On October 30, 2023, the US Securities and Exchange Commission (SEC or Commission) sued SolarWinds and its Chief Information Security Officer (CISO) for fraud, false reporting, and internal and disclosure control violations related to the massive SUNBURST cybersecurity attack. The SEC was unable to reach a settlement with the company or the CISO following the conclusion of the Commission’s enforcement investigation and was forced to file a litigated action against the defendants.
Notably, the CISO is the only individual defendant named in the SEC’s suit, even though the Commission previously sent Wells Notices to other SolarWinds officers and employees. As we discussed in a prior post, SolarWinds previously disclosed that “certain current and former executive officers and employees” had received Wells Notices stating “that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.”
The SEC does not normally file suits against defendants in a piecemeal fashion and likely won’t here, given that its investigation appears to be over. If the SEC’s enforcement staff were still investigating other potential defendants, we would expect the SEC’s press release to disclose the existence of an ongoing investigation. The fact that the SEC did not charge other executives is a standout feature of this action. It sends CISOs and other information security professionals a message that, in at least some cases, the buck stops with them for cyber control deficiencies and cyber disclosures.
Other interesting allegations from the SEC’s 68-page complaint, along with some of our takeaways, include:
- According to the SEC, “[c]ybersecurity practices are important to every publicly traded company,” but especially for those whose primary product is software that other organizations use to manage their own computer networks. Takeaway: Software and cybersecurity companies may be the target of enhanced SEC scrutiny going forward, but all public companies will be under a microscope for the foreseeable future. This is especially true in light of the SEC’s new cybersecurity risk management and disclosure rules, which will take effect in December 2023.
- The SEC alleged that the CISO failed to ensure that other senior executives sufficiently understood the severity of cybersecurity risks. He simultaneously signed sub-certifications, relied on by those executives, confirming that all material incidents were disclosed to the executives responsible for the company’s securities filings. Takeaway: This may explain why the SEC did not charge other executives in addition to the CISO. CISOs should be aware of the importance that the SEC will assign to sub-certifications going forward.
- The complaint charges that the CISO misled a customer by calling “partially mitigated” cybersecurity issues fully “mitigated” in order to induce the customer to enter into a contract with SolarWinds. Takeaway: This fact likely influenced the SEC’s charging decisions. In future cases, the SEC will probably hunt for evidence linking concealment of cybersecurity vulnerabilities to efforts to increase sales, particularly by companies in the software and cybersecurity industries.
- According to the complaint, the company’s incident response plan, which the CISO helped implement and maintain, dictated that only incidents that impacted several customers were reported upward for possible disclosure, leading to the concealment of multiple cybersecurity issues that had the “potential” to materially impact SolarWinds. Takeaway: Companies may decide to re-evaluate their incident response plans and disclosure controls in light of this case.
- Boilerplate disclosures regarding “generic and hypothetical cybersecurity risks that most companies face” did “nothing to alert investors” to the elevated risks at SolarWinds, as alleged in the complaint. “Accumulating red flags” in the form of a handful of successful intrusions against certain software should have been disclosed, as should the fact that the company’s “overall cybersecurity posture was so poor that something far worse [than those intrusions] could be just around the corner.” The SEC stressed that risks and violations “are not being assessed in hindsight by the SEC.” Takeaways: Companies may want to re-evaluate their cybersecurity risk disclosures against their control testing results and should plan for the SEC to take a backward-looking view of the materiality of incidents despite protestations to the contrary. The materiality of isolated intrusions and so-called “red flags” may be a hotly contested issue in the litigation going forward.
- Poor cyber controls and false statements about cyber risks and vulnerabilities “would have violated the federal securities laws [absent] a major, targeted cybersecurity attack,” as set forth in the complaint. Takeaway: We expect a spike in whistleblower complaints concerning vulnerabilities and deficiencies in cybersecurity and IT general controls, even when a company does not experience a reportable cyber incident.
In sum, responsible security and tech executives can use the SEC’s SolarWinds case, along with the SEC’s new cybersecurity rules, to make the business case for solid cybersecurity risk management practices and hopefully protect data, privacy and investor dollars in the process.