Fried, Frank, Harris, Shriver & Jacobson LLP

24/07/2024 | Press release | Distributed by Public on 25/07/2024 07:17

SDNY Judge Limits SEC Cybersecurity Suit Against SolarWinds and CISO

Client memorandum | July 24, 2024

Authors: Ilan Graff, Amir Ghavi, Michael Kleinman, Emily Ascherl

On July 18, 2024, U.S. District Judge Paul Engelmayer dismissed the majority of the Securities and Exchange Commission's ("SEC") suit against SolarWinds Corp. and its Chief Information Security Officer ("CISO").[1] SolarWinds sells systems management software to public and private sector customers, including its flagship "Orion" product. Following a wide-ranging investigation into the December 2020 "SUNBURST" attack impacting SolarWinds and certain of its customers, the SEC Enforcement Division brought this headline-grabbing action. The SEC alleged that SolarWinds and its CISO misled the public through statements made in a "Security Statement" posted on the company's website and through a range of other public statements, including podcasts, blog posts, and required federal securities filings, by falsely touting the company's internal cybersecurity practices and its cybersecurity-focused products (including Orion) and by understating known security risks present in its practices and products during two time periods: (i) pre-SUNBURST, when SolarWinds and its CISO were purportedly aware of company-specific security deficiencies; and (ii) post-SUNBURST, when SolarWinds and its CISO were purportedly aware of attacks perpetrated on certain of its customers.

The SEC also alleged that the company's cybersecurity deficiencies and failure to properly classify and escalate the customer attacks constituted failures to maintain appropriate internal accounting controls and disclosure control procedures, respectively.[2]

Public Statements Are Actionable

The Court sustained only the SEC's pre-SUNBURST claims based on alleged misrepresentations in SolarWinds' Security Statement regarding the company's internal cybersecurity controls, finding that the SEC adequately pled that the statement "portrayed a diametrically opposite representation" of those controls for "public consumption" from the internally acknowledged deficiencies known to the CISO and others at the company.[3] The Court rejected SolarWinds' argument that the Security Statement could not serve as the basis for a securities law violation because it was "directed to customers, not investors," deeming it "well established that false statements on public websites can sustain securities fraud liability."[4] The Court, however, dismissed as inactionable corporate puffery the other pre-SUNBURST claims, which were based on press releases, blogs, and podcast statements generally describing the importance of cybersecurity practices. The decision serves as an important reminder for companies, particularly those offering cybersecurity products and services, to carefully scrutinize marketing claims and other statements made on their websites; SolarWinds illustrates that the total mix of information on which investors rely includes more than just statements filed with the SEC.

Dismissed Claims

Reasoning that "[t]hey impermissibly rely on hindsight and speculation,"[5] the Court dismissed all of the SEC's post-SUNBURST claims, including those based on the company's December 2020 Form 8-K statements,[6] a novel claim that cybersecurity controls fell within the accounting controls requirement of Section 13(b)(2)(B) of the Exchange Act,[7] and a disclosure control claim under Exchange Act Rule 13a-15(a).[8]

Risk Factor Disclosures

The SEC took a strong position in SolarWinds with respect to the adequacy of the company's cybersecurity risk factor disclosures, which appeared to contradict longstanding SEC guidance that was recently reaffirmed in the adopting release accompanying the SEC's July 2023 cybersecurity risk management, strategy, governance, and incident disclosure rules. That guidance stated that, while risk factors must be tailored to actual risks, the SEC does "not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident."[9]

Judge Engelmayer's decision is consistent with the expectations the SEC has previously communicated to companies. In dismissing the claims based on SolarWinds' risk factor disclosures, the decision observes that "[s]pelling out a risk with maximal specificity may backfire in various ways, including by arming malevolent actors with information to exploit."[10] The Court rejected the SEC's characterization of the relevant disclosures as mere boilerplate, holding that the disclosures "set out in some detail the unique risks in this area that SolarWinds, as a cybersecurity company, faced."[11] These details included, among other things, that SolarWinds was "'heavily dependent on [its] technology infrastructure,'" was "'vulnerable to damage or interruption' from 'traditional computer hackers,' 'malicious code (such as viruses and worms)' . . . and 'sophisticated nation-state and nation-state-supported actors,'" and that the risks might be undetected and unanticipated and could be damaging for the company.[12] The Court held that these disclosures were sufficient to alert investors to the type and nature of the risks facing SolarWinds and to the consequences that could result from the materialization of such risks, and that they were drafted with adequate breadth, specificity, and clarity.[13]

The Court similarly rejected the SEC's contention that the company should have updated its disclosures following early reports of cyber events from two of its customers. Those events fell within the warnings set out in the disclosures and, given the information available to the company at the time, did not indicate a greater threat that would have compelled updated disclosures under a duty to update. The Court noted, however, that had SolarWinds determined that those events were related and part of a material incident of the kind warned about in the risk factors, an updated disclosure may have been required.[14]

Form 8-K Disclosures

The Court also dismissed the SEC's claims asserting that the company's post-SUNBURST disclosures on Form 8-K were materially misleading because they gave a false impression that SUNBURST was a purely theoretical problem (i.e., that a vulnerability had the "potential" to impact customers) when the SUNBURST vulnerability had in fact already been exploited against at least two customers.[15] Here, the Court faulted the SEC for failing to read perspective and context into the disclosures made by SolarWinds, taking a holistic view that the harm (i.e., the potential, widespread impact of the vulnerability on many customers) was sufficiently disclosed to investors: the disclosure, "read as a whole, captured the big picture: the severity of the SUNBURST attack."[16]

Internal Controls

The Court summarily rejected the SEC's novel effort to read authority over cybersecurity controls into Exchange Act Section 13(b)(2)(B)(iii)'s requirement that issuers maintain appropriate internal accounting controls. Judge Engelmayer emphasized the lack of textual support for this reading, "as a failure to detect a cybersecurity deficiency . . . cannot reasonably be termed an accounting problem."[17] On the heels of the Supreme Court's landmark holding in Loper Bright, Judge Engelmayer's ruling exemplifies a court's "exercise [of its] independent judgment in deciding whether an agency has acted within its statutory authority."[18] It is also the latest in a series of recent decisions anchored in skepticism of the SEC's exercise of its regulatory or enforcement authority.[19]

Notably, when assessing required disclosure controls under Exchange Act Rule 13a-15(a), the Court focused on the control system as a whole rather than individual decisions regarding whether to escalate a particular incident that could potentially require disclosure. The Court noted that the company's incident response plan used a scoring system to elevate potential risks to management responsible for disclosures, and declined to second-guess the company's classification of cybersecurity incidents absent allegations of significant breakdowns in that system's implementation.[20]

The recent SEC cybersecurity rules necessitate that companies remain vigilant in assessing and disclosing risks from cybersecurity threats and the occurrence of material cybersecurity incidents. However, Judge Engelmayer's decision signals courts' willingness to police SEC efforts to extend its enforcement power beyond its statutory authority.

[1] SEC v. SolarWinds Corp., No. 1:23-cv-09518 (S.D.N.Y. July 18, 2024).

[2] Amended Complaint at 3-11, 101-05, SEC v. SolarWinds Corp., No. 1:23-cv-09518 (S.D.N.Y. Feb. 16, 2024); SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures, U.S. Sec. & Exch. Comm'n (Oct. 30, 2023), https://www.sec.gov/newsroom/press-releases/2023-227.

[3] SolarWinds, slip op. at 52-54.

[4] Id. at 51.

[5] Id. at 3.

[6] Id. at 92.

[7] Id. at 102.

[8] Id. at 106-07.

[9] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459 and 34-82746 (Feb. 21, 2018); Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216 and 34-97989, at 111-12 (July 26, 2023) (noting that the final rule pared back disclosure requirements to "reduce the perceived risk of providing a roadmap for threat actors").

[10] SolarWinds, slip op. at 73.

[11] Id. at 71.

[12] Id.

[13] Id. at 72.

[14] Id. at 78.

[15] Id. at 85.

[16] Id. at 90.

[17] Id. at 98.

[18] Loper Bright Enters. v. Raimondo, 144 S. Ct. 2244, 2273 (2024).

[19] See Nat'l Ass'n of Priv. Fund Managers v. SEC, 103 F.4th 1097 (5th Cir. 2024) (vacating the SEC's Private Fund Adviser Rules, finding the agency lacked statutory authority to adopt the rules); SEC v. Jarkesy, 144 S. Ct. 2117 (2024) (holding that the Seventh Amendment right to a jury trial applies when the SEC seeks civil penalties against a defendant for securities fraud).

[20] SolarWinds, slip op. at 103-06.

This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm's data policy page for further information.