In many ways, the Securities and Exchange Commission’s (“SEC”) October 30, 2023 enforcement action against software company SolarWinds Corporation (“SolarWinds”) and its chief information security officer (“CISO”) is a typical securities case. The first four counts involve alleged material misstatements by the public company related to widely reported operational turmoil that allegedly materially impacted the company.
But aspects of the case may signal a change in how the SEC looks at cyber incidents, including internal controls, disclosure controls and procedures and reporting failures relating to allegedly known cybersecurity risks and vulnerabilities. The SEC is also breaking ground in its public company cyber disclosure initiative in two significant ways. First, SolarWinds’ CISO was charged with aiding and abetting these more technical violations. Second, the SEC is employing internal accounting controls provisions charges against both the company and the CISO arising out of its failure to maintain effective controls to protect its key assets from cyber attacks.
For the avoidance of confusion, even though much has been written about the SEC’s recently finalized rules requiring public company disclosures of material cybersecurity incidents and related governance disclosures, the alleged conduct in this case predates the effectiveness of those rules, and the complaint therefore does not allege that they were violated. Instead, the SEC relied on its pre-existing arsenal of enforcement theories, as discussed below.
The charges stem from a major cybersecurity incident that went undetected for months. In 2019, threat actors gained access to the build environment for SolarWinds’ Orion platform, widely used by companies and government agencies to manage IT resources, and inserted malicious code into the product. The result was an unprecedented software supply-chain attack in which the trojanized Orion software reached more than 18,000 SolarWinds customers.
The SEC complaint alleges that, from at least October 2018 through December 2020, SolarWinds and its CISO defrauded investors by overstating SolarWinds’ cybersecurity practices, failing to disclose known risks and failing to resolve issues or sufficiently raise them within the company. The SEC complaint further alleges that SolarWinds and the CISO made materially false and misleading statements and omissions in at least three instances: (i) the “Security Statement” on the SolarWinds’ website; (ii) in Form S-1 and S-8 Registration Statements and periodic reports filed with the SEC; and (iii) in Form 8-K filed with the SEC on December 14, 2020 regarding the cybersecurity incident. Notably, the SEC based its charges not only on statements intended for use by investors, but also customer-facing materials like the Security Statement on the SolarWinds website. In its complaint, the SEC asserts that: “Reasonable investors considering whether to purchase or sell SolarWinds stock would have considered it important to know the true state of SolarWinds’ cybersecurity practices because, among other reasons, poor cybersecurity practices could negatively impact sales and revenue, and, therefore, stock valuations.”
The SEC’s complaint alleges that SolarWinds and its CISO violated the antifraud provisions of the Securities Act of 1933 (the “Securities Act”) and of the Securities Exchange Act of 1934 (the “Exchange Act”). In addition to charging the CISO with direct liability for securities fraud, the SEC pleads in the alternative that the CISO aided in the company’s disclosure violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against the CISO. The matter was not settled and the SEC will, at least at this point, need to prove its case at trial.
Gatekeeper or Just a Culpable Party?
Government enforcement agencies have increasingly sought to hold individuals accountable for perceived corporate misconduct, including gatekeepers (those in a position to prevent and detect that conduct). For example, Deputy Attorney General Lisa Monaco has cited “going after individuals who commit and profit from corporate crime” as one of the Department of Justice’s top priorities in this administration. The Federal Trade Commission has also pursued individual accountability in its enforcement actions. The SEC has emphasized its focus on “gatekeeper accountability” by committing to bring enforcement actions against individuals who facilitate violations. Whether this is a “gatekeeper” case (i.e., whether the SEC is taking the view that a CISO is a gatekeeper) is open to interpretation, although we note that the SEC’s press release nowhere mentions that notion. In the main, however, the label matters less than two larger questions: what is unique about this case, and what is the SEC saying about why the CISO was singled out for potential liability?
Although the relevant statements in the SolarWinds complaint are not directly attributed to the CISO, the complaint cites the CISO’s responsibility for “the overall security program, … ongoing security efforts, as well as security architecture” and the fact that he signed sub-certifications “attesting to the adequacy of SolarWinds’ cybersecurity internal controls, which SolarWinds’ executives relied on in connection with SolarWinds’ periodic reports that were filed with the SEC.” In particular, some of the key statements at issue are as follows.
(1) Security Statement
During the relevant time period, SolarWinds had on its website a Security Statement that described its cybersecurity practices. Among other things, the Security Statement asserted that SolarWinds used a Secure Development Lifecycle for creating software, used strong password security practices, and maintained access controls on a “least privilege” basis. According to the complaint, all of these assertions were untrue; notably, the complaint cites a particular email sent in 2018 by an unnamed employee to senior management saying “I’ve gotten feedback that we don’t do some of the things that are indicated [in the SDL section of the Security Statement].” The complaint also cites emails and an audit sent to the SolarWinds Chief Information Officer (CIO) revealing poor password practices, like the use of default passwords and shared login credentials for legacy SQL accounts, and the failure to encrypt log-in credentials in some instances.
The complaint alleges that the SolarWinds CISO was “primarily responsible for creating and approving the Security Statement.” In support of this, the SEC points out that the CISO was listed as the “owner” or “approver” of the Security Statement on company documents, that it was posted on a section of the website that prominently featured a photo of the CISO, and the CISO (and others acting at his direction) sent out the Security Statement to customers and included a link to it on blog posts.
(2) Registration Forms and Annual Reports
SolarWinds became a public company in 2018, and filed Form S-1 registration statements as well as Forms S-8 for its employee stock purchase plan. It thereafter filed Form 10-K annually as required. According to the complaint, these forms contained “general, high-level risk disclosures that lumped cybersecurity in a list of risks,” which were simply repeated verbatim in each successive filing. The disclosure acknowledged the potential for negative consequences in the event of a cyberattack, but “failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and unknown risks.” Although the CISO did not sign these statements, the complaint alleges that he was aware they were materially false, and points to internal statements he made regarding certain cybersecurity deficiencies.
(3) December 2020 8-K
From May 2020 to December 2020, three separate customers reported malicious unauthorized activity associated with Orion. In December 2020, SolarWinds filed a Form 8-K disclosing that malicious code had been detected in the Orion software. The complaint alleges that the 8-K was misleading because it (i) characterized the vulnerability as one that “could potentially allow” a threat actor to compromise the server, when in fact SolarWinds knew that such a compromise had already occurred for at least three customers, (ii) characterized the hiring of third-party cybersecurity experts as an effort to determine “whether a vulnerability in the Orion monitoring products was exploited” when, again, the company was aware that exploitation had occurred, and (iii) said that the company was “still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited.”
The complaint indicates that the 8-K was “drafted by a group of executives, including [the CISO], and signed by SolarWinds’ CEO.”
Notably, the complaint makes clear that, while the CISO had primary responsibility for the security program, company executives were aware of cybersecurity risks. For example, one of the customers impacted by the Orion vulnerability reported it to the CEO initially. The complaint also makes reference to various presentations and papers that highlighted security risks and were shared with executive leadership, including the CEO.
Pursuing companies under the antifraud provisions of the federal securities laws (Section 10(b) of the Exchange Act and Rule 10b-5 thereunder and Section 17(a) of the Securities Act) for making allegedly false and misleading statements to the investing public, as well as senior management significantly involved in the making of those alleged misstatements is old fare for the SEC.
Beyond that, however, there are a handful of critical takeaways from the SEC’s charges.
First, the SEC’s decision to name the CISO as an individual defendant, and to seek a permanent officer and director bar, suggests that CISOs may increasingly be viewed as the gatekeepers of a public company’s cybersecurity program. Although the SEC has a long history of bringing enforcement actions against individuals, including gatekeepers, those actions have tended to focus on individuals who were directly involved in the transaction or practice that formed the basis for the action (e.g., directly responsible for knowingly booking improper transactions as part of a channel stuffing or revenue recognition scheme) or who affirmatively made misrepresentations to the investing public or to auditors. Here, the SEC alleged that the CISO, Brown, had responsibility for the Security Statement, which was a public communication and contained a number of allegedly material misrepresentations. Absent that kind of direct involvement in a public disclosure (and assuming the disclosure is deemed “material”), questions remain about whether this is a one-off enforcement action driven by its facts and, if not, where the “line” for CISO liability is. Lacking a crystal ball, it is hard to imagine that this will be the only SEC enforcement activity relating to CISOs and others similarly situated. The real question is, in the absence of public statements that are allegedly false and misleading, where will the SEC draw the line? That question leads to our next thought.
Second, the SEC employed an internal accounting controls charge under Section 13(b)(2)(B) of the Exchange Act. In the SEC’s press release announcing the case, Director of Enforcement Gurbir Grewal said “[t]oday’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC claims that SolarWinds violated these provisions and that Brown aided and abetted those violations by allegedly being aware of “SolarWinds’ cybersecurity risks and vulnerabilities but fail[ing] to resolve the issues or, at times, sufficiently rais[ing] them further within the company…the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.” The SEC is fond of using the internal controls provisions in cases where corporate assets were jeopardized or proper financial controls were circumvented, and applying that theory to cybersecurity is one that SEC Staff (expressing their own views, of course) have bandied about in various circles for at least the last decade.
Third, another theory used by the SEC, and one that companies are strongly advised to pay close attention to, is the allegation that SolarWinds failed to maintain appropriate disclosure controls and procedures related to cyber incidents. Exchange Act Rule 13a-15(a) requires issuers to maintain disclosure controls and procedures, including controls and procedures designed to ensure that information required to be disclosed by an issuer is accumulated and communicated to management to allow for timely decisions regarding disclosure. The SEC has used the disclosure controls and procedures provisions of Rule 13a-15(a) with increasing frequency as a basis for enforcement actions in data breach cases, and here the CISO was charged with aiding and abetting SolarWinds’ violations. In support of this, the SEC alleged: “SolarWinds’ Incident Response Plan, which Brown helped implement and maintain, provided for a classification of risks based on the impact to customers, and only incidents that impacted multiple customers were reported upward to management responsible for disclosure. As a result, multiple cybersecurity issues that had the potential to materially impact SolarWinds, but which SolarWinds determined at the time did not yet impact multiple customers, went unreported.”
Registrants should ensure they have adequate structures in place to assess the materiality of cybersecurity-related issues, are paying close attention to the relatedness of seemingly individual cyber incidents (as required under the new SEC rules) and review and approve all public-facing statements about their cybersecurity programs. It is also important to create internal controls for reporting cybersecurity issues to senior management for disclosure assessments, including, for example, mechanisms for information security personnel who monitor and track incidents to meet regularly with the personnel who have front-line disclosure assessment responsibilities. Protocols for escalating issues to senior management are paramount, as this case illustrates. These controls can and should be flexible and evolve as new vulnerabilities and risks are identified, but they should be memorialized in an incident response plan that accounts for the specific risk factors that apply to the organization. All of this will come further into focus once public companies and foreign private issuers are required to report cybersecurity incidents on Forms 8-K and 6-K.
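The escalation gap the complaint describes (an incident response plan that reported upward only incidents already impacting multiple customers, so related single-customer reports never reached disclosure personnel) is easy to reproduce in triage logic. The following Python is an added illustration written for this page; it is not SolarWinds’ incident response plan or code, and every incident, field name and threshold in it is constructed. It contrasts a per-incident customer-count rule with one that first correlates reports sharing a product and indicator and then escalates on the combined footprint or on assessed potential impact.

```python
"""Escalation rules for a cyber incident response plan (added illustration).

Not SolarWinds' plan or code. Incidents, field names and thresholds below
are constructed to show how a "multiple customers only" rule filters out
related single-customer reports before anyone with disclosure
responsibility sees them.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    incident_id: str
    product: str           # affected product line (constructed)
    indicator: str         # shared artifact, e.g. a file hash or C2 domain (constructed)
    customers: frozenset   # customers known to be affected by this one report
    potential_impact: str  # analyst assessment: "low", "moderate" or "high"


# Constructed sample: three separate customer reports tied to the same
# product and indicator, each touching one customer, plus an unrelated event.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "orion", "hash:aaaa", frozenset({"cust-a"}), "high"),
    Incident("INC-2", "orion", "hash:aaaa", frozenset({"cust-b"}), "high"),
    Incident("INC-3", "orion", "hash:aaaa", frozenset({"cust-c"}), "high"),
    Incident("INC-4", "helpdesk", "hash:bbbb", frozenset({"cust-d"}), "low"),
]

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}


def escalate_by_customer_count(incidents, threshold=2):
    """Rule of the kind the complaint describes: each report is judged on its
    own, and only reports already affecting `threshold` or more customers go
    to disclosure management. Single-customer reports never escalate."""
    return sorted(i.incident_id for i in incidents if len(i.customers) >= threshold)


def correlate(incidents):
    """Group reports that share a product and an indicator into one candidate
    incident, so relatedness is assessed before the escalation decision."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[(inc.product, inc.indicator)].append(inc)
    return groups


def escalate_with_correlation(incidents, customer_threshold=2, impact_floor="high"):
    """Corrected rule: a correlated group escalates when its combined customer
    footprint reaches the threshold OR any member is assessed at or above the
    impact floor. A single high-impact report therefore still reaches the
    people responsible for the materiality and disclosure decision."""
    escalated = []
    for (product, indicator), members in correlate(incidents).items():
        customers = frozenset().union(*(m.customers for m in members))
        worst = max(IMPACT_RANK[m.potential_impact] for m in members)
        reason = None
        if len(customers) >= customer_threshold:
            reason = f"{len(customers)} customers affected across related reports"
        elif worst >= IMPACT_RANK[impact_floor]:
            reason = f"potential impact {impact_floor} or above"
        if reason:
            escalated.append({
                "product": product,
                "indicator": indicator,
                "members": sorted(m.incident_id for m in members),
                "reason": reason,
            })
    return sorted(escalated, key=lambda e: (e["product"], e["indicator"]))


if __name__ == "__main__":
    print("customer-count rule escalates:", escalate_by_customer_count(SAMPLE_INCIDENTS))
    for entry in escalate_with_correlation(SAMPLE_INCIDENTS):
        print("correlated rule escalates:", entry)
```

Run as a script, the customer-count rule escalates nothing from the sample, because each of the three related reports names only one customer, while the correlated rule escalates the group of three with the combined footprint as the reason. Dropping to a single high-impact report still escalates under the corrected rule, this time on the impact floor rather than on customer count, which is the behaviour a disclosure-controls reviewer would want to see documented in the plan.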
For more information on these rules and tips for preparation and compliance, see our previous client alert.