July 25, 2024
On July 18, 2024, the U.S. District Court for the Southern District of New York largely granted SolarWinds’ motion to dismiss and dismissed most of the SEC’s claims against the company and its former Chief Information Security Officer (CISO).[1] The SEC’s action against SolarWinds related to a highly publicized compromise of the company in 2020 that was attributed to Russia’s Foreign Intelligence Service (SVR), which had inserted malware into a routine SolarWinds software update. Although thousands of SolarWinds customers received the software update, the SVR used the compromise to access the environments of certain SolarWinds customers in the government and private sector (the “SUNBURST” incident).
The court dismissed most of the claims advanced by the SEC relating to its disclosures, including SolarWinds’ Form 8-K filings, but did sustain claims against SolarWinds and its CISO alleging that a “Security Statement” posted on its website in 2017 may have been false or misleading.
The decision is noteworthy for several reasons:
Background
On October 30, 2023, the SEC filed a complaint against SolarWinds and its former CISO alleging that they made materially false and misleading statements and omissions on the company website, in blog posts, press releases, its Form S-1, and quarterly and annual SEC reports prior to the incident, and did the same in two reports on Form 8-K in which the company disclosed the incident.[4] The SEC also conducted an investigation regarding the SUNBURST incident and issued a letter to certain companies because the SEC staff believed those entities were impacted by the SolarWinds compromise, requesting that they provide information to the staff on a voluntary basis.[5] In February 2024, the SEC filed an amended complaint including factual details to support its allegations that SolarWinds and its CISO were aware of the company’s weak security practices yet made contrary statements about its strength in SolarWinds’ Security Statement.[6] The Defendants filed a motion to dismiss on March 22, 2024,[7] and the court issued its order on July 18, 2024.
July 18, 2024 Order
The court largely granted Defendants’ motion to dismiss, sustaining only the SEC’s claims alleging securities fraud based on allegations that the company made false or misleading representations in a “Security Statement” posted to SolarWinds’ website. Specifically:
The court dismissed most of the SEC’s securities fraud claims regarding SolarWinds’ statements about its strong security that it made in press releases, blog posts, podcasts and securities filings. However, the court allowed the SEC’s claims based on the Security Statement on SolarWinds’ website to proceed.[8]
The “Security Statement”
The court found that the SEC adequately pled that the Security Statement posted on SolarWinds’ website contained materially misleading and false representations as to at least two of SolarWinds’ cybersecurity practices: access controls and password protection policies. The court’s holding was based on the allegations in the complaint that SolarWinds had made statements touting that it had strong access controls and password policies when its internal practices and discourse instead “portrayed a diametrically opposite representation for public consumption.”[9] Specifically, the court found that the complaint alleged that the company’s access controls had “deficiencies” that “were not only glaring—they were long-standing, well-recognized within the company, and unrectified over time,” and its password policies were generally not enforced.[10] The court also found that the amended complaint “amply” alleged scienter, including that the former CISO knew of the substantial body of data that impeached the security statement’s content as false and misleading.[11]
The court importantly explained that false statements on public websites can sustain securities fraud liability, as the security statement at issue appeared on SolarWinds’ public website, accessible to all, including investors, and therefore was, according to the court, unavoidably part of the “total mix of information” that SolarWinds furnished to the investing public.[12] The court emphasized that for purposes of evaluating materiality, each representation should be considered collectively, rather than in isolation, as investors evaluate the whole picture.
Press Releases, Blog Posts, and Podcasts
The court dismissed the SEC’s claims that SolarWinds made false and misleading statements related to the 2020 incident in press releases, blog posts, and podcasts explaining that each qualifies as non-actionable corporate puffery, “too general to cause a reasonable investor to rely upon them.”[13] As the court noted, while public statements, such as the website security statement, can serve as the basis for a material misstatement when they contain a degree of specificity, general statements by an issuer about the strength of their cybersecurity program were not sufficient to support a fraud violation.
Pre-Incident Public Filings
The court dismissed each of the SEC’s claims that SolarWinds’ cybersecurity risk disclosures in its SEC filings did not accurately reflect the risks that the company faced. The court found that, viewed in totality, the risk disclosures sufficiently alerted the investing public of the types and nature of the cybersecurity risks SolarWinds faced and the consequences these could present for the company’s financial health and future.[14] The court also held that, on the facts pled, SolarWinds was not required to amend its cybersecurity risk disclosures for certain cyber incidents as the company’s cybersecurity risk disclosures already warned investors of the risks “in sobering terms.”[15]
In the court’s view, issuers are not required to disclose cybersecurity risks with “maximum specificity,” as, according to the court, spelling out a cybersecurity risk may backfire in various ways, such as by arming malevolent actors with information to exploit or by misleading investors when other risks are disclosed with comparatively less specificity.[16]
Post-incident Form 8-K
The court found that the SEC did not adequately plead that the post-incident Form 8-K was materially false or misleading, as the disclosure fairly captured the known facts and disclosed what was required for reasonable investors. The court also acknowledged that the impact on stock prices indicated that the market “got the message” (noting SolarWinds’ share prices dropped more than 16% the day of the announcement, and another 8% the next day),[17] and emphasized that SolarWinds published the disclosure just two days after discovering the compromise, when it was still in the early phases of its investigation and had a limited understanding of the attack.
The court found that the SEC’s attempt to bring a claim under Section 13(b)(2)(B) of the Exchange Act (relating to internal accounting controls) was unsupported by legislative intent, as the surrounding terms that Congress used when drafting Section 13(b)(2)(B), which refer to “transactions,” “preparation of financial statements,” “generally accepted accounting principles,” and “books and records,” are uniformly consistent with financial accounting.[18] The court’s deep skepticism of the claim that Congress intended to confer the SEC with such authority is reflected in the analogy that doing so would be tantamount to “hid[ing] elephants in mouseholes.”[19] The court also found that the few courts that interpreted the term “internal accounting controls” as used in this section “have consistently construed it to address financial accounting.”[20] In this respect, the court’s conclusion is consistent with the views expressed in several dissents by Commissioners in other settled enforcement actions in which the SEC has used the internal accounting controls provision to impose liability for non-financial related conduct.[21]
The court sided with SolarWinds in rejecting the SEC’s claims that the company failed to maintain and adhere to appropriate disclosure controls for cybersecurity incidents. The court was unwilling to accept the SEC’s argument that one-off issues—even if the company misapplied its existing disclosure controls in considering cybersecurity incidents—gave rise to a claim that the company failed to maintain such controls. Importantly, this case relates to conduct prior to the adoption of the SEC’s 2023 cybersecurity rules, which have made it even more important for companies to maintain appropriate controls.
The court acknowledged that SolarWinds had misclassified the severity level of two incidents under its Incident Response Plan (IRP) and failed to elevate a vulnerability to the CEO and CTO for disclosure.[22] However, the court found that these instances—without more—did not support a claim that SolarWinds maintained ineffective disclosure controls.
The SEC did not plead deficiency in the “construction” of SolarWinds’ IRP, nor did it allege routine misclassification of incidents or frequent errors as a result of applying that framework.[23] The court implied that disclosure controls do not have to be perfect—they should provide reasonable assurance that information is being collected for disclosure consideration. The court thus found that the one-off issues identified by the SEC in applying the IRP and associated cybersecurity disclosure controls were not, without more, sufficient to “plausibly impugn [a] company’s disclosure controls systems.”[24]
Key Takeaways
Internal Accounting Controls.
Disclosure Controls and Procedures.
Assessing Fraud Claims Based on Public Disclosures.
[1] Opinion and Order, SEC v. SolarWinds Corp. and T. Brown, 1:23-cv-09518-PAE (S.D.N.Y. July 18, 2024) (hereinafter “Order”).
[2] Order at 3, 94–102.
[3] See Gibson Dunn Client Alert, “SEC as Cybersecurity Regulator” (June 20, 2024), available at https://www.gibsondunn.com/wp-content/uploads/2024/06/sec-as-cybersecurity-regulator.pdf?v2; R.R. Donnelley & Sons, No. 3-21969 (S.E.C. June 18, 2024) (order instituting cease and desist proceedings), available at https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf.
[4] Complaint, SEC v. SolarWinds Corp. and T. Brown, No. 23-cv-9518 (Oct. 30, 2023), https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf.
[5] In the Matter of Certain Cybersecurity-Related Events (HO-14225) FAQs, U.S. Securities and Exchange Commission, available at https://www.sec.gov/enforce/certain-cybersecurity-related-events-faqs.
[6] Am. Compl., SEC v. SolarWinds Corp. and T. Brown, No. 23-cv-9518-PAE (S.D.N.Y. Feb. 20, 2024).
[7] Mem. of Law in Support of Mot. to Dismiss, SEC v. SolarWinds Corp. and T. Brown, No. 23-cv-9518-PAE (S.D.N.Y. Mar. 22, 2024).
[8] See Order at 3.
[9] Order at 54.
[10] Order at 54.
[11] Order at 61.
[12] Order at 51 (citation omitted).
[13] Order at 68 (citation omitted).
[14] Order at 71–79.
[15] Order at 75.
[16] Order at 73.
[17] Order at 90.
[18] Order at 96.
[19] Order at 100.
[20] Order at 97–98.
[21] 2023 Year-End Securities Enforcement Update – Gibson Dunn (end notes 20–22); SEC Statement, The SEC’s Swiss Army Statute: Statement on Charter Communications, Inc. (Nov. 14, 2023), available at https://www.sec.gov/news/statement/peirce-uyeda-statement-charter-communications-111423#_ftn6.
[22] Order at 102–106.
[23] Order at 104.
[24] Order at 106.
[25] R.R. Donnelley & Sons, No. 3-21969 (S.E.C. June 18, 2024) (order instituting cease and desist proceedings), available at https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf.
[26] Order at 96.
[27] Order at 96–97.
Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Securities Enforcement, Privacy, Cybersecurity & Data Innovation, or Securities Regulation & Corporate Governance practice groups:
Securities Enforcement:
Tina Samanta – New York (+1 212.351.2469, [email protected])
Mark K. Schonfeld – New York (+1 212.351.2433, [email protected])
David Woodcock – Dallas/Washington, D.C. (+1 214.698.3211, [email protected])
Privacy, Cybersecurity and Data Innovation:
Ahmed Baladi – Paris (+33 (0) 1 56 43 13 00, [email protected])
S. Ashlie Beringer – Palo Alto (+1 650.849.5327, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])
Sophie C. Rohnke – Dallas (+1 214.698.3344, [email protected])
Securities Regulation and Corporate Governance:
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, [email protected])
Brian J. Lane – Washington, D.C. (+1 202.887.3646, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
James J. Moloney – Orange County (+1 1149.451.4343, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Michael Scanlon – Washington, D.C. (+1 202.887.3668, [email protected])
Lori Zyskowski – New York (+1 212.351.2309, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.