On October 30, 2023, the SEC announced charges against software company SolarWinds Corporation and its chief information security officer ("CISO"), Timothy Brown, for allegedly making material misstatements about the company's cybersecurity practices and its description of the breach, for failing to maintain reasonable internal controls to safeguard the company's crown jewel assets, and for failing to maintain reasonable disclosure controls.1 The SEC investigation followed SolarWinds' widely reported 2020 breach, which was felt throughout the US economy. The case emphasizes that companies must ensure that those approving public disclosures have accurate and complete information about cybersecurity risks and incidents, and that individuals who hold that information may be liable for failing to escalate cybersecurity incidents and vulnerabilities to those responsible for the public disclosures.

SolarWinds designs and sells network monitoring software. One of its network management platforms, Orion, accounted for approximately 45 percent of SolarWinds' revenue. Between 2019 and 2020, SolarWinds experienced a two-year-long cybersecurity incident in which the threat actor inserted malicious code into the Orion products, which were then sold to more than 18,000 customers globally. The SEC's Complaint alleges that between 2018 and 2021, the Company and the CISO misled investors about the strength of its cybersecurity protocols, which were allegedly not reasonably designed to protect its critical assets, including Orion. The SEC further alleges that the Company and the CISO misled investors about the incident and its impact.

According to the SEC, between October 2018 and January 2021, SolarWinds and the CISO made allegedly false public statements touting strong and secure cybersecurity practices in line with internationally recognized standards. These statements were allegedly starkly at odds with the vulnerabilities known internally. The SEC alleges that the false statements fell into four categories: (1) compliance with the National Institute of Standards and Technology Cybersecurity Framework ("NIST Framework") for evaluating cybersecurity practices; (2) use of a secure development lifecycle ("SDL") when creating software for customers; (3) strong password protection; and (4) good access controls.

According to the SEC, contrary to its public statements, SolarWinds did not follow a majority of the controls laid out in the NIST Framework and had "no program/practice" in place for a majority of them. In addition, the SEC alleges that SolarWinds, contrary to its disclosures, did not follow an SDL process for its software platforms, including Orion. After an engineer pointed out to senior managers that the SDL section of its public statements was false, SolarWinds made a plan to adopt and roll out an SDL. But per the SEC, "taking steps to implement an SDL is a far cry from presently employing an SDL as represented."2 The SEC further alleged that while SolarWinds claimed to have a strong password policy, it in fact failed to enforce or comply with its own password policy on multiple occasions. Finally, the SEC alleges that the Company had poor access controls, granting employees unnecessary "admin" rights and privileges to more systems than their work required. In June 2018, for example, a security gap in virtual private network (VPN) access was identified whereby a user could evade the Company's data loss prevention software by logging into the VPN from a personal device (endpoint-based data loss prevention only covers devices on which its agent is installed, so an unmanaged personal device on the VPN sat outside its reach). Despite warnings about this risk, the CISO failed to escalate the matter or remediate the vulnerability.

The SEC's Complaint is replete with internal electronic communications, including emails and instant messages, which the SEC contends show that employees knew the cybersecurity practices were insufficient. For example, the CISO wrote in a presentation that the "current state of security leaves us in a very vulnerable state for our critical assets."3 In addition, the SEC alleges that the CISO signed sub-certifications attesting to the adequacy of the Company's cybersecurity internal controls, on which executives relied in connection with periodic reports filed with the SEC. Yet, according to the SEC, nothing in the Company's SEC filings alerted investors to the actual risks that existed.

SolarWinds subsequently suffered a cyberattack in which the threat actors connected to the VPN from an unmanaged third-party device, stole credentials, and exfiltrated employee and customer data. The threat actors then inserted malicious code into the Orion software, which affected thousands of SolarWinds' customers by enabling access to those customers' systems. According to the SEC, after the Company and the CISO learned of the increased threats and attacks against customers, the Company's public filings remained silent on those issues. For example, the SEC alleges that in May 2020 a US government agency alerted the Company and the CISO that the Orion software was attempting to contact unknown websites and asked the Company to investigate. The subsequent internal investigation, although it found numerous vulnerabilities, failed to discover the root cause of the malicious activity or otherwise remediate the issue and protect the Orion platform from future attacks. Nevertheless, the Company's public statements in this period did not address these issues.

Later that year, a cybersecurity firm notified SolarWinds that it, too, was experiencing an issue with the Orion software. The SEC contends that, rather than disclosing the issue, the Company actively concealed it from the cybersecurity firm. Despite these reports, SolarWinds did not publicly disclose the cybersecurity incident until December 2020, and the SEC alleges that even then the disclosure was insufficient.

After learning that malicious code had been inserted into the Orion platform, the Company and the CISO prepared a Form 8-K disclosing the attack. However, the SEC alleged that the disclosure was materially misleading because it spoke in hypothetical terms. Specifically, the Form 8-K stated that the malware inserted into the Orion product "could potentially allow" an attacker to compromise the server on which Orion runs.4 This statement was false, according to the SEC, because by that point SolarWinds knew the risk was definite, not merely hypothetical. The SEC charged the CISO with violating the antifraud provisions of the Securities Act of 1933 and with aiding and abetting the Company's violations. Importantly, the SEC placed significant weight on Brown's allegedly false statements in reports, such as the Form 8-K, and on his false sub-certifications to executives.

The SEC also alleges that the Company had multiple internal control failures and deficient disclosure controls. A reporting company must devise and maintain a system of internal accounting controls that provides reasonable assurance that access to assets is permitted only in accordance with management's general or specific authorization. In addition, a company must maintain disclosure controls and procedures designed to ensure that information about potentially material cybersecurity risks, incidents, and vulnerabilities is reported to executives in a timely manner. The SEC's Complaint alleges that the Company's Incident Response Plan required only incidents affecting multiple customers to be reported upward, so that numerous issues went unreported. For the reasons cited above, the SEC alleges that the Company's information technology infrastructure failed to protect one of its most critical assets, the Orion platform. The SEC further alleges that even absent the cybersecurity incident, the internal controls and disclosure controls were not reasonably designed given the known risks facing the Company.

Key takeaways

  • When cybersecurity incidents occur, companies cannot rely on generic, hypothetical risk disclosures stating that cybersecurity incidents could result in significant loss. In those circumstances, lumping cybersecurity incidents in as a potential and hypothetical risk, alongside a long list of other risks, is not sufficient.
  • Senior management, including CISOs and other senior cyber or IT employees, should make sure that what they are sharing about the company's cybersecurity framework is accurate and that the existence and impact of incidents are shared with individuals making disclosure determinations. Companies should train IT and cybersecurity personnel on how and when they should escalate such issues. And certainly, any individual who knowingly conceals issues from disclosure can face individual liability. In this particular case, the CISO allegedly said, "I'm in control of what we share…I called the [pending issues] that were partially mitigated as mitigated."5
  • Companies' disclosure controls and procedures need to ensure that potential cybersecurity risks, incidents, and vulnerabilities are reported in a timely manner to the executives responsible for disclosures. These procedures should be overinclusive in order to avoid unreported incidents.
  • When a company discloses a cybersecurity incident, the disclosure needs to describe the impact of the incident and not create a misleading impression that minimizes the impact or risk.
  • Companies need to ensure they have internal controls to protect their critical assets. In this case, the Company knew that there were gaps in its program well before the cybersecurity incident occurred, but did little to enhance its practices.
  • The Complaint excerpts a number of internal grumblings about the Company's cybersecurity culture. Even casual communications between employees on internal instant messages, which are often devoid of context, can be woven into an alleged narrative and used against the participants in those communications.

Special thanks to Law Clerk Ian Slingsby (Washington, DC) for his assistance in the preparation of this content.


Footnotes

2   Id. ¶ 62.

3   Id. ¶¶ 1, 132.

4   Id. ¶ 187.

5   Id. ¶ 165.
