On July 18, 2024, U.S. District Judge Paul A. Engelmayer of the Southern District of New York dismissed most of the charges that the Securities and Exchange Commission brought against SolarWinds and its chief information security officer (CISO) related to its cybersecurity practices and disclosures.

The SEC’s complaint, filed in the wake of a Russian cyberattack on SolarWinds (SUNBURST), notably alleged that the company failed to maintain internal accounting controls to safeguard its software and failed to ensure that disclosure systems were in place so that upper management was informed of known security risks. More traditionally, the SEC also alleged that SolarWinds made material misrepresentations and omissions in public filings and on its website by touting cybersecurity protocols to which the company failed to adhere and understating the risks associated with the SUNBURST attack. Aiding and abetting charges were brought against SolarWinds’ CISO for the same conduct.

The complaint was novel in at least three ways. It was the first SEC contested proceeding asserting internal accounting control charges related to cybersecurity failures. It was also the first contested proceeding in which the SEC asserted fraud-based security disclosure violations related to a cybersecurity breach. And, it was the first time that the SEC charged a CISO individually.

The court dismissed all but the material misrepresentation claims related to the company’s website security statement, concluding that (i) Section 13(b)(2)(B) of the Exchange Act does not cover cybersecurity controls; (ii) the company’s erroneous internal rating of the severity of SUNBURST in the days after the attack, which resulted in a failure to elevate the incidents to top executives for disclosure evaluation, did not evidence inadequate disclosure controls; and (iii) the cybersecurity risk disclosures in the company’s S-1 and periodic disclosures were adequate and not misleading.

The Decision

The SEC’s claims against SolarWinds and its CISO fell into three buckets.

1. Securities Fraud

First, the SEC claimed that SolarWinds and its CISO made material misstatements and omissions about the company’s cybersecurity practices and risks in numerous public documents, including in the company website’s security statement, various press releases and blog posts, periodic reports, and Forms S-1 and 10-K, and sought to hold the CISO liable for aiding and abetting SolarWinds’ violations due to his involvement in drafting and reviewing the statements touting the company’s cybersecurity practices. Additionally, the SEC claimed that SolarWinds and its CISO were liable for material misrepresentations in disclosures filed in the days following the SUNBURST attack.

The court held that the SEC adequately alleged that SolarWinds’ website security statement — which touted five specific cybersecurity protections — was false. The court’s opinion focused on two of the practices (the company’s representations as to access controls and password protection policies), concluding that they “were materially misleading by a wide margin.” Rejecting SolarWinds’ argument that the website statement claims were not actionable because they were directed at customers rather than investors, the court held that the website security statement could constitute securities fraud because it altered the “total mix of information” available to investors.

However, the court dismissed the claims related to statements in the company’s press releases, blog posts and periodic reports that merely assured that the company was committed to “high security standards” and “backed by sound security processes, procedures and standards” as “non-actionable corporate puffery” that were “too general to cause a reasonable investor to rely upon them.” The court also rejected the SEC’s claims that SolarWinds’ risk disclosures in its Forms S-1 and 10-K were “unacceptably boilerplate” and “opaque,” instead holding that they “enumerated in stark and dire terms the risks the company faced were its cybersecurity measures to fail” and that a reasonable investor “could not have been misled by the risk disclosure.” The court similarly dismissed the claims related to the SUNBURST disclosures, finding them “sufficient to alert the investing public,” particularly given the “short turn-around” of the filings, the first of which was published “just two days after” discovery of the security vulnerability.

2. Failure To Maintain Internal Accounting Controls

Second, the SEC alleged that SolarWinds failed to devise and maintain a system of internal accounting controls sufficient to assure that its assets — here its information systems, source code and software products, including its crown jewel Orion software platform — were protected from outside access, in violation of Section 13(b)(2)(B) of the Exchange Act. Additionally, the complaint alleged that the CISO aided and abetted the violations by signing false sub-certificates attesting to the adequacy of SolarWinds’ cybersecurity internal controls.

In a significant holding, the court concluded that Section 13(b)(2)(B), which requires companies to “devise and maintain a system of internal accounting controls,” applies only to financial accounting controls and not to cybersecurity controls.

3. Failure To Maintain Disclosure Controls and Procedures

Third, the SEC alleged that SolarWinds’ erroneous internal rating of the SUNBURST attack evidenced the company’s failure to “maintain disclosure controls and procedures” in violation of various rules promulgated under Section 13(a) of the Exchange Act. SolarWinds misclassified the attack as a level “0,” which, according to SolarWinds’ policies, did not require lower-level officers to notify upper management of the incident, instead of a level “2,” which would have mandated elevation to top executives to determine whether public disclosure was required. The SEC also alleged that the CISO aided and abetted the company’s violations by failing to elevate or disclose the company’s cybersecurity vulnerabilities in order to allow timely public disclosure.

The court rejected these claims, holding that the SEC adequately pleaded that “SolarWinds had a system of controls in place to facilitate the disclosure of potentially material cybersecurity risks and incidents” and that the SEC’s claims had “traction only with the benefit of post-SUNBURST hindsight.” The court concluded that the CISO’s “one lapse” in reporting to upper management did not evidence a violation, noting that “errors happen without systemic deficiencies.”

Takeaways

1. While the decision may restrain the SEC from over-charging accounting control deficiencies, the SEC will continue to bring cybersecurity-related enforcement actions.

The court’s ruling limiting Section 13(b)(2)(B) to financial accounting controls should bring companies solace that the Exchange Act does not sanction all internal control failures. In settled actions and over the opposition of the two Republican commissioners, the SEC has recently used Section 13(b)(2)(B) to cover a wide range of control failures, including cybersecurity breaches. Notably, RR Donnelley paid a $2.1 million civil penalty to settle an enforcement action charging a failure to maintain adequate accounting controls related to a 2021 ransomware attack. However, the SEC will continue to regulate cybersecurity deficiencies. In particular, the SEC has recently enacted rules that require companies to disclose material cybersecurity incidents within four business days after the company determines that the incident is material, as well as annually report cybersecurity risk management strategies.

2. All compliance officers, including CISOs, should take care to ensure they are carrying out their compliance responsibilities, but compliance officers should not be held liable except when they have acted in bad faith.

The fact that certain claims still stand against the CISO may give corporate compliance officers pause. Because lower-level officers may be personally liable for company misrepresentations, the case should be a warning to officers to ensure accuracy in all company statements they have a hand in drafting, even if they are not themselves in charge of disclosures and even if the statements are directed at customers and not investors.

SEC Director of the Division of Enforcement Gurbir Grewal stated this fall in remarks to the City Bar Association that the SEC will continue to bring enforcement actions against compliance officers when compliance officers actively participate in misconduct and mislead regulators and also when there is “a wholesale failure to carry out compliance responsibilities and to conduct even basic inquiry and analysis.”[1] In those remarks, Grewal stressed that compliance personnel should create a “culture of proactive compliance” by educating themselves on regulatory requirements, engaging with all aspects of the company to adopt appropriate compliance policies and executing those policies consistently.[2] Given the SEC’s focus on cybersecurity deficiencies in recent years, CISOs should take care to ensure that they are elevating cybersecurity concerns to upper management and correctly representing cybersecurity risks and policies in company statements.

However, compliance officers, including CISOs, who have not engaged in “a wholesale failure” to meet their responsibilities should not be the subject of enforcement actions. Akin to the Caremark standard for bad faith liability for directors and officers, compliance officers should not be subject to liability when they have taken steps to ensure that the company has systems that are reasonably designed to identify red flags and to report those red flags to upper management, whether or not those systems prove effective.[3]

3. Company statements, even when not part of securities disclosures or directed to investors, may give rise to securities liability.

The fact that the only claims that survived concerned the website security statement, a marketing piece directed at customers, is a reminder that such company statements generally are part of the total mix of information that can form the basis of securities claims. They are, in effect, public “press releases” and therefore should be vetted from the same disclosure standpoint as any other release. Companies should be attuned to align those statements with their securities disclosures, particularly given that they may not be authored by or go through the same review process as ordinary securities disclosures.

Read the decision here.

[1] Gurbir S. Grewal, “Remarks at New York City Bar Association Compliance Institute” (Oct. 24, 2023).

[2] Id.

[3] In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996).