October 31, 2023

Cybersecurity Disclosure: SEC Enforcement Brings Fraud Charges Against CISO

Yesterday, the SEC announced that it has officially filed charges against SolarWinds – as well as its Chief Information Security Officer – in connection with the Enforcement Division’s long-running investigation of the cyberattack that came to light in December 2020 and was followed by a 35% drop in the company’s stock price. John flagged the “Wells Notice” a few months ago, noting that it was unusual (at least until now) for a CISO to be caught in the SEC’s crosshairs.

The 68-page complaint takes issue with alleged “hypothetical risk factors” and other perceived disclosure shortcomings – not just in SEC filings, but also on the company’s website. Here are a few of the claims that the SEC is making (quoted from the complaint, in which “Brown” refers to the CISO):

– In October 2018, the same month that SolarWinds conducted its Initial Public Offering through a registration statement with only generic and hypothetical cybersecurity risk disclosures, Brown wrote in an internal presentation that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”

– SolarWinds and/or Brown made materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices in at least three types of public disclosures:

(a) Statements that purported to describe the Company’s cybersecurity practices and policies, including a “Security Statement” posted to the Company’s website throughout the Relevant Period;

(b) Form S-1 and S-8 Registration Statements and periodic reports filed with the SEC throughout the Relevant Period; and

(c) A Form 8-K filed with the SEC on December 14, 2020 regarding the massive SUNBURST cybersecurity incident that impacted SolarWinds’ Orion software platform.

– The Security Statement was materially misleading because it touted the Company’s supposedly strong cybersecurity practices.

– SolarWinds’ SEC filings similarly concealed the Company’s poor cybersecurity practices. They contained general, high-level risk disclosures that lumped cyberattacks in a list of risks alongside “natural disasters, fire, power loss, telecommunication failures…[and] employee theft or misuse.” The cybersecurity risk disclosure was generic and hypothetical, allowing for negative consequences “[i]f we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches.”

This disclosure failed to address known risks. For example, it warned of an inability to defend against “unanticipate[d]… techniques” but failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the Security Statement. These general warnings were then repeated verbatim in each relevant filing, despite both the ongoing problems and the increasing red flags in 2020 that SolarWinds was not only being specifically targeted for a cyberattack, but that the attackers had already gotten in.

The complaint – which seeks permanent injunctions, disgorgement, a D&O bar, and civil penalties – lists internal communications and documents that the SEC says reflected known vulnerabilities that were not properly disclosed. According to the SEC, the defendants knew that the undisclosed information would be material to investors. The SEC also makes sure to note:

To be clear, SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack.

The lengthy complaint is full of interesting tidbits that I’m sure will be unpacked and analyzed over the coming months. It implies the SEC found it important that the CISO was an officer at the time of these events and signed sub-certifications attesting to the adequacy of the company’s cybersecurity internal controls. And in a parallel to the new Dodd-Frank clawback rules, the SEC didn’t like that he exercised options and sold SolarWinds stock during the time leading up to the announcement of the incident – “when SolarWinds’ stock price was inflated by the misstatements, omissions, and schemes discussed in this Complaint.”

That said, much of the 68-page complaint boils down to the basic notion that your disclosures can’t be materially misleading. For example, don’t say that you measured compliance with the NIST Framework but leave out that you don’t meet most of the Framework’s controls. And while the SolarWinds incident was unique in many ways, the alleged missteps also give the Enforcement Division a convenient opportunity to send a high-profile signal on disclosure controls – which have been the linchpin of a string of actions this year. The complaint also takes issue with internal controls over financial reporting, which SEC Chief Accountant Paul Munter warned companies about in August.

So, as Dave reminded us just last week, it’s as important as ever to “tune up” your cyber risk factors and take a close look at your policies & controls. We’ll be posting the inevitable flood of memos in our “Cybersecurity” Practice Area, but for now I leave you with these parting words from Enforcement Director Gurbir Grewal:

Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.

Liz Dunshee