On July 18, Judge Paul A. Engelmayer of the Southern District of New York issued the court’s decision in the closely followed SolarWinds SEC action on the defendants’ motion to dismiss the Securities and Exchange Commission’s (SEC) securities fraud and internal accounting and disclosure controls claims. The action is notable for a number of reasons, including because it represents the first formal action by the SEC against a chief information security officer (CISO) and the first time the SEC has pursued civil fraud claims in federal court against a public company related to its cybersecurity disclosures, spurring amicus briefing by parties including the U.S. Chamber of Commerce and current and former cybersecurity executives.
The court granted the motion in large part and dismissed the SEC’s claims based on (1) “puffery” statements about the strength of the company’s cybersecurity; (2) statements about the company’s ongoing cybersecurity risks; and (3) statements describing the incident at issue. The court also dismissed the SEC’s claims alleging internal accounting and disclosure controls violations and the related aiding and abetting claims against the CISO.
The court, however, denied the defendants’ motion as to the representations in SolarWinds’ Security Statement, which was posted before the incident and touted specific strengths of SolarWinds’ cybersecurity, including access controls and the company’s password policy. The securities fraud claims as to statements in the company’s Security Statement are the only claims remaining for both SolarWinds and the CISO personally.
Surviving Claims
- The court denied the company’s motion to dismiss the SEC’s securities fraud claims based on its Security Statement, which stated in relevant part that SolarWinds (1) had strong password protections; (2) maintained good access controls; (3) complied with the National Institute of Standards and Technology (NIST) framework for evaluating cybersecurity practices; (4) used a secure development life cycle to create its software; and (5) employed network monitoring.
- In denying the motion, the court focused primarily on the password protections and access controls and noted that SolarWinds posted the statement without addressing its known cybersecurity deficiencies for both. The court held that all purported misrepresentations in the statement collectively bear on the Security Statement’s central thesis that SolarWinds’ cybersecurity practices were strong, which the SEC alleged was false and misleading.
- The court further explained that a reasonable person contemplating investing in SolarWinds would have viewed the “gap” between SolarWinds’ statements on cybersecurity and its on-the-ground practices involving cybersecurity as highly consequential and “significant in making investment decisions.” The court also noted that, while data security is important for all companies, SolarWinds’ cybersecurity practices were of magnified importance because they were central to its ability to obtain and retain business.
- The court found that the SEC’s amended complaint “easily” pleaded the CISO’s scienter (intent) because he approved the Security Statement and was privy to internal information contradicting the statement’s representations. The court also found that the CISO’s scienter was properly imputed to SolarWinds as a corporate entity given the CISO’s lead role on cybersecurity matters at the company.
Dismissed Claims
- Internal Accounting Controls. Perhaps most notably, the court concluded that the SEC’s authority to regulate an issuer’s system of internal accounting controls cannot reasonably be interpreted to cover a company’s cybersecurity controls. The SEC had brought claims alleging that SolarWinds’ information technology network environment and software products were critical company assets, and therefore SolarWinds’ poor cybersecurity controls constituted a violation of internal accounting controls requiring issuers to develop reasonable safeguards against unauthorized access to company assets. The court concluded that the “internal accounting controls” plainly refers to financial accounting, and not other controls, as a matter of statutory construction. The court also dismissed the related aiding and abetting claim against the CISO.
- Disclosure Controls. The court dismissed the SEC’s disclosure control claims because SolarWinds had a system of controls in place to facilitate the disclosure of potentially material cybersecurity risks and incidents. The court also dismissed the SEC’s disclosure-control claim against the CISO, which was based on a presentation, delivered as early as 2018, that made the CISO aware of a VPN vulnerability which later led to the incident at issue. The court found that the SEC’s claim as to the presentation was only viable with the benefit of hindsight. The court also dismissed the related aiding and abetting claim against the CISO.
- Press Releases, Blog Posts, and Podcasts. The court dismissed the SEC’s allegations as to pre-incident statements about the company’s “high security standards” and “heavy-duty [cybersecurity] hygiene” made in press releases, blog posts, and podcasts, holding that each statement qualified as non-actionable corporate puffery and thus was too general for a reasonable investor to rely on.
- Risk Factor Disclosures. The court also dismissed the SEC’s allegations as to the risk factor disclosures in SolarWinds’ pre-incident SEC filings, which the SEC alleged were boilerplate and generic and did not adequately represent the risks SolarWinds faced because of its cybersecurity practices. The court found that the cybersecurity risk disclosure included in “stark and dire terms” the risks the company would face if its cybersecurity practices failed and was not required to disclose two less-critical prior incidents in light of such terms. The court noted in its analysis that the disclosure detailed the unique risks that SolarWinds faced as a cybersecurity company.
- The SEC had also alleged that the CISO acted with the requisite intent in failing to amend SolarWinds’ cybersecurity risk disclosures following the two smaller cybersecurity incidents before the incident at issue. The court rejected that theory and held that the SEC had not adequately pleaded that the CISO engaged in conscious misbehavior in failing to amend the cybersecurity risk disclosures.
- 8-K Disclosures of the Incident. The court dismissed all claims as to the post-incident disclosures, which the SEC alleged wrongfully portrayed the threat actor’s ability to compromise SolarWinds’ servers as hypothetical. The court found that the December 14, 2020 Form 8-K disclosing the incident was not materially misleading, in part because it disclosed the attack with appropriate gravity and detail, particularly in light of the fact that it was filed just two days after SolarWinds discovered the breach. The court noted that the SEC did not allege that any statement in the Form 8-K was factually inaccurate and that the “lengthy” disclosure, when read as a whole, adequately disclosed the severity of the attack. Note, however, that the SEC’s new cyber rules were not in place at the time SolarWinds issued the Forms 8-K at issue.
The district court’s decision on SolarWinds’ motion to dismiss is subject to appeal.
Key Takeaways
- Just a few weeks ago, the SEC reached a settlement in another cybersecurity-related action in which the SEC claimed the company failed to maintain “sufficient internal accounting controls” related to access to its technology systems and networks. Two commissioners publicly dissented, and now a federal court has declined to permit the SEC to extend its authority to pursue alleged violations of internal accounting controls regulations related to cybersecurity policies. Despite these “setbacks,” it remains to be seen whether the SEC will continue to pursue claims that expand the meaning of “accounting controls” to include what have been traditionally thought of as information security controls.
- While most (if not all) cyber-related enforcement actions have included disclosure-controls-related allegations, this appears to be one of the first times a federal court has considered the SEC’s allegations of cyber-related disclosure control violations. The court’s analysis of the disclosure control claims was highly fact-specific, and, unlike the internal accounting controls decision, there is no question of the SEC’s statutory authority to pursue such disclosure control claims in future enforcement actions.
- Also apparently for the first time, a federal court allowed securities fraud claims brought by the SEC to proceed against a company’s most senior cybersecurity professional—in this instance, based on a statement posted on the company’s website. This may suggest that the SEC is focusing on individual liability of actors beyond the CEO and CFO and on non-traditional statements outside of SEC filings. Documents similar to the Security Statement should be considered in-scope for SEC enforcement and should be subjected to legal review accordingly.
- The court rejected all claims related to statements made after the incident, noting that the statements were made while the company’s understanding of the incident was still evolving. This is a notable acknowledgment by the court of the challenges of disclosing an incident soon after discovery when it is notoriously difficult to ingest rapidly changing information.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.