In my round-up of the Top D&O Stories of 2020, which I published earlier this week, I noted that the recent massive state-actor hack of U.S. government agencies and technology companies underscored the fact that cybersecurity represents a significant operational and management risk for organizations of every type. I also noted that cybersecurity-related issues represent an ongoing D&O claims risk. As if to confirm these propositions, the first securities class action lawsuit of the New Year was filed against SolarWinds, the network infrastructure management company whose breached software is believed to have contributed to the recent massive hack. As discussed below, the newly filed complaint highlights the fact that cybersecurity represents a significant potential source of management liability risk.
SolarWinds is an information technology infrastructure management technology company. On December 13, 2020, Reuters reported that hackers allegedly working for the Russian government had monitored email traffic at the U.S. Treasury and Commerce departments, and that the alleged hackers were believed to have gained access to the agencies’ email traffic by interfering with software updates released by SolarWinds, which provides technology services to various government vendors in the executive branch, the military, and the intelligence services.
On December 14, 2020, SolarWinds filed a Form 8-K with the SEC, disclosing that the company “has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products, which, if present and activated, could potentially allow a hacker to compromise the server on which the Orion products run.” The incident, the SEC filing went on to note, “was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state, but SolarWinds has not independently verified the identity of the attacker.” The filing noted that the company had retained third-party cybersecurity experts to assist with the investigation, and that the company was cooperating with the FBI, the U.S. intelligence community, and other governmental agencies. The filing also noted that the vulnerability apparently was inserted in the Orion product between March and June 2020. The company’s share price fell 17% on this news.
On December 15, 2020, Reuters published an additional article reporting that in 2019 a security researcher had alerted the company that anyone could access SolarWinds’ update server using the password “solarwinds123,” and that days after SolarWinds realized its software had been compromised the malicious updates were still available for download.
On January 4, 2021, a plaintiff shareholder filed a securities class action lawsuit in the Western District of Texas against SolarWinds, its CEO, and its CFO. A copy of the complaint can be found here. The complaint purports to be filed on behalf of a class of investors who purchased the company’s securities between February 24, 2020 and December 15, 2020. The complaint sets out several block quotations from the company’s SEC filings in which the company made various statements about the security of its technology operations and its vulnerability to possible cyberattack.
The complaint alleges that the defendants “made false and/or misleading statements and/or failed to disclose that (1) since mid-2020 SolarWinds’ Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran; (2) SolarWinds’ update server had an easily accessible password of ‘solarwinds123’; (3) consequently, SolarWinds’ customers, including, among others, the Federal Government, Microsoft, Cisco, and Nvidia, would be vulnerable to hacks; (4) as a result, the Company would suffer significant reputational harm; and (5) as a result, Defendants’ statements about SolarWinds’ business, operations, and prospects were materially false and misleading and/or lacked a reasonable basis at all relevant times.”
The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.
At a minimum, the filing of this complaint highlights a point that I have frequently made, that companies experiencing cybersecurity incidents are vulnerable to getting hit with D&O claims. For that reason, I have emphasized in the past and reiterate here that cybersecurity represents a significant area of potential management liability exposure.
This lawsuit has only just been filed, and it remains to be seen how it will fare. With that caveat, I do think it is fair to note that this lawsuit is speculative at best. Were this complaint to be the operative complaint at the time the court considers the defendants’ motion to dismiss, the court will have to look very long and hard to find anything remotely resembling an allegation of scienter.
But even more critically for purposes of the possibility of the success of the plaintiff’s claims, the extensive block quotes from SolarWinds’ SEC filings seem to undercut rather than support the claims.
Thus, for example, paragraph 16 of the complaint sets forth a lengthy quotation from SolarWinds’ February 24, 2020 SEC filing on Form 10-K, in which the company expressly warns that “the risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hacks, foreign governments, and cyber terrorists, has generally increased the number, intensity, and sophistication of attempted attacks, and intrusions from around the world have increased.”
The text goes on to state that “the foregoing security problems could result in, among other consequences, damage to our own systems or our customers’ IT infrastructure or the loss or theft of our or our customers’ proprietary or sensitive information.” The text also warns that “Despite our security measures, unauthorized access to, or security breaches of, our software systems could result in the loss, compromise or corruption of data, loss of business, severe reputational damage adversely affecting customer or investor confidence,” as well as the risk of governmental investigations, litigation, indemnity obligations, and remediation or other costs.
In other words, the very company statements on which the plaintiff purports to rely in claiming that the class was misled in fact expressly, specifically, and in detail warned investors of the possibility of what ultimately happened, and of what the consequences to the company would be if such incidents were to occur.
Beyond the specifics, there is the reality of what happened here. The company’s software was the subject of an unprecedented targeted attack by sophisticated third-party governmental actors seeking to cause disruption, steal data, and otherwise interfere with governmental and business activities. This is a serious and dangerous event that should concern all of us. But just because the company suffered a serious hostile attack does not make the event an occasion for a securities fraud lawsuit.
This new lawsuit is of course the latest example of “event driven litigation” – that is, securities litigation that does not allege the kind of financial misrepresentations that in the past typically characterized securities lawsuits, but rather alleges that the company has experienced an unexpected setback in its business operations and therefore that investors were misled.
This lawsuit starkly shows the fundamental problem with this type of litigation. These kinds of lawsuits not only try to turn everything that happens to a company into securities fraud. They also try to turn the availability of remedies under the securities laws into a way for investors to insulate their investments from the vicissitudes of business operations that could affect the value of those investments. The truth is that in the hurly-burly of day-to-day business, bad things can happen, even really, really bad things, like what happened here. If bad things happen to businesses, the price of the businesses’ shares could and likely will go down. But merely because bad things happened and share prices declined as a result does not mean that there has been securities fraud.
One final note. In my post last year about the cybersecurity-related shareholder derivative lawsuit filed against Laboratory Corporation of America, I noted that the plaintiff’s allegations in that lawsuit included allegations that the company’s board had breached its fiduciary duties in connection with a cybersecurity breach that occurred at one of the company’s third-party vendors.
I have always thought this kind of allegation is, shall we say, a stretch. But the events at SolarWinds, affecting as they did the company’s customers, provide an interesting context in which to think about the idea that organizations could be subject to management liability claims based on a cybersecurity incident at their third-party vendor, in this case SolarWinds. It would be as if, say, the boards of Microsoft, Cisco Systems, or Nvidia could be alleged to have breached their fiduciary duties as a result of the breach at SolarWinds. This seems like a highly dubious proposition to me, but, based on the LabCorp case, it is a theory that at least the plaintiff attorneys in that case are trying to promote.