As I have noted in numerous posts on this site (most recently here), plaintiffs’ lawyers seem drawn to filing D&O claims against companies that have experienced cybersecurity incidents. But as I have also noted, the plaintiffs’ lawyers’ track record in these cases is not particularly good. However, as discussed in the following guest post by Jarett Sena, Director of Litigation Analysis, ISS Securities Class Action Services, the cybersecurity-related securities class action lawsuit pending against SolarWinds recently resulted in a significant and noteworthy settlement. This article previously was published on ISS Securities Services’ ISS Insights. I would like to thank Jarett and ISS Securities Class Action Services for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Jarett’s article.
When it was revealed in December 2020 that SolarWinds Corporation was subject to a massive data breach by suspected Russian-backed hackers who injected malicious code into the company’s “Orion” software update for nearly two years, the company’s stock price plummeted by more than a third. Customers abandoned the company’s software, and then homeland security adviser to President Donald Trump declared that “[t]he magnitude of this ongoing attack is hard to overstate” – as Russian agents were able to gain access to top-secret government systems.
Following the data breach, investors filed a securities class action against the network monitoring software company whose customers include Fortune 500 Companies, the Pentagon, the FBI, and the National Nuclear Security Administration. The complaint alleges that SolarWinds falsely and misleadingly told investors that it had a robust cybersecurity program and adhered to the cybersecurity practices in the “Security Statement” on its website. However, in actuality, the company’s cybersecurity program is alleged to have been “woefully deficient”: there was no security team, password policy, security training, or documentation regarding data protection.
The company’s CEO and its private equity backers Silver Lake and Thoma Bravo allegedly eschewed common security practices in favor of short-term profits. For example, the password for the company’s server – “solarwinds123” – was purportedly set by an intern and publicly available for a year and a half. The complaint further alleges:
- SolarWinds’ former Global Cybersecurity Strategist gave a presentation on the company’s inadequate cybersecurity practices to the company’s top executives, but the company rejected the changes, causing him to resign in protest.
- Ten former employees of the company reported that the company did not have the cybersecurity policies and procedures in place that it told investors it had.
- SolarWinds’ CEO, Silver Lake, and Thoma Bravo sold $281 million worth of stock shortly before the breach was revealed.
Per the company’s recent 8-K SEC filing, the securities class action now appears to have been resolved, with the company and the other named defendants – including CEO Kevin B. Thompson, Vice President of Security Architecture Tim Brown, Silver Lake, and Thoma Bravo – agreeing to a tentative $26 million settlement.
Investor Class Action Details
| | |
|---|---|
| Court Venue | U.S.D.C. – Texas (Western) |
| Initial Complaint | Filed on January 4, 2021 |
| Case Status | Tentatively Settled |
| Class Period | October 18, 2018 – December 17, 2020 |
| Class Definition | On behalf of all persons who purchased or otherwise acquired the securities of SolarWinds Corporation during the Class Period |
| Lead Plaintiffs’ Counsel | Bernstein Litowitz Berger & Grossmann |
| Defense Counsel | Edmundson Shelton Weiss, King & Spalding, Kirkland & Ellis, Ropes & Gray, Willkie Farr & Gallagher |
Prior to the claims filing procedure – which will allow investors to participate in the recovery process – the $26 million tentative settlement must first be approved by U.S. District Judge Robert Pitman. Judge Pitman previously denied in large part the defendants’ motion to dismiss the action, finding in particular that Tim Brown acted with at least severe recklessness when he touted the security measures employed by SolarWinds.
While cybersecurity has become a critical business and legal concern, cyber-related securities class actions so far have met with mixed success in court. A number of high-profile cases have been dismissed, including against Capital One, Marriott, and Zendesk (as well as a derivative action against SolarWinds). On the other hand, a few meaningful cases have settled for significant sums, including Equifax in June 2020 ($149 million) and Yahoo! in September 2018 ($80 million). Additionally, there are a number of active cases still being litigated, including those against Alphabet, Okta, and Block (f/k/a Square).
Important Note for Investors:
The U.S. Securities and Exchange Commission (“SEC”) has also made the initial recommendation to file an enforcement action against SolarWinds for alleged violations of the federal securities laws with respect to its cybersecurity disclosures as well as its internal controls. The SEC enforcement action could result in the creation of a “Fair Fund” that benefits investors.
ISS Securities Class Action Services will continue to closely monitor cyber-related securities class actions, including the SolarWinds action and the potential SEC enforcement action, and share updates with its clients and the investment community as developments occur.
By Jarett Sena, Director of Litigation Analysis, ISS Securities Class Action Services