On October 30, 2023, the Securities and Exchange Commission (“SEC”), filed a complaint against SolarWinds Corp. (“SolarWinds” or the “Company”) for fraud and internal and disclosure controls failures relating to allegedly known cybersecurity risks and vulnerabilities for a period spanning from October 2018 until January 2021. The complaint also charged the Solar Winds Chief Information Security Officer, Timothy G. Brown (“Brown”) with fraud and for aiding and abetting the company’s violation of securities laws, (collectively, the “Complaint”). Notably, it was during this period of time (December 2020) that FireEye, a cybersecurity firm, uncovered and announced SUNBURST – a supply chain compromise of the SolarWinds Orion network management software (“Orion”).1
The SEC alleges that SolarWinds defrauded its investors and customers through misstatements and omissions that concealed the company’s alleged poor cybersecurity practices and cybersecurity risks. Among other things, the SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
We note that this Complaint is significant for a number of key reasons. First, it focuses not only on SEC filings, but also on statements on the Company’s website. Second, although the Complaint refers to the SUNBURST supply chain attack, it alleges there were violations even without the breach. Third, it stands out for implicating both SolarWinds and its CISO personally, who is typically not a primary participant in the securities disclosure process. Fourth, the Complaint does not target other management who typically are involved in that process. Finally, it highlights the SEC’s focus on ensuring that statements on a company’s website or in its securities filings align with a company’s actual practices.
At a time where many, if not most, public companies are preparing for compliance with the new SEC cybersecurity disclosure rules (see our blog and our post on this topic), the Complaint underscores a stark message to companies to:
- ensure that all of their public statements conform to their actual practices (taking into account known issues);
- implement strong internal and disclosure controls calibrated to their cybersecurity risk environments;
- confirm that disclosures and documentation reflect the company’s actual governance mechanisms; and
- confirm that escalation pathways for disclosure assessments are properly documented and implemented.
We will provide additional thoughts and recommendations in a forthcoming client alert. As an initial matter, we have provided a high-level summary of some key allegations below.
Summary of Key Allegations
The Complaint alleges that “SolarWinds and/or Brown made materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices in at least three types of public disclosures: statements purporting to describe the Company’s cybersecurity practices and policies (the “Security Statement”), SEC registration statements and periodic reports (i.e., Form S-1 and S-8 Registration Statements and Forms 10-K and 10-Q), and the Form 8-K filed December 14, 2020 regarding SUNBURST.
The Security Statement
The Complaint alleges that before the Company’s IPO, SolarWinds posted a “Security Statement” on its public website, which the SEC characterized as a the “positive” portrayal of the Company’s cybersecurity practices: “assuring the public that SolarWinds followed well-recognized cybersecurity practices when, in reality, the Company’s cybersecurity practices fell significantly short of those standards.” More specifically, the Complaint alleges that SolarWinds made false statements pertaining to its compliance with the National Institute of Standards and Technology Cybersecurity Framework (“NIST”) with respect to its evaluation of cybersecurity practices, use of a secure development lifecycle (“SDL”) when creating software for customers, password protection protocols, and access controls, among other things.
As an example, the SEC alleges that despite claiming to follow the NIST framework in its Security Statement, SolarWinds met only a small fraction of the cybersecurity controls laid out in NIST (according to multiple internal assessments between 2019 and 2021). Similarly, the Complaint also alleges that internal employee communications reflect that the SDL did not apply to certain programs. With respect to passwords, the SEC alleges that SolarWinds did not comply with its password policy.
SEC Filed Registration Statements and Periodic Reports
Among other things, the SEC alleges that at no point between the time of its IPO in October 2018 and the disclosure of Sunburst in December 2020 did SolarWinds disclose the numerous risks, vulnerabilities, and incidents affecting its products in its SEC filings or elsewhere. Instead, the SEC alleges, “SolarWinds disclosed the same hypothetical, generalized, and boilerplate description that had appeared in its October 2018 Form S-1” in each of its subsequent periodic disclosure and registration statements.
The SEC further alleges that SolarWinds then repeated the generic disclosures in certain additional 10-Q, 10-K, S-8 and S-1 filings during the relevant period. Notably, the Complaint asserts that even if some of the individual risks did not rise to the level of requiring disclosure, their aggregate created an increased risk warranting disclosure.
Form 8-K Disclosing the SUNBURST Attack
The SEC alleges that on December 14, 2020, SolarWinds filed a Form 8-K with the SEC that publicly disclosed the SUNBURST attack, but which created a materially misleading picture of the Company’s knowledge of the impact of the attack. According to the Complaint, in the Form 8-K SolarWinds stated that the vulnerability “could potentially allow an attacker to compromise the server on which the Orion products run” despite knowing that this vulnerability was not, in fact, theoretical.
Similarly, the SEC notes that SolarWinds stated that it hired third-party cybersecurity experts to investigate , including to determine “whether a vulnerability in the Orion monitoring products was exploited,” however, the SEC alleges that SolarWinds definitely knew that the vulnerability was exploited.
Other allegations in the Complaint pertain to the CISO, including charges that Brown aided and abetted SolarWinds in its various securities laws violations. With respect to alleged materially false or misleading statements and alleged cybersecurity lapses and failure to escalate appropriately, the SEC charges Brown with having “knowledge or reckless lack of knowledge.” For example, the Complaint alleges that in June 2018, a Company engineer identified a security gap relating to access to SolarWinds’ virtual private network (VPN) by which a user could log on from an unmanaged device. The Complaint alleges that this vulnerability was shared with Brown and that despite the gravity of the concern raised, Brown failed to elevate the matter further.
Furthermore, the SEC alleges that Brown signed sub-certifications for each quarter and that he “knew, or was reckless or negligent in not knowing, that certification was false because the numerous, documented cybersecurity failures prevented SolarWinds from having effective controls.”
1 In a blog post published January 11, 2021, SolarWinds said the attackers first compromised its development environment on September 4, 2019. Impacted customers included numerous federal and state government agencies, and more than 1,500 publicly traded U.S. companies.