- Dismisses most claims, except for securities fraud claims based on the company’s statements about cybersecurity posted on its website before the incident occurred.
- Rejects SEC’s claims of “controls” violations based on allegedly inadequate accounting controls and disclosure procedural deficiencies.
On July 18, 2024, Judge Paul Engelmayer of the United States District Court for the Southern District of New York issued a consequential decision on cybersecurity incident disclosure in the case brought by the SEC against SolarWinds Corp. (“SolarWinds”) and its information security officer, Timothy Brown. The case arose in the context of a large-scale supply chain cybersecurity incident, known as “Sunburst,” in which nation-state actors compromised SolarWinds’ Orion software platform and infiltrated a large number of public company and government computer systems. The court’s opinion touches on many important issues, including the requirements of cybersecurity incident disclosures in corporate SEC filings, the types of controls and procedures that fall under accounting and disclosure controls rules, and the responsibilities of cybersecurity officers under the federal securities laws for disclosures regarding cybersecurity incidents.[1]
The court dismissed most of the SEC’s claims, except for securities fraud based on statements about SolarWinds’ own cybersecurity program that the company made on its website before SolarWinds disclosed the Sunburst incident. It also rejected the SEC’s claim that gaps in SolarWinds’ cybersecurity controls constituted violations of the internal accounting controls provisions of the Securities Exchange Act of 1934 (“the Exchange Act”) and that SolarWinds had inadequate disclosure controls and procedures. It remains to be seen whether this court’s rejection of the SEC’s “controls” claims will affect the SEC’s pursuit of similar claims in other cybersecurity cases.
Background. The SEC alleged that SolarWinds misrepresented its cybersecurity practices and products and understated its cybersecurity risks in a “Security Statement” posted on its website and in other public statements, misleading investors to believe that SolarWinds’ Orion software platform had minimal vulnerability to cyberattacks (“pre-Sunburst disclosures”). The SEC also alleged that SolarWinds “minimized the scope and severity of the attack” in its disclosures and public statements following the Sunburst incident (“post-Sunburst disclosures”), which were made in the “immediate aftermath” of the public disclosure regarding the incident, “including by omitting that customers had previously reported similarly malicious activity involving the Orion product.” Additionally, the SEC alleged that deficiencies in SolarWinds’ cybersecurity program constituted a failure to “‘devise and maintain a system of internal accounting controls’” and that SolarWinds “had ineffective ‘disclosure controls and procedures.’”[2]
Alleged Violations. The SEC brought the claims under Sections 10(b) and 13(a) of the Exchange Act, Exchange Act Rules 10b-5(b), 12b-20, 13a-1, 13a-11, and 13a-13, and Section 17(a) of the Securities Act of 1933 (“the Securities Act”). Note that the alleged violations took place before the SEC adopted its new Cybersecurity Disclosure Rules, and the court asserts that these “new rules are not implicated in this case, which involves conduct predating the new rules’ effective date.”[3]
Key Outcomes:
- The court dismissed (i) claims of securities fraud and false filings based on SolarWinds’ pre-Sunburst SEC filings, (ii) all claims related to SolarWinds’ post-Sunburst disclosures, and (iii) claims relating to SolarWinds’ internal accounting controls and disclosure controls and procedures.
- The court denied the motion to dismiss securities fraud claims stemming from SolarWinds’ Security Statement.
There are a number of findings in the decision that are noteworthy for public companies and their cybersecurity programs and disclosure planning processes.
- The court rejected the SEC’s claims that SolarWinds’ cybersecurity risk disclosures were inadequate and said companies should not be required to outline cybersecurity risks in unnecessary detail. The court found that a reasonable investor could not have been misled by SolarWinds’ Form S-1 risk disclosure,[4] which explained, in some detail, the unique risks that it faced as a cybersecurity company.[5] The court disagreed with the SEC’s claims that the disclosures concealed the gravity of the cybersecurity risks that the company faced.[6] The court explained that “[s]pelling out a risk with maximal specificity may backfire in various ways, including by arming malevolent actors with information to exploit, or by misleading investors[.]”[7] In evaluating the warning that SolarWinds provided investors, the court considered that the company was forthcoming about the fact that it “was not positioned to, and could not be expected to, anticipate or prevent all such intrusions[;]”[8] the court found that the disclosure was “fulsome” and therefore did not require the disclosure of individual incidents.[9] As to the two earlier incidents, the court said that the SEC could not expect the company to update its cybersecurity disclosure because, “based on the information the company had in real time and the conclusions it reasonably drew from that information[,]” the company had no legal duty to update the risk disclosure given the uncertain character, source, and relatedness of the two incidents, which the company was still investigating.[10]
- The court rejected the SEC’s claims that SolarWinds’ Form 8-K disclosures lacked sufficient detail, noting that a company’s cybersecurity incident disclosures provided in real time should be evaluated in light of perspective and context. The court ruled that SolarWinds’ lengthy initial Form 8-K disclosure, read as a whole, captured the severity of the Sunburst incident, and the absence of a reference to two earlier incidents was immaterial. The court explained that “perspective and context are critical” to determining whether a Form 8-K filing was misleading, and explicitly took into account that the filing was submitted in the early stages of the investigation on a “short turn-around.”[11] Notably, the SEC did not allege that statements in the Form 8-K were inaccurate, only that the Form 8-K omitted disclosure of two earlier incidents — specifically, that in both incidents the malicious software found in Orion had attempted to connect with, or in fact connected with, external servers — and the omission alone was not sufficient to find the filing misleading.[12]
- The court ruled that SolarWinds’ cybersecurity controls were not part of its “internal accounting controls” and that, as a result, the SEC did not have authority to bring a claim based on the alleged inadequacy of such controls. The SEC alleged that SolarWinds’ cybersecurity deficiencies violated the “internal accounting controls” provision[13] of Exchange Act Section 13(b)(2)(B), which requires public companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that […] (iii) access to assets is permitted only in accordance with management’s […] authorization.” The SEC argued that the company’s source code, databases, and products were “assets” that were not adequately safeguarded. The court rejected the claim, reasoning that a cybersecurity control does not naturally fit within the term “internal accounting controls” because “a failure to detect a cybersecurity deficiency cannot reasonably be termed an accounting problem.”[14] The court stated that “the text of the statute strongly supports that the term ‘system of internal accounting controls’ instead refers to a company’s financial accounting.”[15]
- The court ruled that a company’s disclosure controls and procedures may be reasonably designed even if they are not free of errors or do not elevate all potential issues for disclosure consideration. The SEC also alleged that SolarWinds had ineffective disclosure controls and procedures.[16] Exchange Act Rule 13a-15(a) & (e) requires public companies to maintain disclosure controls and procedures designed to ensure that “information required to be disclosed […in their public filings] is recorded, processed, summarized, and reported” within the required time periods.[17] The court noted that the SEC pleaded that SolarWinds had a system in place to escalate significant cybersecurity incidents to management’s attention.[18] The defect, the SEC alleged, was that SolarWinds incorrectly categorized the severity of two incidents under the organization’s Incident Response Plan, so they were not escalated.[19] The court further noted that the SEC did not allege any defect in the construction of the system or that the system had previously produced errors.[20] Therefore, the court found that isolated errors can occur even in a reasonably designed system: “[T]he existence of two misclassified incidents is an inadequate basis on which to plead deficient disclosure controls.”[21]
- Other Public Communications. The judge dismissed the SEC’s claim that the company’s podcasts, press releases, and blog posts (pre-Sunburst disclosures) stated a cause of action for fraud under Securities Act Section 17(a) and Exchange Act Section 10(b). The court found that the public statements made by Brown in these media amounted to “non-actionable corporate puffery” and fell into the category of commonplace statements “‘too general to cause reliance by a reasonable investor.’”[22]
The only claim that survived the motion to dismiss is the SEC’s claim that the Security Statement on SolarWinds’ website was materially misleading. The judge upheld the SEC’s claim that the company’s Security Statement stated a cause of action for fraud under Securities Act Section 17(a) and Exchange Act Section 10(b).[23] The court reasoned that, as a company that sells high-end and purportedly secure software to governmental and private entities, SolarWinds’ cybersecurity practices were highly relevant to its customer retention strategy. Against that backdrop, its Security Statement contained five problem areas relevant to its cybersecurity practices: (1) asserting that the company complied with the NIST Cybersecurity Framework for evaluating cybersecurity practices, (2) claiming the use of a secure development lifecycle in its software development, (3) asserting that it employed network monitoring, (4) claiming to have a strong password policy, and (5) claiming to maintain adequate access controls.[24]
The court sustained misrepresentation and scheme theories of fraud liability with respect to the company’s Security Statement, reasoning that it was misleading as to a material fact, meaning a reasonable investor would have considered it significant in making investment decisions.[25] The court viewed the five representations individually for purposes of evaluating whether they were plausibly pled as misleading, but viewed them together to determine materiality.[26] Although the court only found the access controls and password protection policies to contain misrepresentations, it found it unnecessary to determine whether the other three cybersecurity practices were also misleading because Brown made the misrepresentations as to access controls and password protection policies with scienter when he allowed the Security Statement to be issued on the company website and remain in place while knowing about the cybersecurity deficiencies.[27] The court imputed Brown’s scienter to the company through the doctrine of respondeat superior.[28] In its analysis, the court found that the representations in the Security Statement contradicted internal assessments, presentations, and communications related to the state of the company’s cybersecurity program.[29]
Notably, the claims that survived are associated with statements the company made voluntarily, and not in response to items required under SEC rules or forms. As discussed above, the claims related to the Form S-1 cybersecurity risk disclosure, raised under misrepresentation and scheme theories of securities fraud liability and under false filings, were dismissed.[30] Similarly, the claims related to the Form 8-Ks did not survive because the court found that the company’s disclosures were not materially false or misleading.[31]
Conclusions and Takeaways.
It is worth noting that this is but one decision of a district court, and the litigation and possible appeal are not complete. Nonetheless, the decision merits attention, and public companies should continue to be mindful of a number of key points.
- Companies’ public communications regarding their cybersecurity, including statements on their public websites, can create securities fraud liability. Companies should review the information publicly available through their websites with expert counsel, and also compare their public statements on their cybersecurity program against internal documents and correspondence regarding the state of their program.
- Risk factor disclosures regarding cybersecurity should be reviewed regularly and updated when necessary to avoid materially false or misleading statements or omissions, including when specific events demonstrate that a risk is not purely hypothetical.
- Companies should have a system of disclosure controls and procedures in place to facilitate the disclosure of potentially material cybersecurity risks and incidents, designed to ensure that material information is timely communicated to the executives responsible for public disclosures. Isolated failures in disclosure controls and procedures do not necessarily mean the system is deficient, however.
- The SEC may reconsider whether, and under what circumstances, it will allege that “internal accounting controls” include cybersecurity controls in the future.
- The new cybersecurity incident reporting rules require a company to file a Form 8-K within four days of determining that a cybersecurity incident it experienced is material. The requirement may be triggered by a series of related unauthorized access incidents.[32] While the SolarWinds decision involved Forms 8-K that were not required under the new cybersecurity incident reporting rules, we note this court’s emphasis on perspective and context when evaluating the incident description and its effect on the company. In particular, the court understands that a company faces challenges when it is required to report on complicated incidents in short turn-arounds and potentially in the early stages of an investigation. But note: under the new rules, companies must amend Form 8-Ks as more information comes to light. Companies should consider consulting with counsel to evaluate quick-to-deploy response plans for compliance with the new rules.
- Finally, under the new rules companies must periodically report on their cybersecurity risk management strategy, including descriptions of the roles that the board of directors and management play in the company’s cybersecurity response. This requirement contemplates conversations with the board and senior management about cybersecurity risk outside the context of a particular incident. Companies should consider reviewing their response strategy with counsel before an incident occurs, and assessing (after an incident, if one should occur) the effectiveness of the roles they designed.
* * *
If you have any questions concerning the material discussed in this advisory, please contact the members of our Securities and Capital Markets and Data Privacy and Cybersecurity practice groups:
[1] Securities and Exchange Commission v. SolarWinds Corp. & Timothy G. Brown, No. 1:23-cv-09518-PAE (S.D.N.Y. July 18, 2024). [Hereinafter “SolarWinds”].
[4] Filed in 2018 and incorporated by reference in later filings. Id. at 68-69.
[13] Amended Complaint, ¶¶ 320-24. The SEC has alleged “controls” violations in a variety of contexts in the past, including in connection with cybersecurity incidents. See United Continental Holdings, Inc. (Dec. 2, 2016) (internal accounting controls included approval procedures for new airline route); Charter Communications, Inc. (Nov. 14, 2023) (internal accounting controls included legal compliance with stock buyback conditions); R.R. Donnelley & Sons Co. (June 18, 2024) (internal accounting controls – and disclosure controls and procedures – included cybersecurity measures for the company’s information technology system). Republican Commissioners have repeatedly criticized these cases for stretching the interpretation of “controls” beyond their definitions and intended purposes. See “Hey, look, there’s a hoof cleaner!” Statement of Commissioners Peirce and Uyeda on R.R. Donnelley & Sons, Co. (June 18, 2024); The SEC’s Swiss Army Statute: Statement of Commissioners Peirce and Uyeda on Charter Communications, Inc. (Nov. 14, 2023); The SEC Levels Up: Statement of Commissioner Peirce on Activision Blizzard (Feb. 3, 2023); Statement of Commissioners Peirce and Roisman - Andeavor LLC (Nov. 13, 2020).
[14] SolarWinds at 95-96. The court rejected the SEC’s legal theory, focusing on the role of internal accounting controls in the preparation of the company’s financial reports. Examining the text, history, and statutory scheme, the court found that “cybersecurity controls are not – and could not have been expected to be – part of the apparatus necessary to the production of accurate such reports.” The court found SolarWinds’ position “clearly correct” and the SEC’s position as “not tenable.” Id. at 94-102.
[16] See Amended Complaint, ¶¶ 327-28.
[17] As with internal accounting controls, the SEC has alleged “disclosure controls” violations in a variety of contexts in the past, including in connection with cybersecurity incidents. See Activision Blizzard, Inc. (Feb. 3, 2023) (company lacked disclosure controls over workplace misconduct complaints); First American Financial Corporation (June 14, 2021) (company lacked disclosure controls over cybersecurity vulnerability of document sharing application); Blackbaud, Inc. (Mar. 9, 2023) (company lacked disclosure controls over cybersecurity risks and incidents). See also R.R. Donnelley & Sons Co. (June 18, 2024).
[20] Id. (citing Amended Complaint ¶ 273).
[27] Id. at 64; see also id. at 52 n.31.