Insight Analytical Note

SEC Charges SolarWinds with Making Misstatements about Cybersecurity

Summary:

  • On October 30th, 2023, the Securities and Exchange Commission (“SEC”) announced charges against SolarWinds Corporation and its chief information security officer, Timothy G. Brown (“Brown”), for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
  • SolarWinds provides software to companies and government agencies to manage information technology infrastructure. According to the SEC, the company made misleading statements about its own cybersecurity practices. The true nature of SolarWinds’ cyber deficiencies came to light after it suffered a massive cyber attack that affected its customers and shareholders.
  • SolarWinds and Brown were charged with ten violations of the Federal securities laws including Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act.
  • While SolarWinds was not an investment manager, the fact pattern alleged in the complaint is very applicable to the investment management industry.

Key Facts and Relevant Allegations:

  • False Statements: SolarWinds made several false statements about its cyber practices, many of which were revealed to be false through a review of internal communications. For example:
    • The company published a Security Statement on its website that falsely claimed that SolarWinds had a robust cyber infrastructure. In addition, the Security Statement omitted that SolarWinds (a) failed to consistently maintain a secure development lifecycle for software it developed and provided to thousands of customers, (b) failed to enforce the use of strong passwords on systems, and (c) failed to remedy access control problems that persisted for years.
    • SolarWinds’ SEC filings failed to disclose its poor cybersecurity practices and failed to list cybersecurity as a risk factor.
    • Internal communications supported the notion that SolarWinds made these statements knowingly.
  • Failure to Disclose Red Flags: SolarWinds failed to disclose red flags and warning signs in the lead-up to the revelation that it had been subject to the SUNBURST cyberattack.
    • Threat actors accessed SolarWinds’ systems in 2019 and inserted malicious code into its Orion product. Throughout 2020, Brown learned of multiple serious unexplained vulnerabilities in Orion, observed hackers’ unusual knowledge of SolarWinds’ user settings during a hacking attempt against SolarWinds’ MSP platform, and received information indicating that threat actors had directly breached SolarWinds’ systems. This information was not disclosed to customers or shareholders, and the SEC alleges that in some instances Brown lied to conceal it.
  • Equivocal Disclosure: Once SolarWinds learned of the attack, it prepared a Form 8-K that painted a misleading picture of the impact of the attack. Specifically, it used equivocal language in situations that were already clearly defined. For example:
    • The attack “could potentially allow an attacker to compromise the server” when in fact the server had been compromised.
    • That SolarWinds was still investigating “whether a vulnerability in the Orion monitoring products was exploited” when it was clear that a vulnerability was indeed exploited.
    • That SolarWinds was “still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited” when it knew exactly the extent of the exploitation.

Takeaways:

  • Disclosure is Still Key: Cybersecurity is a complex topic but the SEC still relies heavily on timely disclosure as the basis for underlying violations. This case also highlights that the Commission will focus on omissions as much as it focuses on misleading statements. Good disclosure should include information about key aspects of the cybersecurity program and information about material security breaches.
  • Equivocal Disclosure: In situations that are well defined, the Commission views equivocal disclosure – disclosures using words such as may, could, still investigating – the same as it would view an omission and therefore violative of the Federal securities laws.
  • ADV Risk Factors: While the SEC does not opine on the appropriate level of detail in cyber disclosure, ADV risk factors, although often general, provide some level of regulatory protection. Well-crafted risk factors may be the most practical method managers have to proactively reduce cyber disclosure risk.
  • Vendor Diligence: Investment managers who do not do basic cyber diligence on vendors risk exposing themselves to regulatory risk if their vendors cause data loss or identity theft. It remains to be seen if any SolarWinds customers will be charged with violations related to this hack.