deficient in their design or yielded frequent errors. Noting that “errors happen without systemic deficiencies,” the court found that “[w]ithout more, the existence of two misclassified incidents is an inadequate basis on which to plead deficient disclosure controls.”
The court also found that the SEC relied improperly on hindsight to conclude that the events were misclassified and that the VPN vulnerability should have been escalated. The court recognized that “second-guessing by hindsight” is disfavored in securities fraud claims.
Security Statement Published on Website Sufficient to Allege a Material Misrepresentation
The SEC dedicated a substantial portion of the Complaint to arguing that the Security Statement materially misrepresented that SolarWinds 1) “follows” the National Institute of Standards and Technology (NIST) Cybersecurity Framework, 2) uses a secure development life cycle (SDL) when creating software for customers, 3) maintains network monitoring, 4) has and enforces a strong password policy and 5) maintains robust access controls.
The court agreed in part. As a preliminary matter, the court recognized that false statements on public websites can sustain securities fraud liability. The court rejected the defendants’ argument that the Security Statement was meant for SolarWinds’ customers, not investors, and found that since the Security Statement was on the Company’s public website and accessible to investors, it was part of the “total mix of information” furnished to the investing public.
The court held that the Complaint sufficiently alleged that the Security Statement made material misrepresentations concerning the Company’s cybersecurity practices under both material misrepresentation and scheme liability theories. The court did not find it necessary to assess whether all five categories of alleged misrepresentations were misleading; rather, the court found that the Complaint sufficiently pled that the Security Statement contained material misrepresentations concerning the Company’s access controls and password protection policies.
The Security Statement made representations concerning specific practices associated with access controls and password protection, and the Complaint relied upon SolarWinds’ own risk assessments and risk scores for specific controls mapped to the NIST Cybersecurity Framework and NIST SP 800-53, as well as internal communications, internal presentations and Sarbanes-Oxley Act (SOX) audits, to plead sufficiently that those representations were false and made with scienter. The court also determined that a reasonable investor would consider SolarWinds’ cybersecurity practices significant in making an investment decision.
Cybersecurity Risk Disclosures Neither Misled Investors Nor Required the Level of Specificity Sought by the SEC
In its registration statement and periodic SEC filings, SolarWinds included cyber-related risk factors, which indicated that the Company was vulnerable to computer hackers, malicious code and sophisticated nation-state actors. It also warned that the Company could experience security breaches that might remain undetected for an extended period of time, impact the Company’s products, result in damage to its customers’ IT infrastructure and/or result in the loss or theft of its customers’ data. The SEC charged the defendants with securities fraud, alleging that these cyber risk disclosures were generic and boilerplate and created a materially misleading picture of the Company’s true susceptibility to cyberattacks.
The court dismissed all charges based on these cyber risk disclosures. The court noted that fraud claims based on risk disclosures are uncommon and actionable only in “narrow circumstances” where the warned risk has already occurred. According to the court, judged on the information known to the Company in real time, the alleged facts did not support a conclusion that the warned risk had already materialized. Moreover, assuming arguendo that a risk disclosure could be actionable for misleading investors, the court determined that an investor could not have been misled by the Company’s cyber-related risk warnings. Rather, the Company sufficiently alerted investors “of the types and nature of the cybersecurity risks SolarWinds faced and the grave consequences these could present for the company’s financial health and future.”6
The SEC’s position in the Complaint raised substantial concern among practitioners that detailed disclosure would provide a roadmap to cybercriminals and increase the risk of and susceptibility to cybersecurity incidents. Acknowledging this concern, the court found that such a level of detail is not required, noting that “[s]pelling out a risk with maximal specificity may backfire in various ways, including by arming malevolent actors with information to exploit, or by misleading investors based on the formulation of the disclosure or the disclosure of other risks at a lesser level of specificity.”
General Cybersecurity Statements Are Unactionable “Puffery”
The Complaint separately brought securities fraud claims against the defendants based on Brown’s public statements in podcasts, blog posts and press releases concerning the Company’s dedication to high cybersecurity standards. In dismissing this claim, the court found these statements to be “non-actionable corporate puffery, ‘too general to cause a reasonable investor to rely upon them.’”
SEC’s Argument Regarding Form 8-K Disclosures Is Non-Actionable Fraud by Hindsight
In the Complaint, the SEC alleged that the Dec. 14, 2020, Form 8-K was materially misleading because it suggested that a successful compromise was merely theoretical and omitted the USTP and Palo Alto incidents. The court found the SEC’s allegations “unpersuasive,” holding that they “impermissibly rely on hindsight and speculation” to conclude both that investors would have read the Form 8-K to suggest that no compromise had occurred and that the earlier incidents were known to be linked to SUNBURST at the time of the filing.
The court advised that “perspective and context are critical” in assessing such Form 8-K filings. Acknowledging that the Dec. 14, 2020, Form 8-K was filed just two days after Mandiant informed SolarWinds of the malicious code inserted within the Orion software, the court stated that “[c]onsidered in light of this short turnaround, the Form 8-K disclosed the SUNBURST attack and surrounding events with appropriate gravity and detail.” When “[r]ead fairly and in totality,” the court found, the Dec. 14, 2020, Form 8-K did not imply that no successful compromise had occurred. Rather, “a reasonable investor could easily read [the Form 8-K] to connote more consequential or damaging events or outcomes” than the narrow reading the SEC applied. Based on the 16 percent drop in the stock price on the day of filing and an additional 8 percent drop the next day, investors appear to have drawn exactly that conclusion.
The court also noted that the SEC did not allege that any statement in the Dec. 14, 2020, Form 8-K was factually inaccurate. Instead, the SEC’s basis for its claims was the omission of the USTP and Palo Alto incidents in the Dec. 14, 2020, Form 8-K. However, such an omission can be actionable only if the disclosure of these incidents was necessary to make the Company’s prior statements not misleading. The court determined that the Dec. 14, 2020, Form 8-K was not misleading as it “captured the big picture: the severity of the SUNBURST attack.” The court, thus, dismissed all of the SEC’s claims based on the defendants’ conduct following the SUNBURST attack.
The SEC’s case will proceed to discovery on the surviving claim that the Security Statement on the Company’s website was false and misleading. The defendants are required to file an answer to the remaining claim by Aug. 1, 2024.
Key Takeaways
The SEC Failed in Its Efforts to Expand the Internal Controls Provision
The SEC’s effort to expand internal accounting controls to include cybersecurity access controls failed. Despite significant opposition to its novel interpretation of Exchange Act Section 13(b)(2)(B), the SEC continued to bring internal controls charges in cyber enforcement actions.7 In the first court challenge to this broad interpretation, however, the SEC’s arguments were rejected outright.
If this decision stands (or survives any appeal the SEC may take), it is unlikely that the SEC will raise an internal controls violation in future cyber enforcement actions. If it does, any such charge will likely not resemble the allegations against SolarWinds. In addition, this opinion likely curtails the SEC’s effort to expand internal controls violations beyond cybersecurity controls. Thus, the court’s decision may affect internal controls enforcement more broadly, outside the cybersecurity context.
The Court Rejected Allegations of Disclosure Controls Violations in Cyber Enforcement Actions
The SEC often alleges disclosure controls violations in cyber enforcement actions, which is consistent with the agency’s recent trend of addressing disclosure-related matters through disclosure controls rather than through materiality determinations.8 Given the court’s rejection of the SEC’s reliance on disclosure controls violations in this case, however, the SEC will need more than innocent errors in the application of a disclosure controls program to sustain such a charge in the future.
The opinion suggests that to sufficiently allege a disclosure control violation, the SEC will need to establish that the controls and procedures in place were deficient in design or yielded frequent errors. Essentially, the SEC must allege systemic deficiencies for disclosure controls violations. As material cybersecurity incidents are unlikely to be frequent occurrences, the SEC may find it challenging to establish frequent errors resulting from current disclosure controls. As a result, the SEC may be unlikely to bring disclosure controls violations unless the agency can argue that the current controls and procedures are deficient in design. Companies, therefore, should develop well-designed disclosure controls and incident response plans that would preclude such arguments.
The Court Limited Actionable Claims Concerning Cyber Risk Disclosures
Based on the court’s ruling, securities fraud claims concerning cyber risk disclosures are actionable only in the “narrow circumstances” where the warned risk has already occurred. Such a finding significantly limits the SEC’s ability to pursue cyber enforcement actions based on cyber risk disclosures.
The SEC argued that cyber risk disclosures could be actionable for misleading investors; however, the court did not find any caselaw to support such an interpretation. Even when the court assumed arguendo that such a claim could be actionable, the court took a far more pragmatic perspective than the SEC. The court assessed whether the cyber risk disclosure conveyed the manner and severity of the risk to investors and looked at whether the risk disclosure provided the level of “breadth, specificity, and clarity” to convey the consequences of the risk. In doing so, the court rejected the SEC’s argument that cyber risk disclosures require greater specificity, and it acknowledged the concern that such a level of specificity could assist malevolent actors.
The court, thus, provides meaningful guidance to companies on risk factor disclosures. Companies should avoid describing as a hypothetical risk an event that has already occurred. In addition, risk disclosures should convey the manner and severity of the risk but not provide a level of specificity that could arm a threat actor.
The Court Limited Actionable Claims Concerning Material Cybersecurity Incident Disclosures
The opinion suggests that Form 8-K filings concerning material cybersecurity incidents may be actionable when 1) the disclosure contains factually inaccurate statements or 2) information omitted is necessary to make prior disclosures not misleading. Beyond that, the court was highly critical of, and did not credit, the SEC’s speculative assumptions, hindsight analysis and nitpicking on minor details. Essentially, courts are unlikely to be persuaded by the SEC’s second-guessing on the substance of these types of disclosures.
Similar to its analysis of the Company’s cyber risk disclosures, the court took a pragmatic approach in its analysis of SolarWinds’ Form 8-K filings. The court cautioned that a Form 8-K disclosure must be “[r]ead fairly and in totality.” In doing so, the court focused on the “big picture” that is important to investors (i.e., “the severity of the SUNBURST attack”) and not all potentially relevant information (“[The disclosure of the severity of the SUNBURST attack] made the absence of a reference to the two earlier incidents immaterial.”).
The court also advised that “perspective and context are critical” in assessing such Form 8-K filings and credited the short turnaround from discovery to disclosure in its analysis. Importantly, this suggests that courts may consider the practical time constraints that companies face when making material cybersecurity incident disclosures. Thus, given that the SEC Cybersecurity Rules require disclosure of material cybersecurity incidents within four business days after determining materiality, courts may consider this timing constraint when assessing Item 1.05 Form 8-K disclosures under the new rules.
Actionable Cybersecurity Statements
The court delineated between actionable and nonactionable cybersecurity statements, finding that general statements concerning good cybersecurity hygiene and dedication to maintaining high cybersecurity standards were “too general” and constituted “non-actionable corporate puffery.” In contrast, the Security Statement identified specific cybersecurity practices SolarWinds followed, and the court determined that investors could have relied on such statements.
In addition, to demonstrate falsity in the Security Statement, the SEC relied on SolarWinds’ internal assessments, communications and presentations concerning its cybersecurity program. Although such assessments and communications assist companies with identifying and addressing cybersecurity issues, they likely will be the evidentiary basis for SEC cyber enforcement actions. This raises policy concerns that some of the necessary tools to combat cybersecurity risks could be detrimental to a company in a regulatory action.
Finally, although the court recognized that the SEC Cybersecurity Rules were not implicated in its opinion, the decision suggests that courts may take a pragmatic approach concerning disclosures made under SEC Cybersecurity Rules. Courts likely will consider the context and totality of such disclosures and reject hindsight and second-guessing from the SEC. Instead, courts likely will find disclosures under the SEC Cybersecurity Rules to be actionable where a false statement exists or an omission is necessary to make the disclosure not misleading.
Suggested Action Items
To sum up, we highlight some steps issuers can take to help avoid an SEC cyber enforcement action:
- Develop well-designed disclosure controls and incident response plans to preclude claims by the SEC that the company’s cyber controls and procedures are deficient in design.
- Include risk disclosures that provide enough detail to convey the manner and severity of the risk but do not contain enough specificity to provide a road map to threat actors.
- Have a plan in place for responding to a cyber incident and practice it routinely to sharpen the company’s response time and to ensure that the key players know what to do and are engaged fully in the process.
- Engage counsel with cybersecurity experience and expertise to assist with drafting or finetuning risk disclosures and advise in the event of a cybersecurity incident.
Holland & Knight’s Securities Enforcement Defense Team and Data Strategy, Security & Privacy Team will continue to monitor the developments of the SEC’s action against SolarWinds and other cybersecurity-related enforcement actions. For more information about this case, con
Notes
1 15 U.S.C. § 78m(b)(2)(B)(iii).
2 In cybersecurity, access controls are policies and procedures to ensure that only authorized users can access and use the information system and that authorized users are granted the appropriate level of access to the data within such systems.
3 The court dismissed the internal accounting controls claim against SolarWinds and the related aiding and abetting claim against Brown.
4 Since SolarWinds did not go public until October 2018, it is unclear whether a disclosure controls claim based on conduct that predates the company becoming a public company (such as the June 2018 VPN vulnerability) was properly raised. This issue was not addressed in the court’s order.
5 The court dismissed the disclosure controls claim against SolarWinds and the related aiding and abetting claim against Brown.
6 Notably, the court took issue with the SEC’s “opaque” view that the risk disclosure was generic and boilerplate. Although unnecessary for its opinion, the court nevertheless identified several aspects of the risk disclosure that were specific to the risks SolarWinds faced given its business model.
7 See “SEC Expands Scope of Internal Accounting Controls in Cybersecurity Breach Settlement,” Holland & Knight alert, July 9, 2024.
8 See “SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls,” Holland & Knight alert, June 22, 2021. (“[T]his action continues the SEC’s recent trend to deal with disclosure-related matters through rules related to internal control over financial reporting and disclosure controls and procedures. By eschewing claims under securities disclosure laws, such as Sections 10 and 18 of the Exchange Act and rules thereunder, the SEC avoids the need to establish whether a disclosure was materially misleading or whether the disclosure failure involved scienter or other culpable behavior or knowledge of the persons making the disclosure. Rather, the SEC simplifies its inquiry to determine whether corporate controls and procedures alerted senior executives of particular facts and information.”).