SolarWinds Knocks Out Most of SEC’s Claims in Novel Cybersecurity Case
August 9, 2024
On July 18, 2024, in a 107-page decision, a New York federal court dismissed nearly all of the Securities and Exchange Commission’s (“SEC’s”) claims in its closely watched case against software company SolarWinds Corp. and its chief information security officer (“CISO”) Timothy G. Brown arising from the company’s cybersecurity-related disclosures.[1] Most significantly, the court rejected the SEC’s novel and aggressive claim that SolarWinds’ cybersecurity deficiencies constituted an internal accounting controls failure as defined by Section 13(b)(2)(B) of the Exchange Act. In doing so, the court held that a failure to detect a cybersecurity deficiency cannot reasonably be construed as an “accounting” problem. Further, the court rejected the SEC’s claims under Rule 13a-15(a) for alleged ineffective disclosure controls. By sustaining only one of the SEC’s fraud claims, the court gutted most of the complaint in a significant setback for the SEC’s growing efforts to bring enforcement actions against corporations and individuals for alleged cybersecurity controls shortcomings.
As discussed in a prior client alert, the SEC’s complaint alleges that, from October 2018 through December 2020, SolarWinds and its CISO defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks and breaches. The SEC further alleged that SolarWinds and its CISO failed to maintain proper internal accounting and disclosure controls.
Internal Accounting Controls
The SEC alleged that SolarWinds failed to devise and maintain appropriate “internal accounting controls” because (1) the company’s source code and databases were vital assets and (2) the company failed to limit access to these assets. The court dismissed this allegation, interpreting “internal accounting controls” under Section 13(b)(2)(B) to mean a company’s financial accounting. It reasoned: “Section 13(b)(2)(B) does not govern every internal system a company uses to guard against unauthorized access to its assets . . . . The SEC’s rationale . . . would have sweeping ramifications.”[2]
This is the first court to interpret “internal accounting controls” under Section 13(b)(2)(B) as applied to cybersecurity. Before SolarWinds, the SEC charged one other company, R.R. Donnelley & Sons, Co., under a similar theory, but that case ultimately settled, resulting in a $2.1 million civil penalty. This court’s decision is a significant blow to the SEC’s attempt to expand the application of “internal accounting controls” and could chill future litigated enforcement actions based on the same legal theories.
Disclosure Controls
The court also dismissed the SEC’s claim that SolarWinds had ineffective disclosure controls in violation of Exchange Act Rule 13a-15(a) because the company internally misclassified two incidents as “minimal” cybersecurity risks. The SEC alleged that this misclassification prevented the company from properly elevating the incidents for disclosure evaluation to key executives.[3] But the court concluded that the SEC had failed to allege “any deficiency in the construction of [the] system.”[4] Because SolarWinds had a system in place to facilitate timely and accurate disclosure, the mere alleged misclassification of two incidents in the Company’s incident response plan was an “inadequate basis on which to plead deficient disclosure controls.”[5] Indeed, the court observed that “errors happen without systemic deficiencies.”[6]
Securities Fraud
The SEC predicated its misrepresentation claims on statements made on SolarWinds’ website, press releases and blog posts, in addition to its securities filings. The court largely dismissed the SEC’s misrepresentation claims based on the CISO’s press releases and blog posts, finding that those statements amounted to “non-actionable corporate puffery.”[7] Similarly, the court dismissed the risk disclosure misrepresentation claims because SolarWinds’ cybersecurity risk disclosure sufficiently “enumerated in stark and dire terms the risks the company faced.”[8]
As for the remaining securities filings, the court found that SolarWinds properly disclosed the December 2020 cyberattack in its Form 8-K, which was filed just two days after SolarWinds’ CEO was notified of the vulnerability.[9] Such prompt disclosure appears largely consistent with SEC cybersecurity rules, adopted in July 2023, requiring the disclosure of material cybersecurity incidents “within four business days of determining the incident is material.” While it remains unclear what circumstances make a cybersecurity incident “material” under these rules, disclosing such an incident only two days after the CEO was informed appears timely. In any event, the SEC rules do not apply to this case because the relevant conduct occurred before the rules’ effective date.
The court, however, determined that the SEC sufficiently pled that the Security Statement, posted on the company’s website, contained misrepresentations regarding at least two of SolarWinds’ cybersecurity practices.[10] While the company publicly represented that it maintained strong access controls and password policies, the SEC sufficiently alleged that the company simultaneously knew about significant deficiencies in access controls, resulting in a widespread grant of administrative rights to employees and a failure to enforce password policies.[11] These alleged gaps, the court reasoned, would be “highly consequential” to a “reasonable person contemplating investing in SolarWinds.”[12]
The court also determined that the SEC sufficiently alleged that the CISO acted with knowledge as to these alleged misrepresentations because the CISO allegedly approved the Security Statement and knew about internal information contradicting the company’s representations of its access controls and password policies. Even though the SEC did not point to “direct evidence” of the CISO being alerted to security lapses, the court reasoned that the SEC’s allegations supported an inference that the CISO would have known about such lapses, given his high-ranking position, “his duty to monitor SolarWinds’ cybersecurity, and his role as the company’s cybersecurity spokesperson.”[13] The court concluded that such an inference is sufficient for the SEC to proceed past the pleading stage both as to the CISO and SolarWinds, as to whom the court imputed the CISO’s knowledge.
Takeaways
The decision reflects significant judicial skepticism of the SEC’s efforts to expand internal accounting controls violations to cyber incidents and to disclosure controls violations that are premised on relatively isolated lapses—particularly when the facts suggest that such lapses might occur in even the most robust system of controls. Furthermore, the court’s distinction between specific, actionable statements and “non-actionable corporate puffery” signals that future enforcement may narrow to specific statements about companies’ cybersecurity policies and practices that could be deemed misleading.
Ultimately, however, the court allowed the SEC to pursue some claims against the CISO. That alone could affect how CISOs, who are typically not experts in the intricacies of securities laws, approach their responsibilities. And although SolarWinds disclosed a December 2020 cyberattack only two days after its CEO was informed, the SEC may be inclined to charge, under its new cyber disclosure rules, public companies subject to similar attacks if they take longer to make such disclosures (with new Item 1.05 of Form 8-K now requiring disclosure within four business days following a company’s determination that a cybersecurity incident is material).
O’Melveny’s White Collar Defense & Government Investigations Group and Public Company Advisory Group are well positioned to discuss these issues and provide guidance regarding the SEC cybersecurity disclosure rules and best practices in implementing related disclosure controls and cybersecurity controls more generally. For an overview of the SEC’s new cybersecurity rules, please consult this reference guide.
[1] Order Granting in Part and Denying in Part Mot. Dismiss, Securities and Exchange Commission v. SolarWinds Corp. et al., No. 1:23-cv-09518-PAE (S.D.N.Y. July 18, 2024), ECF No. 125.
[2] Id. at 100.
[3] Id. at 103.
[4] Id. at 104.
[5] Id.
[6] Id. at 103-106.
[7] Id. at 68.
[8] Id. at 70.
[9] Id. at 86.
[10] Id. at 52.
[11] Id. at 52-53, 56-57.
[12] Id. at 59.
[13] Id. at 63.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Jorge deNeve, an O'Melveny partner licensed to practice law in California; Mia N. Gonzalez, an O'Melveny partner licensed to practice law in New York; Shelly Heyduk, an O'Melveny partner licensed to practice law in California; Michele W. Layne, an O'Melveny of counsel licensed to practice law in California; Sid Mody, an O'Melveny partner licensed to practice law in Texas; Waqas A. Akmal, an O'Melveny counsel licensed to practice law in California; Bill Martin, an O'Melveny counsel licensed to practice law in New York; and Neriah Yue, an O'Melveny associate licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2024 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, 1301 Avenue of the Americas, Suite 1700, New York, NY, 10019, T: +1 212 326 2000.