The SEC’s Risk Disclosure and Controls Claims Against SolarWinds Fall to the Cutting Room Floor
Judge Engelmayer of the Southern District of New York issued his much-anticipated opinion in Securities and Exchange Commission v. SolarWinds Corp. et al. last week,[1] dismissing most of the SEC’s claims against SolarWinds Corporation (“SolarWinds” or the “Company”) and its Chief Information Security Officer (“CISO”). The decision represents a significant victory for the Company and undoubtedly will affect the future scope of SEC cybersecurity enforcement and strategy. The case serves as a reminder, however, that public statements with detailed and specific cybersecurity information must be complete and accurate.
On October 30, 2023, the SEC accused SolarWinds and its CISO of committing scienter-based securities fraud for allegedly misleading investors about SolarWinds’ cybersecurity practices and risks before and after a cyberattack carried out by Nobelium, a likely state-sponsored threat actor. The agency alleged that the Company and the CISO promoted the strength of SolarWinds’ cybersecurity practices in public statements, including in a Security Statement on the Company’s website. It also alleged that SolarWinds’ risk disclosures materially misrepresented the state of SolarWinds’ cybersecurity by presenting the risks faced by the Company as generic and hypothetical in the face of known, material risks. In bringing its first-ever cyber enforcement action to include Section 13(b)(2)(B) charges, the agency also alleged that SolarWinds failed to employ a system of internal accounting controls that would safeguard its critical assets (namely, source code and IT networks) during a breach, in supposed violation of Section 13(b)(2)(B).
Securities Fraud Claims and Cybersecurity Risk Disclosures. Apart from the securities fraud claims arising from the Security Statement,[9] Judge Engelmayer dismissed all charges against the Company and its CISO based on the cybersecurity risk disclosures in SolarWinds’ public filings, as well as on other public-facing materials such as blog posts, podcasts, and press releases. If other courts follow this lead, public companies and their CISOs can take comfort that non-specific marketing statements regarding cybersecurity may not lead to individual securities law liability.
In his ruling, Judge Engelmayer held that SolarWinds’ cybersecurity risk disclosures “enumerated in stark and dire terms the risks the company faced were its cybersecurity measures to fail” and that while a reasonable investor “could easily have been led astray by the Security Statement, such an investor could not have been misled by the risk disclosure.”[10] He noted that “the case law does not require . . . the company set out in substantially more specific terms scenarios under which its cybersecurity measures could prove inadequate,” as this could “backfire” by giving threat actors information to exploit or otherwise mislead investors about risks disclosed by the company in less detail.[11] As for the SEC’s argument that the risk disclosures should have been updated after two incidents leading up to the SUNBURST attack,[12] Judge Engelmayer ruled that while companies have a duty to tell the whole truth once they speak on an issue or topic, SolarWinds did not have an obligation on the facts as pled to update its cybersecurity risk disclosures since it had already warned investors “in sobering terms”[13] of the relevant risks of a cyberattack.[14] Instead, the Company’s risk disclosures should be evaluated “based on the information the company had in real-time and the conclusions it reasonably drew from that information,” not with the benefit of hindsight.[15] By extension, Judge Engelmayer also dismissed all claims against SolarWinds’ CISO related to sub-certifications he provided to senior management responsible for certifying the Company’s SEC filings, deeming them “logically unsustainable.”[16]
Internal Accounting Controls Violations Under Section 13(b)(2)(B). Relying on well-established canons of statutory interpretation[17] and case law precedent analyzing Section 13(b)(2)(B),[18] Judge Engelmayer held that the statutory requirement to devise and maintain a system of internal accounting controls requires issuers to “accurately report, record and reconcile financial transactions and events.”[19] Adopting the SEC’s expansive interpretation of the statute to cover all systems companies use to protect all of their assets (such as cybersecurity controls) was not supported by the plain reading of the statute and would have undesirably “sweeping ramifications,” granting the agency authority to regulate a host of activities that Congress did not originally intend.[20] Thus, the court concluded that while cybersecurity controls are important, they are not internal accounting controls.[21]
Disclosure Controls. The court also dismissed the SEC’s disclosure controls claim, holding that a failure to accurately assess the severity of a cybersecurity incident is not, by itself, sufficient to establish a disclosure control problem. The court made clear that “errors happen without systematic deficiencies.”[22]
Conclusion. As a result of this decision, the remaining claims involve Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act, which may be challenging, though not impossible, to dispose of at summary judgment. Given the ruling, companies should carefully consider the benefits of sharing detailed, non-mandatory statements about cybersecurity controls (and the accuracy of such information) against the potential risks of these statements being used to support a violation of the securities laws.
[1] No. 125, 1:23-cv-09518-PAE (S.D.N.Y. July 18, 2024) (hereinafter “ECF 125”).
[2] ECF 125 at 68.
[3] ECF 125 at 74.
[4] ECF 125 at 75–76.
[5] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, SEC Release No. 84429 (Oct. 16, 2018).
[6] ECF 125 at 57.
[7] ECF 125 at 54.
[8] ECF 125 at 59.
[9] In particular, statements made by the Company that it had strong access controls and a strong password policy, despite internal awareness of an allegedly expansive use of administrative privilege rights and a virtual private network vulnerability.
[10] ECF 125 at 70.
[11] ECF 125 at 73.
[12] In late 2020, certain SolarWinds customers discovered that Russia-backed hackers had accessed SolarWinds’ systems and inserted malicious code into its Orion software platform, which allowed the threat actors to access certain customers’ network environments.
[13] ECF 125 at 75.
[14] ECF 125 at 74–75.
[15] ECF 125 at 76.
[16] ECF 125 at 81.
[17] Namely, the principle of “noscitur a sociis,” which states that a word should be interpreted in the context of neighboring words it is associated with.
[18] See, e.g., SEC v. World-Wide Coin Investments, Ltd., 567 F. Supp. 724 (N.D. Ga. 1983); McConville v. SEC, 465 F.3d 780 (7th Cir. 2006), as amended on denial of reh’g and reh’g en banc (Jan. 17, 2007).
[19] ECF 125 at 98.
[20] ECF 125 at 100.
[21] ECF 125 at 98.
[22] ECF 125 at 104.