Latest Developments In The SolarWinds Case And Implications For SEC's Cyber Incident Response Efforts And Litigation

Baker Botts

On Thursday July 18, a Southern District of New York court dismissed much of the U.S. Securities and Exchange Commission's (SEC) case against SolarWinds Corp.

While not binding on other courts, the thorough 107-page opinion may have implications for the SEC's approach as it continues to pursue cyber incident litigation against corporate defendants. Among other things, the opinion recognized that, even when a public company has a duty to disclose a material cybersecurity incident, the sufficiency of those disclosures cannot be judged by hindsight and must fairly consider the information known to the company at the time.

In addition, the Court's opinion rejects the SEC's efforts to expand the requirement that companies maintain a system of "internal accounting controls" to cover cybersecurity controls. At the same time, in sustaining a portion of the SEC's claim, the opinion shows that statements outside of securities filings—in this case, on the company's website—can form the basis for actionable securities fraud claims and that companies should ensure that such statements do not become stale or inaccurate over time due to changing information.

Background

On December 12, 2020, SolarWinds received information from a customer that it had a vulnerability in its Orion product as a result of malicious code inserted by a threat actor, which had infiltrated thousands of networks (the "Sunburst Attack").

The SEC soon began investigating the adequacy of SolarWinds' cybersecurity-related disclosures to investors, and, in October 2023, filed an enforcement action in the Southern District of New York against SolarWinds and the head of its information security group. The SEC alleged that (i) various statements by SolarWinds—both before and after the Sunburst Attack—violated the anti-fraud provisions of the U.S. securities laws and (ii) SolarWinds failed to devise and maintain a system of internal accounting controls and had ineffective disclosure controls and procedures.

Key Holdings in the SolarWinds Case

The Court's decision rejected most of the SEC's theories. While a discussion of every theory addressed by the Court in its 107-page opinion is beyond the scope of this summary, we highlight three issues below that are likely to have particular significance:

  1. Certain Pre-Attack Claims Allowed to Proceed. While dismissing most of the SEC's theories, the Court found that the SEC had adequately pled a securities fraud claim against both SolarWinds and the head of information security based on a "Security Statement" posted on SolarWinds' website in the years before the Sunburst Attack. The Court rejected the defendants' argument that the statement was not actionable because it was directed to customers, not investors, noting "it is well established that false statements on public websites can sustain securities fraud liability." Further, the Court found that the Security Statement's representations regarding SolarWinds' access controls and password protection policies "were materially misleading by a wide margin." The Court cited evidence that "SolarWinds was routinely promiscuous in freely granting administrative rights to employees and conferring access rights way beyond those necessary for employees' specific job functions" and that "the company's stated password policy was generally not enforced."

  2. Court Dismissed Claims Based on Post-Sunburst Attack Form 8-Ks. In the days following the Sunburst Attack, SolarWinds made a series of disclosures concerning the attack in its Form 8-K filings. The SEC alleged that those disclosures were materially misleading because they did not disclose two earlier cyber incidents and gave the impression that the vulnerability was "purely theoretical." The Court rejected this theory, emphasizing that, "as to this claim, perspective and context are critical." SolarWinds filed the first Form 8-K two days after the customer first contacted SolarWinds. As such, the Court explained that "the disclosure was made at a time when SolarWinds was at an early stage of its investigation, and when its understanding of that attack was evolving." The Court concluded that "the lengthy Form 8-K disclosure, read as a whole, captured the big picture: the severity of the SUNBURST attack."

  3. Dismissal of Internal Accounting Control and Disclosure Control Theories. The Court also rejected in total the SEC's internal control theories. First, the SEC claimed that the Sunburst Attack showed that SolarWinds had failed to devise and maintain a system of "internal accounting controls," as required under Section 13(b)(2)(B) of the Exchange Act. The SEC has expansively interpreted "internal accounting controls" in settled proceedings over the years. But in this litigated action, the Court rejected the SEC's theory based on a plain reading of the word "accounting," which it held "refers to a company's financial accounting" and not "every internal system a public company uses to guard against unauthorized access to its assets." The Court also rejected the SEC's theory that SolarWinds violated an SEC rule requiring it to have "disclosure controls and procedures." The Court noted that SolarWinds, even as alleged by the SEC, "had a system of controls in place to facilitate the disclosure of potentially material cybersecurity risks and incidents," which was "designed to ensure that material cybersecurity information was timely communicated to the executives responsible for public disclosure." The system "scored" various events to determine whether they required disclosure to executives. The Court found that SolarWinds in fact investigated pre-Sunburst cyber incidents and essentially rejected the SEC's contention that those incidents had not been assigned the appropriate "score."

Takeaways

  1. Ensure Website and other Disclosures Remain Accurate. The one theory the Court sustained related to a statement on the company's website. While the Court found this statement false and misleading from publication, the decision nevertheless highlights that companies should maintain a process to ensure that informal disclosures (such as on a website or promotional materials) do not become stale and potentially misleading over time.

  2. Proactive Cybersecurity Measures. Organizations should invest in robust cybersecurity frameworks and regular audits to mitigate risks and demonstrate due diligence in protecting sensitive information and responding to cybersecurity incidents. The Court's dismissal of the SEC's claims based on formal disclosures (i.e., the company's Form 8-K disclosures) is notable and useful for companies because it recognizes that "perspective and context are critical," and that post-incident disclosures should not be judged with perfect hindsight. At the same time, SolarWinds was able to defeat these claims in part because it did have disclosure procedures in place and issued a lengthy, detailed, appropriately caveated Form 8-K following the Sunburst Attack.

  3. Reining In Internal Accounting Controls. Finally, the Court's ruling on the plain meaning of the internal accounting controls claim—i.e., that "accounting" means "accounting"—may cabin the SEC's more expansive internal controls theories of enforcement, both in cybersecurity cases and more broadly.
