Is Your Company Ready for the New SEC Cybersecurity Disclosure Requirements? Lessons Learned From the SEC Complaint Against SolarWinds and Its CISO
The Securities and Exchange Commission (SEC) recently sued SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy Brown, alleging their efforts to conceal the company’s poor cybersecurity practices and downplay its software’s vulnerabilities to cybersecurity attacks defrauded SolarWinds investors and customers. The landmark lawsuit asserts violations of the antifraud provisions of the federal securities laws against both SolarWinds and Brown and underscores the increased importance the SEC places on companies’ cybersecurity disclosures.
With the adoption of the new SEC cybersecurity disclosure rules that become effective on December 15, the SEC will increase its scrutiny of companies’ cybersecurity representations. A summary of these new cybersecurity disclosure rules, which are designed to allow investors to evaluate a registrant’s exposure to cybersecurity risks and incidents and its ability to manage and mitigate such risks, can be found in our August 4 Advisory.
We examine the interplay between the SolarWinds case and the new cybersecurity disclosure rules, and offer key takeaways for companies and individuals.
Background and Key Allegations in the Complaint
SolarWinds is an information technology firm that provides infrastructure management software. From October 2018 through January 2021, SolarWinds had nearly 300,000 customers, including state, federal, and foreign governments. The SEC alleges that, despite public statements that it followed well-recognized industry standard cybersecurity practices, SolarWinds’ internal assessments and communications made clear that the company and Brown were aware that those statements were misleading investors. According to the SEC, the “true state” of SolarWinds’ poor cybersecurity practices, controls, and risks was brought to light in December 2020, when SolarWinds disclosed that its flagship product, Orion, had been the target of a major, two-year-long cyberattack. We previously examined the lessons learned from the attack in our June 2021 Advisory.
The SEC’s complaint highlights several areas of public disclosures in which SolarWinds allegedly made multiple materially false and misleading statements and omissions, including the company’s Security Statement, SEC registration forms, and December 2020 Form 8-K filing, which disclosed the Orion attack.
SolarWinds’ Security Statement
The Security Statement which, according to the complaint, was posted on SolarWinds’ website and regularly provided to customers, indicated that the company followed industry standard cybersecurity practices, including: (1) complying with the NIST Framework; (2) creating and developing its software using a secure development lifecycle (SDL); (3) having strong password protection; and (4) maintaining access controls. As alleged in the complaint, however, internal emails, assessments, and presentations made clear that although SolarWinds claimed to adhere to well-recognized cybersecurity practices, it had no policies or practices in place for the NIST framework, did not consistently develop its software using an SDL, did not enforce strong password requirements on its systems, and failed to maintain adequate access controls.
Notably, the SEC relies on informal internal employee communications to support its position that SolarWinds suffered from “pervasive cybersecurity issues.” For example, the SEC highlighted instant messages between information security employees referring to SolarWinds as a house with “faulty electrics” and describing SolarWinds as being “so far from … a security minded company.” The SEC also pointed to an August 2018 email in which Brown “bluntly admitted” that SolarWinds did not fully comply with its Security Statement’s SDL section. These statements, according to the SEC, reflected a culture that did not take cybersecurity issues seriously and showcased SolarWinds’ scheme to conceal its poor cybersecurity practices from its investors and customers.
According to the SEC, although SolarWinds and Brown were aware that the company faced heightened cybersecurity risks, its SEC filings only contained boilerplate, generic disclosures. The SEC highlighted SolarWinds’ cybersecurity risk disclosure from its October 2018 Registration Statement on Form S-1, which stated that “if” the company suffered from system failures, cyberattacks, or other data security breaches it could suffer a loss of revenue and increased costs, exposure to liability, or reputational harm. The disclosures, which the SEC also characterized as hypothetical, failed to alert investors to known or elevated risks. For instance, despite two different customers providing SolarWinds with evidence of similar malicious activity on the Orion software, SolarWinds failed to disclose the attacks to investors or other customers and further concealed problems that riddled Orion.
The SEC also emphasized that although Brown documented the cybersecurity issues facing the company, SolarWinds not only failed to disclose and remediate the issues, but also continued to repeat the same materially false and misleading risk disclosures in its SEC filings. Moreover, although SolarWinds disclosed the vulnerability that was exploited as part of the Orion attack in December 2020, its disclosure “created a materially misleading picture” because it referred to the vulnerability as theoretical (and did not disclose that the compromise had actually already occurred).
Internal Control Failures
The SEC also alleged that SolarWinds lacked sufficient internal controls, including accounting controls, to protect its key assets, and had deficient disclosure controls. According to the SEC, as a result of its poor cybersecurity practices, SolarWinds failed to maintain sufficient controls to reasonably protect its critical assets, such as its information technology network environment, source code, and products. Further, although Brown certified to the effectiveness of SolarWinds’ information technology controls, he could not identify the relevant controls when asked to do so by the SEC. The SEC also claimed that SolarWinds lacked controls to ensure that information related to potentially material cybersecurity risks, incidents, and vulnerabilities was reported to the executives responsible for SolarWinds’ disclosures.
The SolarWinds complaint, the new SEC cybersecurity disclosure rules, and past SEC enforcement cases showcase the SEC’s focus on cybersecurity disclosures and controls. Below are our key takeaways:
- Review your upcoming Form 10-K Risk Factors for “boilerplate” language. The SEC noted in the SolarWinds complaint that the company’s SEC filings referred to vulnerabilities as theoretical and made “boilerplate” disclosures. The SEC has brought other cases against companies in the past under a similar theory. Registrants should review their upcoming Form 10-K risk factors and update them as necessary, ensuring known cybersecurity threats or breaches are sufficiently disclosed and not described as theoretical. See our September 20 Advisory for other thoughts related to the upcoming annual reporting season.
- The SEC is taking a careful look at disclosure controls. In its statement announcing the lawsuit, the SEC noted that the action “underscores [its] message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.” The SEC alleges that SolarWinds had deficient accounting controls as well as deficient disclosure controls. SolarWinds is not the SEC’s first disclosure controls case: the SEC announced a settled action alleging a failure to maintain sufficient disclosure controls and procedures in 2021, and we discussed a recent example in our February 23 Advisory. We anticipate that SEC disclosure controls cases will become more common with the implementation of the new cybersecurity disclosure rules. The next takeaway highlights that disclosure controls should cover statements and speaking engagements by executive officers.
- Statements by CISOs (and all officers and directors of a public company) should be part of the disclosure controls process. The SEC’s action against Brown underscores the importance of disclosure controls covering all officers’ and directors’ public statements. The SEC emphasized that Brown acted as SolarWinds’ cybersecurity spokesperson in multiple public statements, including podcasts, blog posts, and press releases. Brown’s statements, according to the SEC, failed to paint an accurate picture of SolarWinds’ cybersecurity practices. For instance, the SEC claims that although SolarWinds had multiple unaddressed cybersecurity problems, Brown made statements in blog posts and podcasts falsely claiming that SolarWinds adhered to sound security practices and procedures. CISOs and other company officers or representatives should work within their company’s disclosure control procedures to ensure that all of their public disclosures and statements, regardless of format, accurately represent the company’s cybersecurity practices and its ability to mitigate potential risks.
- Internal employee communications will be critically assessed. Throughout the complaint, the SEC pointed to numerous internal communications, including presentations, emails, and instant messages between SolarWinds’ employees, as evidence that the company and Brown were aware of its poor cybersecurity practices. For example, the SEC highlighted instant messages between employees describing the Orion platform as being “riddled” with vulnerabilities as evidence that SolarWinds and Brown knew about the company’s cybersecurity risks and failed to disclose them. Given the SEC’s reliance on internal employee communications in the SolarWinds lawsuit, companies should be mindful that even informal communications will be heavily scrutinized by the SEC.
The SEC’s decision to bring scienter-based fraud charges not only against the company but also against its CISO raises the stakes related to cybersecurity disclosures. This stance, coupled with the release of its new cybersecurity disclosure rules, highlights the SEC’s increased emphasis on companies’ cybersecurity disclosures and its intention to aggressively enforce cybersecurity disclosure regulations.
Please reach out to any of the authors of this Advisory or your regular Arnold & Porter contact with questions on this topic.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.