SEC Escalates Its Approach to Cybersecurity Enforcement

On October 30, 2023, as if to mark the end of Cybersecurity Awareness Month, the U.S. Securities and Exchange Commission (“SEC”) filed an enforcement action against software monitoring provider SolarWinds Corp. and its current Chief Information Security Officer (“CISO”), arising out of the 2020 “SUNBURST” cyberattack. 

The SEC’s complaint alleges that: 

• SolarWinds and its CISO (who was SolarWinds’ Vice President of Security and Architecture during the period covered by the complaint) violated the antifraud provisions of the U.S. federal securities laws through misstatements, omissions and schemes that concealed SolarWinds’ poor cybersecurity practices and its heightened and increasing cybersecurity risks; 
• SolarWinds violated its reporting and internal controls obligations; and 
• its CISO aided and abetted SolarWinds’ violations. 

The SEC is seeking injunctive relief, disgorgement and monetary penalties against SolarWinds and its CISO as well as a ban on the CISO acting as an officer or director of an SEC registrant.

The enforcement action comes in the wake of a series of recent SEC cybersecurity developments and events that we previously flagged, including:

• the adoption of new cybersecurity disclosure rules to enhance and standardize disclosures with respect to cybersecurity risk management, strategy, governance and incidents by public companies;
• the presentation by SEC Enforcement Division Director Gurbir Grewal in connection with cybersecurity and disclosure obligations (the “Cybersecurity Enforcement Principles”); and
• the SEC’s issuance of “Wells Notices” to SolarWinds’ CISO and certain other current and former executives of the company in connection with the SUNBURST attack. A Wells Notice is a letter notifying the recipient of the substance of potential civil charges that the SEC may bring against them.

Key Takeaways

• This is a significant step up in SEC enforcement action in the cybersecurity space – The enforcement action against SolarWinds and its CISO comes following an increased focus on cybersecurity by the SEC since 2018, as demonstrated by the SEC’s evolving enforcement approach, the Cybersecurity Enforcement Principles and the SEC’s new cybersecurity disclosure rules, each of which has echoes in the SolarWinds complaint. However, the complaint raises the bar with respect to SEC enforcement and heralds a number of “firsts” for the Commission. The SolarWinds complaint is the first time that the SEC has charged a company with scienter-based fraud in connection with alleged cybersecurity disclosure deficiencies. By contrast, three prior cybersecurity-related enforcement actions dating back to 2018 involved misstatements or omissions absent accusations of intent or recklessness. The SolarWinds action is also the SEC’s first against an individual for scienter-based fraud relating to cybersecurity disclosures and its first litigated cybersecurity enforcement action.
• Necessity of robust cybersecurity and cyber resilience program – The SolarWinds’ enforcement action highlights the importance of a robust cybersecurity and cyber resilience program that is incorporated throughout an organization, including its culture. The program should be reviewed, tested and updated regularly and executives should ensure that it is actually implemented and reinforced through employee training, not only with respect to data protection, but also with respect to relevant securities laws. 
• Expanded scope of liability for cybersecurity professionals – As mentioned above, the SolarWinds complaint is the first action against an individual for scienter-based fraud relating to cybersecurity. It is also significant that the SEC has brought the complaint against the CISO and none of the senior executives more closely associated with the disclosure process. The action serves as a potent warning to senior cybersecurity executives of the importance of their administration of effective cybersecurity disclosure controls and procedures, their verification and certification of cybersecurity disclosure and the exercise of caution in their public statements regarding company cybersecurity.
• Importance of robust disclosure controls and procedures to underpin the integrity of cybersecurity disclosures – Companies should review their disclosure controls and procedures to ensure that they appropriately detect and escalate cybersecurity risks and deficiencies to senior management, including the disclosure committee. In assessing the effectiveness of cybersecurity disclosure controls and procedures, those involved in disclosure, including the legal function, should work closely with cybersecurity executives to establish clear reporting lines and practices for the prompt evaluation and escalation of risks and incidents. When considering cybersecurity risks, companies should assess risk in the aggregate and remember that individually immaterial risks may accumulate such that, when taken together, they may be material and require reflection in the company’s public disclosure. 
• The SEC may consider cybersecurity to be an internal controls matter – The SEC alleges that SolarWinds had ineffective internal controls over financial reporting (“ICFR”) because it did not adequately implement and comply with the National Institute of Standards and Technology (“NIST”) framework in securing its assets. This relies on the SEC’s assertion that SolarWinds’ IT network environment, source code and products are “critical assets” of the company to which the internal controls statute applies. The SEC supports its assessment of the critical nature of these assets by quoting the company’s own words and noting that Orion was among the company’s “crown jewel” assets. Making cybersecurity assets an ICFR matter is a novel and expansive application of the statute which, if upheld, may impact how companies with significant cyber assets consider the scope of their internal controls over financial reporting. 
• Cybersecurity issues should be appropriately represented on the disclosure committee – With the implementation of the SEC's new cybersecurity disclosure rules, SEC-registered companies will be required to make cybersecurity disclosures for the first time. The SolarWinds complaint highlights the importance of operational personnel escalating and certifying disclosure related to cybersecurity issues to those responsible for disclosure. Accordingly, companies should evaluate how the cybersecurity function is represented on the disclosure committee and consider including the CISO or another equivalent executive on the committee. 
• Regularly evaluate and exercise caution when using hypothetical risk disclosure in SEC filings – The SolarWinds action serves as a reminder that companies should make sure that risk disclosure accurately reflects known risks and material incidents. The SEC criticized SolarWinds’ risk disclosure for being generic, hypothetical and boilerplate at the time of its IPO and failing to evolve and reflect the true nature and scale of SolarWinds’ cybersecurity risks as more and more red flags emerged over time. This builds on previous cases where the SEC has criticized hypothetical risk disclosure in cases where the hypothetical event has in fact already happened.
• Review informal disclosures about cybersecurity to ensure they accurately reflect current practices – The SolarWinds complaint includes allegations of fraud regarding informal company communications that were not filed with the SEC, including website statements, podcasts, blog posts and press releases. Companies should review all of their public disclosures to ensure that they are balanced, do not overstate the company’s cybersecurity position and practices, and adequately reflect known cybersecurity risks.

Background

SolarWinds is an NYSE-listed designer and vendor of network monitoring software used by companies and governments. SolarWinds’ flagship product was Orion, an IT infrastructure and management platform. SolarWinds considered Orion to be one of its “crown jewels,” and the product accounted for 45% of SolarWinds’ revenue in 2020.

Between January 2019 and December 2020, the SUNBURST attack, one of the most significant cyberattacks in history, exploited SolarWinds’ security failings and compromised customer systems running Orion. Threat actors inserted malicious code into three software builds for Orion products, which were then delivered to more than 18,000 customers. SolarWinds’ customers impacted by the attack included numerous U.S. federal and state government agencies, and more than 1,500 publicly traded U.S. companies, banks, broker-dealers, accounting firms and other entities. According to the SEC’s complaint, SolarWinds and its CISO became aware of attacks involving customers using the Orion product in May 2020, October 2020 and December 2020. On December 14, 2022, SolarWinds made a filing with the SEC reporting the SUNBURST attack. By the end of the month, SolarWinds’ shares had lost approximately 35% of their value.

Alleged Misstatements and Omissions

The SEC’s complaint alleges that, between October 2018 and January 2021, SolarWinds and its CISO made materially false and misleading statements and omissions about the company’s cybersecurity risks and practices in at least three types of public disclosure: (i) a security statement promoting the company’s commitment to cybersecurity practices that was posted on SolarWinds’ website before its IPO (the “Security Statement”); (ii) SolarWinds’ SEC filings and (iii) the Form 8-K announcing the SUNBURST attack. The SEC attributes the cybersecurity issues at SolarWinds to an alleged culture that did not take cybersecurity seriously and an alleged scheme to conceal issues from investors.

In each case, the SEC alleges that the company’s cybersecurity disclosures are material because reasonable investors considering whether to trade in SolarWinds shares would have considered it important to know about SolarWinds’ allegedly poor cybersecurity practices because they could negatively impact revenue and the company’s reputation. The SEC argues that cybersecurity practices are particularly important where SolarWinds’ primary product is software that other organizations install to manage their own computer networks.

Security Statement 

The SEC alleges that the Security Statement was materially misleading because it promoted SolarWinds’ strong cybersecurity practices and concealed serious known cybersecurity deficiencies. According to the SEC, the statement contained material misstatements and omissions relating to SolarWinds’ compliance with the NIST Framework for evaluating cybersecurity practices, SolarWinds’ use of a secure development lifecycle when creating software, SolarWinds’ strong password protection and good access controls. The SEC alleges that SolarWinds failed to meet more than half of the NIST standards, did not always develop software in a secure development lifecycle, failed to enforce the use of strong passwords on all systems (in one alleged instance, the default password was “password” and another publicly available password was “solarwinds123”), and did not remedy persistent access control problems. One of the primary access control weaknesses was a security gap in SolarWinds’ virtual private network (“VPN”) that the SUNBURST attackers ultimately infiltrated. According to the complaint, SolarWinds’ employees were aware of and reported errors in the Security Statement but determined to hide the falsity of the statements and worked to make them true instead of amending the statement.

The SEC alleges that the CISO was the “maker” of the material misstatements and omissions in the Security Statement. The CISO was the internal owner of the Security Statement and was prominently identified on the website as the head of the group responsible for the statement. According to the complaint, the CISO was allegedly aware of the misstatements through his involvement in internal presentations and discussions regarding SolarWinds’ cybersecurity deficiencies. The SEC further claims that the CISO failed to ensure that other senior executives were sufficiently aware of, or understood, the severity of cybersecurity risks, failings and issues that he and others knew about, including the VPN security gap. Furthermore, the complaint argues that press releases, blog posts and podcasts made by the CISO also violated the antifraud provisions of the federal securities laws.

SEC Filings

The SEC also alleges that SolarWinds and its CISO made materially false and misleading statements about its cybersecurity practices in its SEC filings, which included SolarWinds’ IPO registration statement, its quarterly reports, its annual reports, a follow-on registration statement, and employee share registration statements. In its IPO registration statement, the SEC alleges that SolarWinds disclosed a hypothetical, generalized and boilerplate description of its cybersecurity risks, vulnerabilities and incidents that failed to disclose known risks and did nothing to alert investors to the elevated risks of which SolarWinds, the CISO and other SolarWinds’ employees were aware. According to the complaint, even though SolarWinds’ employees knew that the company had serious cybersecurity deficiencies, and warned of their severity internally, the company did not specifically disclose the issues or the increased risk they collectively posed. The SEC alleges that SolarWinds repeated this hypothetical risk disclosure in at least 13 SEC filings, even as red flags indicating that SolarWinds had been the victim of a significant cyberattack accumulated throughout 2020. 

According to the complaint, the CISO knew, or was reckless or negligent in not knowing, that SolarWinds’ critical assets were vulnerable, that it was not following its cybersecurity policies and that it had been subject to cybersecurity attacks. Nevertheless, he signed sub-certifications relied on by senior executives confirming that all material incidents had been disclosed to executives responsible for SolarWinds’ securities filings in spite of the filings failing to disclose the actual state of the company’s cybersecurity risks.

Incident Disclosure 

The SEC also alleges that SolarWinds’ Form 8-K disclosing the SUNBURST attack was materially misleading because it did not fully disclose the known impact of the SUNBURST attack. According to the SEC, the December 2022 announcement created a materially misleading impression of the attack’s impact by saying that SolarWinds was still investigating the potential risk that customer systems running Orion had been compromised when SolarWinds already knew this had happened at least three times.

The SEC alleges that the CISO knew of three Orion-related cyberattacks and participated in drafting the Form 8-K and approving its technical/factual accuracy. In light of his knowledge of the attacks, the SEC alleges that the CISO knew, or was reckless or negligent in not knowing, that the Form 8-K contained material misstatements and omissions.

Allegations of Multiple Internal Controls Failures

In addition to its allegations of fraud, the SEC alleges that SolarWinds did not have sufficient internal controls over financial reporting to reasonably protect its critical assets. The SEC classes SolarWinds’ IT network environment, source code and products as being among the company’s most critical assets. It then alleges that, because SolarWinds did not have a program in place for most of the controls under the NIST Framework, which the company used to assess its cybersecurity controls, SolarWinds did not comply with its statutory obligations to maintain a system of internal controls sufficient to provide reasonable assurance that access to the company’s assets was only in accordance with management’s general or specific authorization.

Furthermore, the SEC alleges that SolarWinds failed to comply with its statutory obligation to maintain disclosure controls and procedures designed to ensure that information regarding potentially material cybersecurity risks, incidents and vulnerabilities was reported to the executives responsible for disclosure. According to the complaint, this resulted in the cybersecurity issues described above going unreported. 

The SEC alleges that the CISO aided and abetted these violations by falsely certifying the effectiveness of the company’s controls and other means.

Other Recent SEC Cybersecurity Developments and Events 

As previously noted, the enforcement action against SolarWinds and its CISO comes against the backdrop of an increased focus on cybersecurity by the SEC, as demonstrated by both the SEC cybersecurity disclosure rules and the Cybersecurity Enforcement Principles, each of which has echoes in the SEC’s complaint.

Under the SEC Cybersecurity Rules, registrants must, among other things, “describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial conditions.”

Among the five Cybersecurity Enforcement Principles enumerated by Director Grewal are the following:

• “When there are cyber attacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents”;
• Companies must “regularly review and update relevant cybersecurity policies to keep up with constantly evolving threats”; and
• The Enforcement Division has “zero tolerance for gamesmanship” or for companies that do not “com[e] clean with shareholders and the customers whose data is at risk”, with Director Grewal:
  • warning that a company that violates its disclosure obligations “will most likely face stiffer penalties once the breach gets out, as it invariably will”;
  • cautioning companies not to seek to avoid disclosure through “hyper-technical readings of the rules or by minimizing the cyber incident”; and
  • citing multiple seven-figure SEC settlements with companies that referred to “hypothetical” risks in their public reports even though data incidents had already occurred.

                                                            * * * 

We are working with numerous clients on cyber preparedness, governance, strategy and disclosure together with incident response, and we invite you to reach out to your regular Linklaters contact if you would like to discuss approaches and options.

We will continue to monitor developments in these areas and encourage you to contact us if you have any questions.