In what the Wall Street Journal called a “milestone” in the SEC’s efforts to address public companies’ cybersecurity disclosures, the SEC has filed a civil enforcement action against software company SolarWinds and its Chief Information Security Officer, Timothy Brown. The agency alleges that the company repeatedly misled investors by understating the company’s cyber vulnerabilities and the ability of hackers to penetrate the company’s systems. According to statements from agency officials, the action is intended to send a message about cybersecurity disclosures and disclosure controls. A copy of the SEC’s complaint can be found here. A copy of the SEC’s October 30, 2023, press release about the action can be found here.

Background

In December 2020, SolarWinds disclosed that a suspected third-party governmental actor had installed a vulnerability that could compromise the company’s network servers. The timeline in the SEC’s complaint starts earlier than the time of the breach incident disclosure. According to the complaint, as early as October 2018, the same month as SolarWinds completed its IPO (with a registration statement that the agency alleges presented only generic and hypothetical cybersecurity risks), Brown wrote in an internal presentation that the company’s “current state of security leaves us in a very vulnerable state for our critical assets.”

An internal engineering report that was communicated to Brown, among others, said that the company’s remote access set-up was “not very secure,” with a vulnerability that could allow a hacker to “basically do whatever they want,” which could cause “major reputation and financial loss for SolarWinds.” The SEC’s complaint also cites multiple internal communications in 2019 and 2020 questioning the company’s ability to protect its critical assets from cyberattack.

The complaint alleges that at the same time, in statements on its website as well as in its periodic SEC filings, the company published misleading statements and omissions about the company’s cybersecurity practices and policies; the agency alleges that the statements were misleading because they represented that the company had strong cybersecurity while concealing that the company had poor cybersecurity practices. The agency also alleges that the company’s disclosures failed to address known risks. The company, the agency alleges, repeated verbatim in successive filings its statements about potential risks, despite ongoing problems and the increasing red flags in 2020. The complaint alleges that Brown was aware of the company’s risks and vulnerabilities but failed to resolve the issues or sufficiently raise them within the company.

The SEC’s complaint goes out of its way to clarify that SolarWinds is not being targeted because it experienced a cybersecurity incident; the complaint states “To be clear, SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack.”

In a portion of the complaint that sheds some interesting light on the cyber incident disclosure requirements in the SEC’s recently released cybersecurity disclosure guidelines, the SEC specifically alleges in its complaint that the company’s December 2020 filing on Form 8-K in which the company disclosed the hack was “incomplete” and misleading.

The complaint alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; that SolarWinds violated reporting and internal control provisions of the Exchange Act; and that Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

Discussion

As Liz Dunshee puts it in her October 31, 2023, post on TheCorporateCounsel.net blog about the SEC’s action against SolarWinds (here), the agency is using this enforcement action as “a convenient opportunity to send a high-profile signal about disclosure controls.” Indeed, the SEC’s press release about the action includes a statement quoting Enforcement Director Gurbir Grewal as saying that “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

In order to deliver this message to reporting companies, the agency filed an action that the Wall Street Journal says represents “the first time securities regulators have gone to court with civil-fraud claims – the most serious charge at the agency’s disposal – against a public company over a hack.”

The SEC is clearly laying down a marker about cybersecurity risk disclosure, a position that its recent release of cybersecurity disclosure guidelines underscores. But the agency’s approach is, according to the Journal, regarded in some circles as “controversial”; the Journal article attributes to business groups the statement that the agency’s “investigations can shift the blame to the victims.” The Journal article also quotes a lawyer for SolarWinds as saying that “The SEC is improperly trying to appoint itself the cybersecurity police for public companies.”

The SEC’s action is noteworthy in a number of respects, not least because it targets not only the company but also the company’s Chief Information Security Officer (CISO). The SEC’s action in that regard is sure to send a shiver down the collective spines of the CISO community. The Journal article notes that it is “unusual” for the SEC to target public company officials “who don’t directly oversee or prepare the company’s financial statements.”

The SEC’s allegations concerning the company’s December 2020 disclosure of the hack are also interesting. The fact that the agency targeted the company’s incident disclosure is particularly significant in light of the incident disclosure requirements in the agency’s recently issued cybersecurity disclosure guidelines; the agency is clearly signaling that it will be policing the adequacy of cybersecurity incident disclosures.

The bottom line is that cybersecurity disclosure is clearly at the center of the agency’s radar screen. The agency wants companies to know that companies’ disclosures about their cybersecurity risks are material, and are being monitored and policed.

The SEC’s enforcement action against SolarWinds represents the latest of the company’s woes resulting from the hack of the company. Among other things, the company was also hit with a securities class action lawsuit following the news of the hack; the securities suit partially survived a motion to dismiss and ultimately settled for $26 million. A separate shareholder derivative suit filed against the company’s board was dismissed.