By Cam Sivesind
Tue | Jul 30, 2024 | 11:20 AM PDT

On July 18th, a federal judge in New York dismissed most of the claims brought by the U.S. Securities and Exchange Commission (SEC) against SolarWinds Corp. and its Chief Information Security Officer, Timothy G. Brown. The decision concerns the company's cybersecurity practices and public disclosures before and after the SUNBURST supply-chain attack.

The SEC's lawsuit against SolarWinds and Brown stemmed from the massive cyberattack that was discovered in December 2020. The attack, attributed to sophisticated hackers allegedly linked to Russian intelligence, compromised numerous SolarWinds customers, including multiple U.S. government agencies and Fortune 500 companies. The SEC accused SolarWinds of failing to adequately disclose cybersecurity risks and vulnerabilities, which allegedly misled investors about the company's security posture and internal controls.

[RELATED: Wells Notice Against SolarWinds CISO Could Be First of Its Kind]

In the recent ruling, the judge dismissed several critical aspects of the SEC's case:

  1. Pre-SUNBURST Risk Factor Disclosure: The court found that the SEC did not sufficiently demonstrate that SolarWinds misrepresented its cybersecurity risk factors before the SUNBURST attack. These disclosures were deemed adequate in conveying the potential cybersecurity risks that the company faced at that time.

  2. Post-SUNBURST Form 8-K Disclosure: The judge also dismissed claims related to SolarWinds' disclosures following the discovery of the SUNBURST attack. The Form 8-K filings, which are required for major events affecting a company, were considered to have met the necessary disclosure standards.

  3. Internal Accounting and Disclosure Controls: The SEC's allegations that SolarWinds failed to maintain effective internal accounting controls and disclosure controls were also dismissed. The court was not persuaded that the alleged cybersecurity control gaps supported a claim under these provisions or that the company's disclosure controls were shown to be deficient.

However, the court allowed one significant claim to proceed: securities fraud. The SEC alleges that SolarWinds made materially false or misleading statements about its cybersecurity practices in the security statement published on its website, overstating the strength of its defenses and thereby misleading investors about the true state of its cyber resilience.

"My advice/takeaway here is to focus on the surviving claims and not take too much solace from the fact that 'most' of the SEC's claims were dismissed by the court," said Jake Bernstein, Esq., Partner, Data Protection, Privacy & Security Group, K&L Gates LLP. "Appeals notwithstanding, the claim that survived is perhaps the most consequential and the most relevant to the SEC's enforcement goals: securities fraud can include overly vague or optimistic statements about a company's cybersecurity posture if later events prove such statements to be false or misleading."

The ruling has notable implications for SolarWinds and for cybersecurity disclosure practices more broadly. Although a district court decision is not binding precedent, the dismissal of most claims offers public companies guidance on how cybersecurity risks and incidents can be disclosed in SEC filings, and it emphasizes the importance of clear, accurate, and comprehensive risk factor disclosures.

The decision underscores the increasing regulatory scrutiny that companies face regarding their cybersecurity practices and public disclosures. Organizations must ensure that their cybersecurity risk disclosures are thorough and reflective of their actual security posture.

For SolarWinds, while the dismissal of most claims is a relief, the ongoing securities fraud claim could impact investor confidence. The company needs to address the allegations robustly and demonstrate improved cybersecurity measures to regain trust.

"I think a lot of security leaders are breathing easier after the dismissal. In my conversations with various security leaders, there was a lot of concern on how to have honest discussions about cybersecurity within an organization without exposing the organization to potential liability based on those discussions," said Richard Halm, Senior Attorney, Clark Hill PLC. "Had the case moved forward as-is, it really would have had a chilling effect on the ability of cybersecurity leaders to be honest both within their cybersecurity group and with leadership teams."

Halm continued, "By narrowing the scope of the case to statements regarding cybersecurity that were publicly posted on the company's website, companies now know that they must scrutinize what they say publicly regarding cybersecurity measures and processes more closely. These statements must accurately describe what is happening behind the scenes. Most importantly, cybersecurity teams can continue to have honest conversations both internally and with the leaders of their companies."

The case highlights the critical role of CISOs and other cybersecurity leaders in maintaining transparent and effective security practices. Accountability at the executive level is essential for fostering a culture of security and compliance.
