Our Securities Litigation, Securities, Privacy, Cyber and Data Strategy team provides key takeaways for public companies and their directors and officers in light of the Securities and Exchange Commission’s recent civil lawsuit against SolarWinds and its chief information security officer.
- The complaint is the first formal action of its kind by the SEC since new cybersecurity disclosure rules for public companies were adopted earlier this year.
- The SEC alleges misrepresentations in SEC filings by SolarWinds and its CISO, but also cites public statements on the company’s website.
- This development requires public companies to consider proactive steps to address potentially expanded liability.
In the latest development in the nearly three years since SolarWinds Corporation announced that it had learned of a “highly sophisticated manual supply chain attack” against its systems, the SEC announced that it had filed a civil complaint against SolarWinds and its current chief information security officer (CISO) and former head of information security, Timothy Brown, alleging fraud and violations of disclosure controls. Notably, this complaint is the first formal action brought by the SEC against a CISO in this context, and it is also the first time the SEC has gone to court with civil fraud claims against a public company over its cybersecurity disclosures. The action follows the SEC’s adoption earlier this year of new cybersecurity disclosure rules for public companies and is another sign of the agency’s increased focus on cybersecurity disclosure.
SEC allegations
In December 2020, SolarWinds announced a cybersecurity attack (known as the SUNBURST attack) affecting its Orion platform, one of its “crown jewel” assets, used by numerous public and private sector organizations for IT infrastructure monitoring. And the management team. In November 2022, SolarWinds announced that it had received a Wells Notice indicating that the SEC staff had made a preliminary determination to recommend enforcement action against SolarWinds for securities law violations related to the company’s cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures. In June 2023, the company announced that its CFO and Mr. Brown had also received Wells Notices. On October 30, 2023, the SEC filed suit against SolarWinds and Mr. Brown in the Southern District of New York.
The SEC’s complaint alleges that Mr. Brown made or endorsed numerous false statements about the status of the company’s cybersecurity program, including on the company’s website, in blog posts, and in podcasts. The complaint further alleges that the company’s SEC filings contained false and misleading statements about the company’s cyber risks, and that the company’s disclosures about the SUNBURST attack omitted material information. To support its claims, the SEC cites, among other things, internal emails and messages between members of the company’s cybersecurity team. The evidence cited by the SEC reflects a particular focus on the issues allegedly raised to Mr. Brown and his responses to them.
Claims regarding statements made on the company’s website, blog, or press releases
The SEC alleges that the company and Mr. Brown made numerous false statements to investors about the strength of the company’s cybersecurity practices and the security of its products. According to the SEC, these statements misled investors, for whom the actual state of the company’s cybersecurity practices and its vulnerability to cyberattacks were “material” to investment decisions.
First, the complaint repeatedly references a “Security Statement” posted on the company’s website, in which the company stated that it: (1) followed certain standardized industry best practices for creating software products with robust cybersecurity protections (the “Secure Development Lifecycle,” or SDL); (2) enforced the use of complex passwords on all information systems and databases; (3) granted access to sensitive data on a “need to know/least privilege” basis; (4) limited the number of employees who could disable antivirus software or change user passwords; and (5) followed the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Internal documents identify Mr. Brown as the ultimate “owner” or “approver” of the Security Statement.
However, the SEC alleges that the Security Statement concealed the company’s poor cybersecurity practices from the public, including the company’s alleged failures to: (1) periodically measure or enforce compliance with SDL protections; (2) enforce the use of strong passwords on all systems; and (3) resolve long-standing access control problems.
The complaint then alleges that the company, and in particular Mr. Brown, made numerous public statements about the strength of SolarWinds’ cybersecurity program in press releases, blog posts, podcasts, and similar forums, such as: “We take the security of our products seriously and make sure everything is backed by sound security processes, procedures, and standards.” The SEC alleges that these and similar statements were false and misleading, relying on internal emails, messages, and documents from 2017 to 2020 indicating that the company was aware of poor cybersecurity practices and material vulnerabilities as early as 2018. Evidence cited by the SEC includes:
- A January 2018 email acknowledging that the company was not following the practices outlined in the SDL section of the Security Statement published on its website and that the company would begin incorporating those practices in 2018. A subsequent August 2019 presentation listed SDL practices as an area where the company “does not routinely measure or enforce policy compliance,” and Mr. Brown gave sworn testimony in 2020 that Orion was not built under the SDL.
- A June 2018 email from a company network engineer warning that the company’s remote access VPN allowed access from devices not managed by the company, that an attacker who discovered the vulnerability “basically could do anything without us detecting it until it’s too late,” and that this could lead to “significant reputational and financial loss” for the company.
- Documents indicating known vulnerabilities in the Orion platform, including an internal “Risk Acceptance Form” from September 2020 warning of the “risk of legacy issues in the Orion platform” and stating that “[t]he amount of security issues identified in the last month has exceeded our engineering team’s ability to resolve them.” In November 2020, an instant message to a senior information security manager included a list of vulnerabilities in the Orion platform and stated that “the product is full of mysteries and has clearly been around for many years.”
- An October 2020 message from an information security employee stating that, when asked whether the company had experienced cyberattacks similar to those reported by customers, employees had “lied” in denying any similar activity.
- A November 2020 instant message from a senior information security manager stating: “[w]e are far from a security-focused company. [E]very time I hear the nerds in our heads talk about security, it makes me want to throw up.”
The SEC alleges that this evidence rendered Mr. Brown’s and the company’s statements about the state of the company’s cybersecurity program false and misleading.
Risk disclosures in periodic SEC filings
The SEC also alleges that the “general and hypothetical” cybersecurity risk disclosures in the registration statement the company filed in connection with its 2018 IPO failed to disclose cybersecurity risks that the company and Mr. Brown knew of at the time of filing, and that the disclosure was therefore misleading. The same risk disclosure was repeated verbatim in the company’s periodic SEC filings from October 2018 to November 2020. The SEC alleges that these “general” disclosures of hypothetical cybersecurity risks were false and misleading because they did not disclose known risks bearing on the magnitude of the cybersecurity risks and potential harm to the company, including the company’s failure to follow the practices outlined in its Security Statement.
SolarWinds’ December 14, 2020 Form 8-K Statement Regarding the SUNBURST Incident
Finally, the complaint challenges the accuracy of the company’s statements in its December 14, 2020 Form 8-K. The company stated that it was “aware of a cyberattack that inserted a vulnerability within Orion monitoring products that, if present and enabled, could potentially allow for intrusion,” and that “an attacker compromised the servers running Orion products,” adding that it was still investigating the attack. The SEC alleges that the Form 8-K contained false and misleading statements because, at the time of filing, the company already knew that the threat actor had accessed the company’s servers at least three times since May 2020, yet the filing misled investors into believing the company was still investigating whether the attacker had accessed its servers.
To support this claim, the SEC cites Mr. Brown’s testimony that, when the company learned on December 12, 2020 of the cyberattack against its corporate customers, no further work was needed to link it to three cyberattacks the company had previously discovered. The SEC also claims that Mr. Brown signed a sub-certification falsely confirming that all material cyber incidents had been disclosed to the company executives responsible for the filing, even though he was aware of the previous incidents.
Disclosure control claims
The complaint also alleges that the company maintained inadequate disclosure controls and failed to ensure that information about potentially significant cybersecurity risks and concerns was reported to the executives responsible for disclosure. For example, the SEC alleges that the company’s incident response plan required only incidents affecting multiple customers at the same time to be reported to the management responsible for disclosure. “As a result, multiple cybersecurity issues that could have materially affected SolarWinds, but which SolarWinds determined at the time did not yet impact multiple customers, went unreported,” the SEC claims.
Takeaways
Public companies, their officers and directors, and in-house counsel should consider taking the following proactive steps in light of this first-of-its-kind action by the SEC:
- Executives should recognize that this action signals increased potential SEC liability for executive officers beyond CEOs and CFOs. The SEC will likely continue to focus its enforcement efforts in this area, especially in light of its recently adopted cybersecurity disclosure rules for public companies.
- Information security managers should work closely with legal counsel to verify the accuracy of the company’s public statements regarding cybersecurity risks, controls, and procedures, even where those statements might seem like mere “hyperbole.” This is especially true when drafting the upcoming 10-K disclosure.
- Employees should understand that the SEC may point to inflammatory language in employee communications, including emails, chats, and text messages, as support for its claims. Employees responsible for the company’s cybersecurity should therefore be careful when discussing the state of the program and the response to cybersecurity incidents.
- CISOs and other senior information security executives should be aware that their liability under the federal securities laws is not limited to statements made in formal SEC filings, but extends to documents posted on the company’s website, blog posts, and conference presentations. These public statements are subject to scrutiny by the SEC and plaintiff stockholders in the event of a major cybersecurity incident and should be reviewed in conjunction with the company’s 10-K disclosures.
- Publicly traded companies and their directors and officers should evaluate their cybersecurity and D&O insurance policies to assess coverage for investigations and claims involving CISOs and other cybersecurity officers and employees.
- Employees working on incident response or analyzing the state of the company’s cybersecurity program should consider including legal counsel in ongoing discussions to ensure that the company’s disclosures reflect the most up-to-date information.