Between January, 2019, and December 2020, SolarWinds experienced one of the worst cybersecurity incidents in history. The SUNBURST supply chain cyberattack, which was highly sophisticated and purportedly conducted by Russian government threat actors, compromised SolarWinds “Orion” software that is used to manage networks of thousands of entities in the US and abroad. Over 18,000 entities, including many US government agencies, were impacted.
The SEC filed multiple securities fraud claims against SolarWinds and its Chief Information Security Officer (CISO) related to the breach. Although there are a number of other claims, the action references a “Security Statement” from the SolarWinds website 61 times in 38 separate paragraphs. The declarations from the Security Statement are the basis for many of the security fraud claims, even though the Security Statement was not included in SolarWinds’ publicly filed 10-K or 10-Qs reports. The SEC cites failures in access controls, authentication, password policies and the software development lifecycle (SDLC) as the basis for claiming that the Security Statement made was false and misleading. The SEC also used internal SolarWinds emails and chats to demonstrate that the Security Statement declarations are false. Then, the SEC claimed that the information in the emails and chats demonstrated weaknesses that were not appropriately described in the Security Statement, and should have been disclosed in public filings.
First, although the SEC recently enacted Rules to require companies to improve their disclosure on Cybersecurity, using a Security Statement from the website as the basis of securities fraud claims is somewhat novel. Many companies have similar statements that are high level and not written in the way that a securities disclosure would be written. And, the SEC complaint refers to statements made outside of the Security Statement by the CISO as contributing to the securities fraud.
Every company struggles with access controls, authentication, and a secure SDLC. Many companies publish high-level security statements. Public companies with a similar statement should very carefully review it with securities disclosure in mind. And, they should more carefully consider any public statement on cybersecurity to potentially be viewed as a securities disclosure. Also, public companies shouldn’t just look to the Rules. The SEC claimed violations of the Securities Act of 1933 (’33 Act) from disclosures, or lack thereof, in the Form S-1 filed in connection with SolarWinds’ public offering. The Rules do not address ’33 Act requirements.
Second, reading how the SEC used emails and chats in this way was chilling. Every company has IT and Information Security personnel complain about the poor status of systems, failure of management to invest in new security products, and the risks of breaches. They also make poor jokes, which the SEC also cites in the SolarWinds complaint. Paragraph after paragraph cite these internal statements to demonstrate the falsity of the Security Statement, and hence, the public filings. It is not practicable for companies to stop email and chat grumbling. They can, however, develop risk management policies and procedures, up to and including risk quantification, to provide clear evidence of risk acceptance and mitigation decisions.
Third, the SEC didn’t take into account that this was not one, but two, of the most sophisticated cyber attacks in history. It took the Russians (purportedly) multiple novel, also called 0 day, attacks to achieve the full breach. Then existing SDLC standards, even if they were fully implemented, would not have detected or prevented the inclusion of the malicious code in the final version of the Orion software. After the breach, SolarWinds published a white paper that outlines one of the top SDLC processes available and which is designed to prevent these attacks. The SEC did not recognize the extraordinary facts surrounding the breach. Even the top cybersecurity companies were initially stymied by it. And, most of the SEC’s quoted facts in the complaint did not appear to lead to the actual breach.
Finally, the SEC published Interpretative Guidance in 2018 that spelled out requirements for public company cybersecurity disclosure. The SolarWinds action appears to be the first attempt to broadly enforce US Securities laws based on the 2018 Guidance, although the SEC does not refer to it at all in its complaint. This suggests that the SEC will be much more aggressive in enforcement of the new Cybersecurity Rules than has been speculated. Given this, public companies should consider strategies to address cybersecurity disclosure, both in annual filings, as well as during a breach. Based on the SEC’s aggressive stance, disclosure controls must be very tight, and all of the parties involved need to understand cybersecurity controls at the level they currently understand financial controls.
Public companies, and outside counsel to public companies, should contact counsel who has a deep understanding of both securities law and cybersecurity to more fully develop these strategies and their resulting securities disclosure.