Key takeaways

Some immediate takeaways for companies in the wake of this important decision include:

• Security Statement on website: The surviving claims emphasize that public-facing security statements on a company’s website can be considered material to investors by regulators and courts. Companies should develop protocols to vet these statements with Information Security leaders and legal counsel.
• Individual liability persists: The court upheld charges against Brown due to his role in approving and knowledge of the Security Statement's inaccuracies. Companies should consider risk-shifting provisions and insurance for Information Security professionals, who may not qualify for Directors and Officers (D&O) coverage.
• Risk disclosures: The court validated SolarWinds's risk disclosures in SEC filings, noting they adequately detailed the company's cybersecurity risks. Companies should ensure their filings similarly describe cybersecurity risks and potential harms. Developing a materiality playbook and 8-K holding statements can aid timely filings during cybersecurity incidents.
• Internal accounting and disclosure controls: The court's finding that cybersecurity controls are not "internal accounting controls" limits the SEC’s regulatory scope in this space. However, companies without adequate incident response plans remain vulnerable under the "disclosure controls and procedures requirement". Ensuring up-to-date plans and conducting tabletop exercises can help maintain compliance and preparedness.

In depth

In a much-anticipated decision issued on July 18, 2024, Judge Paul Englemayer of the Southern District of New York dismissed the majority of the charges in the Security Exchange Commission’s (SEC) groundbreaking enforcement action against SolarWinds and its Chief Information Security Officer, Timothy Brown. Notably, the court held that cybersecurity controls are not part of a company's "system of internal accounting controls" within the meaning of Section 13(b)(2)(B)(iii) of the Exchange Act, dismissing the claims under that section. While the decision marks a significant victory for the defense in this landmark case, the company and its CISO are not entirely off the hook. The court found that the SEC sufficiently pled charges that SolarWinds and Brown misled investors in a security statement posted on their website that touted the company's strong cybersecurity program.

Background on SEC claims against SolarWinds & its CISO

In October 2023, the SEC filed its initial complaint against SolarWinds and Brown, alleging a variety of cybersecurity-related failures related to the SUNBURST cyber attack on SolarWinds's marquis product, Orion, that went undetected for months and affected over 18,000 public and private sector SolarWinds customers. The complaint alleged that the company and Brown made material misrepresentations before and after the attack in (i) SEC filings and (ii) public-facing statements. The complaint also alleged that the company's cybersecurity deficiencies meant that SolarWinds and Brown failed to "devise and maintain a system of internal accounting controls," and that the failure to escalate certain cybersecurity incidents meant there was a lack of "effective disclosure controls and procedures."

The SEC's action was notable for individually naming the CISO and because it marked the first time the SEC used the "internal accounting controls" provisions of the Exchange Act to allege deficient cybersecurity controls. The action was the subject of intense criticism, with amicus briefs filed by current and former CISOs, former government officials, chambers of commerce, banking associations, and others urging dismissal.  

It is important to remember that SolarWinds involved legal claims brought by the SEC before issuers had disclosure obligations under the new SEC cybersecurity disclosure rules. We expect the SEC to remain aggressive in its cyber-enforcement initiative under these new rules, even in light of the setback in this case.

The claims that survived dismissal: Material misstatements in website Security Statement & Brown's individual responsibility

Judge Englemayer divided the alleged material misstatements to investors into two categories: (1) pre-SUNBURST statements, including the Security Statement posted on the company's website ("Security Statement"), the company's risk disclosures in connection with its SEC filings, press releases, podcasts, and blog posts, and (2) post-SUNBURST SEC filings, including two 8-Ks filed after the attack was discovered. Only the charges related to the Security Statement survived the dismissal motion, as the court found the SEC had sufficiently pleaded that the Security Statement was misleading and false, and that the misstatements were material to investors. While the Security Statement "held out SolarWinds as having sophisticated cybersecurity controls in place and as heeding industry best practices," the SEC adequately alleged that the company actually used poor password security and impermissibly broad access privileges. With regard to Brown specifically, the court cited several internal communications and presentations in which Brown made statements that were directly at odds with the representations made in the Security Statement. The court found  Brown knew or should have known that the Security Statement was false or misleading, citing the fact that he approved the Security Statement before it was posted, was aware of information contradicting the Security Statement's representations, and knew about cybersecurity incidents "tending to undermine the Security Statement's top-line message that SolarWinds had strong cybersecurity practices."  Even where the complaint lacked evidence that Brown knew directly about security flaws or incidents, the court held that "given his position as vice president of security and architecture, his duty to monitor SolarWinds’s cybersecurity, and his role as the company's cybersecurity spokesperson, the only rational inference is that he knew of them." Accordingly, Brown's conduct in approving the Security Statement and allowing it to remain in place despite its misleading nature was "plausibly pled as 'highly unreasonable or extreme misconduct.'"

Remaining charges dismissed: Court considered the context of filing 8-K's early

All of the remaining charges were dismissed. The pre-SUNBURST risk disclosures, which the SEC had characterized as generic, boilerplate, and misleading to potential investors, in fact, "enumerated in stark and dire terms the risks the company faced were its cybersecurity measures to fail," according to the court. "Although a reasonable investor could easily have been led astray by the Security Statement, such an investor could not have been misled by the risk disclosure." The court found that the other pre-SUNBURST statements, like blog posts and podcast interviews, were standard corporate puffery, and too vague to be materially misleading to any potential investor. The post-SUNBURST statements, specifically two 8-Ks filed regarding the attack, were alleged by the SEC to have been materially misleading as to the nature and extent of the attack, and whether or not the vulnerability in the software had been successfully exploited. The court disagreed, noting that "perspective and context are critical" and that SolarWinds was at an early stage of its investigation, with both 8-Ks having been filed within five days of SolarWinds learning of the attack.

The SEC alleged that SolarWinds's failure to safeguard its most vital assets with adequate cybersecurity controls meant that the company lacked a "system of internal accounting controls" as required by Section 13(b)(2)(B) of the Exchange Act. The court unequivocally rejected this novel theory, holding that the provision relates specifically to financial accounting, requiring that an issuer accurately report, record, and reconcile financial transactions and events. The court was unmoved by the SEC's argument that the cybersecurity deficiencies related to the security of the company's "crown jewel" assets, finding that applying the statute in this manner would make it impermissibly broad and was inconsistent with the statutory text and precedent.

Finally, the court similarly rejected the SEC's claim that SolarWinds violated the Exchange Act's requirement that companies "maintain disclosure controls and procedures." The claim was premised on the assertion that SolarWinds improperly classified the risk level of two cyberattacks that pre-dated SUNBURST, resulting in them not being reported to executive management or reported to the public. But, as the court noted, SolarWinds did have a system in place for escalating security incidents, and the SEC did not allege any deficiencies in that system, or any evidence that it didn't function properly. The court noted that "errors happen without systemic deficiencies," and refused to sustain the charge on that basis. It also dismissed the charge as to Brown, holding that "only with the benefit of post-SUNBURST hindsight" could it be plausibly alleged that Brown impermissibly failed to escalate the two incidents at issue. The court, in other words, recognized that the significance (or lack thereof) of a particular security incident will not always be apparent in its immediate aftermath.

Lessons learned from SEC vs. SolarWinds

Some immediate takeaways for companies in the wake of this important decision include:

• Security Statement on website: The surviving claims related to security statements on SolarWinds website send a strong message that regulators and courts consider public-facing statements posted on a businesses' website as material. Companies should develop processes and protocols to vet any public-facing security statements with both leaders of Information Security teams and legal counsel.
• Individual liability persists: While the court acknowledged the reality that cybersecurity incidents are fluid and rapidly evolving by nature, and that CISOs should not have their decisions viewed through the lens of hindsight, it upheld the charge against Brown that related to the Security Statement, citing his personal involvement in approving the statement, his knowledge of the inaccuracy of many of its claims, and his high-ranking role within the company. Given the risk of personal liability for decision-makers in the cybersecurity organization, businesses may want to consider appropriate risk-shifting provisions and insurance for Information Security professionals who are often not Directors/Officers of organizations and may not qualify for D+O Coverage.
• Risk disclosures: The court credited SolarWinds's risk disclosure in its SEC filings as adequately setting out the unique cybersecurity and related risks that the company faced. The decision describes in detail the content of the risk disclosure in finding that it sufficiently warned the investing public about the nature of the risks and the potential for "grave consequences" if the risks were realized. Companies would be well-served by reviewing both this language in the decision and the risk disclosure itself, and ensuring that their filings contain similarly detailed descriptions of any cybersecurity risks and the reputational and financial harms that may flow from them. Businesses subject to SEC's cyber rules should develop a materiality playbook and 8-K holding statements to ensure timely filings can be made if they experience a material cybersecurity incident.
• Internal accounting and disclosure controls: While the finding that cybersecurity controls are not "internal accounting controls" under the Exchange Act is a blow to the SEC's efforts to regulate more forcefully in this space, our view is that this theory was also the most novel and susceptible of SEC claims in this case.  It was the first time the SEC ever employed this theory in a cyber matter, and we expect it to be cautious in resurrecting this theory in future cyber cases.  The court's finding that SolarWinds's incident response plan was adequate and functioning, therefore leading to the dismissal of the disclosure controls and procedures count, bears closer watching.  The SEC has employed disclosure controls and procedures claims as a main weapon in its cyber arsenal for several years, and we expect the SEC to likely view the court's ruling as being limited to the facts of this case and not necessarily a significant obstacle to continued use of this theory.  That said, the ruling here is a clear demonstration that the SEC's unilateral say-so on what constitutes internal accounting controls and disclosure controls and procedures in the cyber context remains vulnerable to legal challenge. Still, companies are well-advised to ensure that their plans are up-to-date and consistent with best practices and should conduct tabletop exercises to ensure they're working properly.