The U.S. Securities and Exchange Commission ("SEC") has charged SolarWinds Corp. (SolarWinds) and the company's chief information security officer ("CISO") with securities fraud and violations of internal controls requirements arising from alleged failures to disclose known material cybersecurity risks and vulnerabilities. While some of the SEC's allegations relate specifically to defendants' activities surrounding the high-profile SUNBURST attack in 2020, other allegations are broader and pertain to general statements about SolarWinds' cybersecurity posture. The SEC states in its complaint that the alleged "false and misleading statements and omissions" would have violated the federal securities laws "even if SolarWinds had not experienced a major, targeted cybersecurity attack." SolarWinds has published a blog post on its website calling the SEC's suit "fundamentally flawed—legally and factually."
Significance of the SEC's Complaint
The SEC's lawsuit against SolarWinds and its CISO stands apart from prior SEC enforcement actions against public companies related to cybersecurity and may signal a shift in the Commission's enforcement strategy. The SEC's complaint takes the unprecedented step of alleging violation of securities laws—including securities fraud—against a company's CISO. Previous cyber-related SEC enforcement actions have not named any individuals, and, more broadly, the SEC typically does not bring charges against individual executives who are not responsible for preparing the company's financial statements or SEC disclosures. The SEC alleges that SolarWinds' CISO, in addition to making or approving various public false statements about the company's cybersecurity posture, signed a false Sarbanes-Oxley sub-certification that other SolarWinds executives relied on in making the company's SEC disclosures.
Additionally, in sharp contrast to the SEC's prior cybersecurity enforcement actions, which focused on negligence-based disclosure violations, the SEC here alleges that SolarWinds and its CISO knowingly or recklessly (i.e., with "scienter") made materially false public statements to mislead investors.
The SEC's case against SolarWinds and its CISO provides a major warning for public companies and their cybersecurity leaders. The case signals that the SEC may carefully scrutinize a company's annual risk disclosures related to cybersecurity and expects those disclosures to be non-generic, detailed, and tailored to the company's specific circumstances and risks. Moreover, the case serves as a reminder that companies may be held liable for securities violations based on their public statements about their cybersecurity posture—not only in formal securities filings but also in blogs, on their websites, on podcasts, and in marketing materials. For CISOs and other high-ranking cybersecurity professionals, the case underscores potential personal liability risks under securities laws, particularly where cybersecurity executives are publicly speaking about the company's cybersecurity posture, signing securities sub-certifications, and reporting about cyber risks to senior management and the board of directors. For both companies and their cybersecurity executives, the SEC's case against SolarWinds and its CISO should prompt critical rethinking of the CISO's responsibilities, reporting structure, and reporting obligations.
The SEC's action against SolarWinds and its CISO comes shortly after the Commission finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule. That Rule, among other things, requires companies to disclose material cybersecurity incidents and to make various annual disclosures about their cybersecurity risks and risk management practices.
Charges Against SolarWinds and Its CISO
The SEC's complaint, which was filed in the Southern District of New York on October 30, 2023, alleges that both SolarWinds and its CISO violated the antifraud provisions of the Securities Act of 1933 ("the Securities Act") and of the Securities Exchange Act of 1934 ("the Exchange Act"). The SEC also alleges that SolarWinds violated several reporting and internal controls requirements under the Exchange Act, and that the company's CISO aided and abetted SolarWinds' violations of both the antifraud and reporting/internal controls provisions.
With respect to the securities fraud allegations, the SEC charged SolarWinds and its CISO with violations of Section 17(a) of the Securities Act, Section 10(b) of the Exchange Act, and Exchange Act Rule 10b-5. Section 17(a)(1) of the Securities Act expressly prohibits use of any "device, scheme, or artifice to defraud" in the offer or sale of securities. Section 10(b) of the Exchange Act and related SEC Rule 10b-5 prohibit, in connection with the purchase and sale of any security, the making of any untrue statement of material fact or omitting to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading. Each of these three antifraud provisions requires a showing of "scienter"—i.e., an intent to mislead or defraud.
With respect to the internal controls allegations, the SEC charged SolarWinds with violations of Sections 13(a) and 13(b)(2)(B) of the Exchange Act, as well as Exchange Act Rules 12b-20, 13a-1, 13a-11, 13a-13 and 13a-15(a), and charged the company's CISO with aiding and abetting those violations.
The SEC's lawsuit against SolarWinds and its CISO seeks "permanent injunctive relief, disgorgement with prejudgment interest, [and] civil penalties." In addition, the SEC is pursuing an "officer and director bar" against SolarWinds' CISO, which would prohibit him from acting as an officer or director of a public company in the future.
Alleged Misstatements About Security Practices
The SEC's complaint identifies three categories of public disclosures in which SolarWinds and its CISO allegedly made materially false public statements touting the company's cybersecurity practices: (1) various public statements about the company's security posture, particularly in a "Security Statement" on SolarWinds' website; (2) statements in publicly filed Forms S-1, 10-K and 10-Q; and (3) statements pertaining to the SUNBURST attack and related vulnerabilities, including in a Form 8-K filed by SolarWinds in December 2020.
(i) The "Security Statement" and other public statements about SolarWinds' security posture
The SEC alleges that a Security Statement posted on SolarWinds' website contained materially false statements and omissions regarding the company's security practices, and that the CISO was "primarily responsible for creating and approving the Security Statement before it was posted." In addition, the CISO allegedly "disseminated the Security Statement, or a link to the Security Statement, to customers seeking more information about SolarWinds' security practices." Among other things, the SEC alleges that the Security Statement falsely represented—despite the CISO's knowledge to the contrary—that the company:
- Complied with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF), even though the company only met a small percentage of the relevant security controls and had "no program/practice in place" to address the remaining controls.
- Used a secure development lifecycle (SDL) process for developing customer software, even though the company did not follow an SDL, including for components of the company's "crown jewel" Orion platform, which was hacked by SUNBURST threat actors.
- Maintained a strong password policy and access controls, even though the company did not enforce its password policy and had poor access control practices, including by permitting broad use of administrative privileges and failing to remediate a virtual private network vulnerability.
In addition to these alleged misrepresentations in the Security Statement, the SEC also alleges that SolarWinds' CISO made various material misstatements about the company's security posture in blog posts, podcasts, and elsewhere.
(ii) Forms S-1, 10-K and 10-Q
Regarding SolarWinds' public SEC filings, including its Form S-1 initial public offering and its quarterly and annual 10-Q and 10-K filings, the SEC alleges that SolarWinds and its CISO misled investors by omitting known cybersecurity risks and relying, instead, on "generic" and "hypothetical" statements about potential cybersecurity risks (for example, only broadly stating that the company could suffer various types of cyberattacks). Similar generic statements were contained in the company's 10-Ks and 10-Qs up until November 2020. The SEC alleges these disclosures became more misleading over time as SolarWinds learned of malicious activity throughout 2020 in connection with SUNBURST and received more information about its cyber risks and vulnerabilities generally.
(iii) Statements Pertaining to SUNBURST and SolarWinds' Form 8-K
The SEC's lawsuit identifies a number of alleged misstatements made by SolarWinds and its CISO leading up to and in the wake of the SUNBURST attack. For example, the SEC alleges that in the lead-up to the SUNBURST attack, SolarWinds identified "an accumulating number of red flags" and "multiple successful intrusions against Orion." These red flags were allegedly documented by the company and discussed internally by the company's CISO and other SolarWinds employees with knowledge that "there had been multiple successful intrusions against Orion."
The SEC specifically alleges that SolarWinds' CISO was aware of but ignored warnings about the company's security vulnerabilities leading up to the SUNBURST hack. The agency highlighted a 2018 presentation by a SolarWinds engineer that flagged access vulnerabilities in the company's remote access setup, describing them as "not very secure." The SolarWinds engineer also stated, according to the SEC, that a threat actor could use this vulnerability to "basically do whatever without us detecting it until it's too late: It can easily download any content without being detected." The SEC alleges that the company's CISO failed to raise these security concerns up the chain of command and "willfully left the company systems unprotected."
When the SUNBURST hack occurred, SolarWinds prepared and filed a Form 8-K disclosing the attack. The SEC alleges that the Form 8-K "created a materially misleading picture of the Company's knowledge of the impact of the attack" by falsely stating that:
- The SUNBURST cyberattack "could potentially allow" a data compromise, when SolarWinds already knew that bad actors had compromised the company's server and exploited vulnerabilities with three different customers' software since May 2020;
- SolarWinds was conducting an investigation, including "whether a vulnerability in the Orion monitoring products was exploited," when SolarWinds already knew Orion had been exploited on multiple occasions; and
- SolarWinds was "still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited," even though the company and its CISO had "specific knowledge" that Orion products already had been exploited.
The SEC alleges in particular that the company's CISO participated in the meeting when these allegedly false disclosures were drafted and that he reviewed and confirmed their accuracy.
Alleged Control Failures
In addition to the fraud charges described above, the SEC brought charges against SolarWinds for internal controls violations and against the company's CISO for aiding and abetting those violations. Notably, this is the first cyber enforcement action that includes a charge under Section 13(b)(2)(B) of the Exchange Act, and the SEC's complaint appears to take a novel reading of that provision. Section 13(b)(2)(B) requires, among other things, that issuers devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that access to company "assets" is permitted only in accordance with management's general or specific authorization. Historically, company "assets" under Section 13(b)(2)(B) have been understood to refer to monetary assets, and charges have been brought under that provision where, for example, payments were made by company employees without proper authorization. In this case, however, the SEC takes the position that SolarWinds' relevant and most critical "assets" include the company's "information technology network environment, source code, and products," including its "crown jewel" Orion platform, and that SolarWinds violated Section 13(b)(2)(B) by failing to adequately prevent unauthorized access to those assets. If this reading is upheld, the Exchange Act effectively would contain a stand-alone requirement for public companies to secure their technology systems against cyberattacks, and the SEC would likely bring similar charges under Section 13(b)(2)(B) in response to future cyberattacks.
The SEC also alleges that SolarWinds failed to maintain internal disclosure controls sufficient to ensure that information regarding potentially material cybersecurity risks, incidents, and vulnerabilities would be escalated to the executives responsible for disclosures, in violation of Exchange Act Rule 13a-15(a). As a result, cybersecurity issues that had the potential to materially impact SolarWinds allegedly went unreported. The SEC alleges that the company's CISO aided and abetted these violations, including by signing false sub-certifications and making other false statements.
Considerations for Companies and CISOs
Public companies and their cybersecurity leaders should consider the following when assessing how to effectively respond to the allegations in the SEC's SolarWinds complaint and the related risks under securities laws:
- Revisit the CISO's reporting structure: For years companies have debated where CISOs should sit within a company's reporting structure. Should the CISO be in the C-suite? Should the CISO report to the CIO, or are the CISO's and CIO's prerogatives too divergent? Should the CISO report to someone outside of information technology, such as a COO or directly to the CEO? While there is no one right answer to these questions, companies are advised to revisit these questions in light of the SEC's complaint against SolarWinds and its CISO. Ultimately, companies should adopt a reporting structure that empowers CISOs to raise security concerns to management in a timely and effective way.
- Consider dotted-line reporting relationships: Related to the prior point, companies should consider dotted-line reporting relationships for their CISOs to better facilitate effective reporting of security concerns. For example, if a CISO regularly reports to the CIO, the company might also create a dotted-line reporting structure from the CISO to the CFO, COO, CEO, or others to allow the CISO to report security concerns—even when those concerns reflect unfavorably on the CIO.
- Be mindful of public communications—even informal ones: The SEC's complaint alleges that SolarWinds' CISO made numerous false statements about the company's security posture in various "informal" settings, including in blog posts and podcasts. It is increasingly common for CISOs and other security leaders to find themselves being asked to serve as thought leaders and as public faces of the company to help tout the company's commitment to strong cybersecurity. CISOs should approach such thought leadership cautiously and, where possible, avoid speaking directly about their companies' cybersecurity posture and practices. CISOs might instead focus such thought leadership on their general experiences, lessons learned, commentary on emerging trends, etc.
- Focus on detailed and accurate disclosures: Companies need to ensure they fully, and accurately, disclose their cybersecurity practices and known risks. The SEC's lawsuit against SolarWinds and its CISO makes clear that generic and hypothetical risk statements relating to reasonably known risks are likely to be deemed insufficient. When a material cybersecurity incident occurs, it is paramount to make full and timely disclosures. As evidenced by the allegations in the SEC's legal action, making incomplete or misleading disclosures carries the potential to erode investor trust and could trigger a significant enforcement action. At the same time, companies must strike an effective balance between adequate SEC disclosures and maintaining confidentiality about the specific nature of any security vulnerabilities and risks. As SolarWinds points out in the blog post responding to the SEC's complaint, a company could put itself at risk for further cyberattacks if it discloses excessively detailed information about its security weaknesses.
- Develop a vulnerability remediation plan: When cybersecurity risks and vulnerabilities are identified internally, there must be a plan in place to take swift action to address, remediate, and mitigate them. The SEC's complaint emphasizes the serious risks under securities laws that may arise from a failure to remediate known security issues in a timely manner.