The SEC’s Risk Disclosure and Controls Claims Against SolarWinds Fall to the Cutting Room Floor

23 Jul 2024
Client Alert

Judge Engelmayer of the Southern District of New York issued his much-anticipated opinion in Securities and Exchange Commission v. SolarWinds Corp. et al. last week,[1] dismissing most of the SEC’s claims against SolarWinds Corporation (“SolarWinds” or the “Company”) and its Chief Information Security Officer (“CISO”). The decision represents a significant victory for the Company and undoubtedly will affect the future scope of SEC cybersecurity enforcement and strategy. The case serves as a reminder, however, that public statements with detailed and specific cybersecurity information must be complete and accurate.

Key Takeaways

  • Companies must ensure that detailed and specific public statements about their cybersecurity practices, risks, and posture are accurate and current. Although he gutted much of the SEC’s complaint, Judge Engelmayer allowed claims based on SolarWinds’ Security Statement to proceed against both the Company and its CISO. In particular, he found that the SEC adequately pled that the Security Statement misleadingly touted SolarWinds’ access controls and password policy as strong, when internal communications and presentations suggested otherwise. This underscores the significance of making certain that public statements about cyber practices are accurate. That said, the judge dismissed claims based on non-specific, marketing statements in blogs and podcasts as “corporate puffery” and, therefore, insufficient to support a claim of securities fraud.[2]
  • Risk disclosures that, when viewed in their totality, alert the investing public to the types and nature of cybersecurity risks faced by a company are sufficient: issuers are not obligated to spell out risks with “maximum specificity.” Judge Engelmayer rejected the SEC’s risk disclosure liability theory. He highlighted several policy considerations weighing against a requirement for issuers to provide overly specific risk disclosures.[3] A high level of specificity could inadvertently empower threat actors by furnishing them with exploitable information. It could also potentially mislead investors regarding other risks disclosed at a lower level of specificity. In his ruling, Judge Engelmayer also noted that companies are not required to revise risk disclosures for individual cyber incidents if the existing disclosures already provide robust coverage of cybersecurity-related risks and consequences, particularly when a company does not have sufficient information about the incident to offer more specific details.[4]
  • The SEC’s charge of internal accounting controls violations based on Section 13(b)(2)(B) of the Securities Exchange Act of 1934 stemming from allegedly deficient cybersecurity controls was dismissed, injecting uncertainty into whether the SEC will bring these charges in future cybersecurity enforcement actions. In dismissing the Section 13(b)(2)(B) charges, Judge Engelmayer held that cybersecurity controls fall outside the scope of the statute, based on a straightforward textual interpretation of “internal accounting controls,” and the history and purpose of the statute when initially drafted by Congress. However, given that this order represents only one federal court judge’s analysis, it remains uncertain whether the SEC will continue to pursue internal accounting controls violations under a theory of inadequate cybersecurity controls in other forums. Additionally, the order leaves open the possibility for the SEC to pursue Section 13(b)(2)(B) violations for unauthorized payments in connection with cyber incidents, such as unauthorized ransomware payments.[5]
  • CISOs, like other executives, may face securities laws liability for specific, materially misleading statements they make about their companies’ cybersecurity posture, practices, and risks. The SEC alleged that SolarWinds’ CISO was aware of material misrepresentations in the Security Statement about the state of the Company’s access controls and password policies but nevertheless approved that statement. Judge Engelmayer ruled that, as pled, SolarWinds’ password policies were “generally not enforced,”[6] and the deficiencies in access controls were “glaring” and “unrectified over time.”[7] Finding that reasonable investors “would have viewed the alleged gap between SolarWinds’ words and on-the-ground reality as highly consequential,”[8] and that as alleged, the CISO “at a minimum should have known” about the purported shortcomings, Judge Engelmayer allowed the SEC’s securities fraud claims to proceed against the CISO.

Case Analysis

On October 30, 2023, the SEC accused SolarWinds and its CISO of committing scienter-based securities fraud for allegedly misleading investors about SolarWinds’ cybersecurity practices and risks before and after a cyberattack carried out by Nobelium, a likely state-sponsored threat actor. The agency alleged that the Company and the CISO promoted the strength of SolarWinds’ cybersecurity practices in public statements, including in a Security Statement on the Company’s website. It also alleged that SolarWinds’ risk disclosures materially misrepresented the state of SolarWinds’ cybersecurity by presenting the risks faced by the Company as generic and hypothetical in the face of known, material risks. In bringing its first-ever cyber enforcement action to include Section 13(b)(2)(B) charges, the agency also alleged that SolarWinds failed to employ a system of internal accounting controls that would safeguard its critical assets (namely, source code and IT networks) during a breach, in supposed violation of Section 13(b)(2)(B).

Securities Fraud Claims and Cybersecurity Risk Disclosures. Apart from securities fraud claims arising from the Security Statement,[9] Judge Engelmayer dismissed all charges against the Company and its CISO based on the cybersecurity risk disclosures in SolarWinds’ public filings, as well as other public-facing materials such as blog posts, podcasts, and press releases. If other courts follow this lead, public companies and their CISOs can take comfort that non-specific marketing statements regarding cybersecurity may not lead to individual securities laws liability.

In his ruling, Judge Engelmayer held that SolarWinds’ cybersecurity risk disclosures “enumerated in stark and dire terms the risks the company faced were its cybersecurity measures to fail” and that while a reasonable investor “could easily have been led astray by the Security Statement, such an investor could not have been misled by the risk disclosure.”[10] He noted that “the case law does not require . . . the company set out in substantially more specific terms scenarios under which its cybersecurity measures could prove inadequate,” as this could “backfire” by giving threat actors information to exploit or otherwise mislead investors about risks disclosed by the company in less detail.[11] As for the SEC’s argument that the risk disclosures should have been updated after two incidents leading up to the SUNBURST attack,[12] Judge Engelmayer ruled that while companies have a duty to tell the whole truth once they speak on an issue or topic, SolarWinds did not have an obligation on the facts as pled to update its cybersecurity risk disclosures since it had already warned investors “in sobering terms”[13] of the relevant risks of a cyberattack.[14] Instead, the Company’s risk disclosures should be evaluated “based on the information the company had in real-time and the conclusions it reasonably drew from that information,” not with the benefit of hindsight.[15] By extension, Judge Engelmayer also dismissed all claims against SolarWinds’ CISO related to sub-certifications he provided to senior management responsible for certifying the Company’s SEC filings, deeming them “logically unsustainable.”[16]

Internal Accounting Controls Violations Under Section 13(b)(2)(B). Relying on well-established canons of statutory interpretation[17] and case law precedent analyzing Section 13(b)(2)(B),[18] Judge Engelmayer held that the statutory requirement to devise and maintain a system of internal accounting controls requires issuers to “accurately report, record and reconcile financial transactions and events.”[19] Adopting the SEC’s expansive interpretation of the statute to cover all systems companies use to protect all of their assets (such as cybersecurity controls) was not supported by the plain reading of the statute and would have undesirably “sweeping ramifications,” by granting the agency authority to regulate a host of activities that Congress did not originally intend.[20] Thus, the court concluded that while cybersecurity controls are important, they are not internal accounting controls.[21]

Disclosure Controls. The court also dismissed the SEC’s disclosure controls claim, holding that a failure to accurately assess the severity of a cybersecurity incident is not, by itself, sufficient to establish a deficiency in disclosure controls. The court made clear that “errors happen without systematic deficiencies.”[22]

Conclusion. As a result of this decision, the remaining claims involve Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act, which may be challenging, though not impossible, to dispose of at summary judgment. Given the ruling, companies should carefully consider the benefits of sharing detailed, non-mandatory statements about cybersecurity controls (and the accuracy of such information) against the potential risks of these statements being used to support a violation of the securities laws.


[1] No. 125, 1:23-cv-09518-PAE (S.D.N.Y. July 18, 2024) (hereinafter “ECF 125”).

[2] ECF 125 at 68.

[3] ECF 125 at 74.

[4] ECF 125 at 75–76.

[5] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, SEC Release No. 84429 (Oct. 16, 2018).

[6] ECF 125 at 57.

[7] ECF 125 at 54.

[8] ECF 125 at 59.

[9] In particular, statements made by the Company that it had strong access controls and a strong password policy, despite internal awareness of an allegedly expansive use of administrative privilege rights and a virtual private network vulnerability.

[10] ECF 125 at 70.

[11] ECF 125 at 73.

[12] In late 2020, certain SolarWinds customers discovered that Russia-backed hackers had accessed SolarWinds’ systems and inserted malicious code into its Orion software platform, which allowed the threat actors to access certain customers’ network environments.

[13] ECF 125 at 75.

[14] ECF 125 at 74–75.

[15] ECF 125 at 76.

[16] ECF 125 at 81.

[17] Namely, the principle of “noscitur a sociis,” which states that a word should be interpreted in the context of neighboring words it is associated with.

[18] See, e.g., SEC v. World-Wide Coin Investments, Ltd., 567 F. Supp. 724 (N.D. Ga. 1983); McConville v. SEC, 465 F.3d 780 (7th Cir. 2006), as amended on denial of reh’g and reh’g en banc (Jan. 17, 2007).

[19] ECF 125 at 98.

[20] ECF 125 at 100.

[21] ECF 125 at 98.

[22] ECF 125 at 104.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.