A New Frontier for SEC Cybersecurity Enforcement? The SEC Charges SolarWinds and its CISO with Securities Fraud
Earlier this week, the SEC accused SolarWinds Corporation (“SolarWinds” or the “Company”) and its Chief Information Security Officer (“CISO”) of scienter-based[1] securities fraud, among other violations, for allegedly misleading investors about the Company’s cybersecurity practices and risks.[2] The lawsuit marks a shift in the SEC’s cybersecurity enforcement: the SEC’s previous—and rare—cybersecurity enforcement actions largely centered on negligence-based disclosure violations and on disclosure and internal controls violations brought in the wake of cyber incidents that involved the exfiltration of individuals’ sensitive personal information. The SEC’s Complaint, which includes an unprecedented charge against a CISO, alleges that SolarWinds and the CISO knowingly made false public statements promoting the Company’s cybersecurity practices and risks while omitting material information to the contrary. The SolarWinds CEO has called the SEC’s suit “misguided and improper . . . representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.”[3]
Cyber Risk Disclosures Matter: The SEC alleges that hypothetical and generic risk disclosures in periodic SEC filings, even in the absence of a material cybersecurity incident, were materially misleading in violation of the securities laws where the company faces known, material risks that remain undisclosed.
Form 8-K Disclosures About Material Cyber Events Are Under Scrutiny: SolarWinds disclosed the December 2020 SUNBURST incident in a Form 8-K, but the SEC alleges that the disclosure was materially misleading because it did not disclose that “the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period.”[4]
Charges Against an Individual in Connection with a Cyber Incident: The SEC alleges that the CISO knowingly made deceptive public statements—including in podcasts and blog posts—that touted the Company’s cybersecurity practices and hygiene, despite acknowledging internally and contemporaneously that the Company had serious cybersecurity vulnerabilities. The SEC also claims that the CISO aided and abetted SolarWinds’ violations, including related to the Company’s allegedly false public statements and in connection with its alleged internal controls failures. In addition to monetary relief, the SEC seeks a permanent officer and director bar against the CISO.
In late 2020, certain SolarWinds customers discovered that Russia-backed hackers had accessed SolarWinds’ systems and inserted malicious code into its Orion software platform, which the SEC alleges is the Company’s “crown jewel” product.[8] The SEC claims that SolarWinds’s delivery of the compromised product to thousands of its customers allowed the threat actors to access certain customers’ network environments. This incident became known as the “SUNBURST” attack.
The SEC’s lawsuit against SolarWinds and its CISO alleges that the Defendants knowingly deceived investors about known cybersecurity risks and vulnerabilities, and that SolarWinds also committed internal controls and other violations of the securities laws.
The SEC’s allegations against SolarWinds and its CISO go beyond insufficient incident disclosure. Indeed, the bulk of the Complaint’s fraud allegations concern what the SEC characterizes as deficient risk disclosures that remained hypothetical and generic in the face of known, material risks, together with public statements that touted the Company’s cybersecurity practices when, the SEC says, the actual practices fell short. According to the SEC, “Defendants’ false and misleading statements and omissions . . . would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack.”[9]
As to specifics, the Company and the CISO allegedly promoted the strength of SolarWinds’ cybersecurity practices in public statements, including in a Security Statement on the Company’s website.[10] For example, the SEC alleges that Defendants claimed that SolarWinds followed the widely used and internationally recognized National Institute of Standards and Technology Cybersecurity Framework (or “NIST Framework”) to help identify, prevent, detect, and respond to security incidents. In reality, according to the SEC, SolarWinds met only a small fraction of the NIST Framework cybersecurity controls and had “no program/practice in place” for the majority of the controls.[11] The SEC also alleges that the Defendants falsely stated that SolarWinds used a secure development lifecycle (“SDL”) when creating software for customers, even though they knew that SolarWinds did not in fact follow an SDL, including for components of Orion that were ultimately accessed by the SUNBURST threat actor. According to the Complaint, the Defendants publicly stated that the Company had implemented a strong password policy while knowing that SolarWinds did not enforce this policy. Finally, the SEC claims that the Defendants falsely stated that SolarWinds maintained strong access controls, when the reality on the ground, according to the SEC, was that “SolarWinds actually had poor access controls,” including an expansive use of admin privilege rights and a virtual private network vulnerability.[12]
As for the CISO, the SEC alleges that he knew about SolarWinds’ cybersecurity vulnerabilities and deficiencies while simultaneously publicly touting the quality of the Company’s cybersecurity practices, including in Company-approved press releases, blog posts, and podcasts. In support, the SEC cites internal communications, including emails, instant messages, and presentations exchanged among the CISO, members of his security team, and Company executives, which allegedly demonstrate that the CISO knew SolarWinds had “pervasive cybersecurity deficiencies.”[13]
The SEC further alleges that, in the period leading up to the SUNBURST attack, SolarWinds faced “an accumulating number of red flags” and “multiple successful intrusions against Orion.”[14] These risks were allegedly documented and discussed internally by the CISO and other Company employees at the time. After the SUNBURST attack came to light, Defendants prepared and filed a Form 8-K that allegedly “created a materially misleading picture of the Company’s knowledge of the impact of the attack.”[15] According to the SEC, the Defendants knowingly failed to disclose that the vulnerability had already been exploited against SolarWinds’ customers’ systems on at least three occasions over the preceding several months.
As is common in SEC cyber cases, the SEC brought charges for internal controls violations. This lawsuit, however, is the first cyber enforcement action that includes a Section 13(b)(2)(B) charge. Specifically, the SEC charged SolarWinds with a failure to employ a system of internal accounting controls that would safeguard its critical assets during a breach. Section 13(b)(2)(B) requires, among other things, that issuers devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that access to company assets is permitted only in accordance with management’s general or specific authorization.[16] Historically, access to company assets comes up where payments are made by company employees without proper authorization.[17] The assets at issue in the Complaint, however, appear to be SolarWinds’ “information technology network environment, source code, and products,” including its “crown jewel,” the Orion information technology infrastructure and management platform.[18] The SEC alleges that numerous internal communications in 2019 and 2020 raised doubts about SolarWinds’ ability to protect these “critical assets” from cyber threats. The SEC further alleges that the Company nevertheless failed to remedy vulnerabilities that allowed the SUNBURST threat actor to access and insert malicious code into Orion in violation of Section 13(b)(2)(B). It remains to be seen whether this application of Section 13(b)(2)(B) will stand up in litigation; if it does, this broad definition of “assets” could significantly increase the possibility of similar claims on the heels of cyber attacks involving internal controls failures.
Finally, the SEC alleges that SolarWinds also failed to maintain disclosure controls and procedures sufficient to ensure that information regarding potentially material cybersecurity risks, incidents, and vulnerabilities was escalated to the executives responsible for disclosures, in violation of Exchange Act Rule 13a-15(a). As a result, cybersecurity issues with the potential to materially affect SolarWinds allegedly went unreported.
[1] In other words, the SEC has charged SolarWinds and its CISO with intentionally and knowingly committing securities fraud.
[2] Complaint, SEC v. SolarWinds Corp. and Timothy G. Brown, No. 23-cv-9518 (S.D.N.Y. Oct. 30, 2023), (hereinafter, the “Complaint” or “SolarWinds Compl.”).
[3] Ramakrishna, Sudhakar, Transparency, Information-Sharing, and Collaboration Make the Software Industry More Secure. We Must Not Risk Our Progress (Oct. 30, 2023).
[4] SolarWinds Compl. ¶ 17.
[5] SolarWinds Compl. ¶ 195.
[6] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, SEC Release No. 84429 (Oct. 16, 2018).
[7] SolarWinds Compl. ¶ 54.
[8] See id. ¶ 2.
[9] Id. ¶ 10 (emphasis added).
[10] Although CISOs are not typically responsible for statements made on company websites, the SEC claims that, in this case, the CISO was “was primarily responsible for creating and approving the Security Statement before it was posted,” and that he “disseminated the Security Statement, or a link to the Security Statement, to customers seeking more information about SolarWinds’ security practices.” Id. ¶ 39.
[11] Id. ¶ 49.
[12] Id. ¶ 91.
[13] Id. at 36.
[14] Id. ¶ 137.
[15] Id. ¶ 185.
[16] 15 U.S.C. § 78m(b)(2)(B).
[17] In an October 16, 2018, Section 21(a) Report of Investigation, the SEC discussed the possibility that Section 13(b)(2)(B) could apply to victims of cyber attacks, but before this lawsuit the SEC had never brought an enforcement action under that theory. Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, SEC Release No. 84429 (Oct. 16, 2018).
[18] SolarWinds Compl. ¶ 195.