On July 18, Judge Paul Engelmayer of the Southern District of New York issued a lengthy order dismissing the majority of the SEC’s enforcement case against SolarWinds Corporation (SolarWinds) and its CISO, Timothy Brown. The ruling is relevant for any company crafting disclosures about its cybersecurity practices, and also includes important analysis for securities fraud cases more broadly, including what constitutes pleading by hindsight and speculation.[1]
The SEC brought securities fraud claims alleging that SolarWinds made materially false and misleading statements in (1) a “Security Statement” that SolarWinds published on its website describing its cybersecurity practices; (2) SolarWinds’ risk disclosures regarding cybersecurity risks contained in its SEC filings; (3) two reports SolarWinds issued on Form 8-K in December 2020 disclosing the SUNBURST hacking incident and the company’s investigation and remediation to date; and (4) various other public statements SolarWinds made prior to the hacking incident regarding its cybersecurity practices. The court granted defendants’ motion to dismiss all of these securities fraud claims except the claims relating to the Security Statement.
Risk Disclosures. The court accepted the SEC’s general theory that a risk disclosure can be actionable if it could have misled a reasonable investor about the nature of the risk, but the court noted that this applies only in certain narrow circumstances, for example, if the disclosure warns of a risk that has already occurred. The court found that the SEC failed to meet that standard here. The court rejected the SEC’s arguments that the risk disclosure was boilerplate, generic, and concealed the gravity of the risks SolarWinds faced. Explaining that companies are not required to articulate risk disclosures with “maximum specificity,” the court found that the risk disclosure set out unique, specific risks based on the company’s technology infrastructure and business model, and was sufficient, viewed in totality, to alert the investing public to the nature and types of risks and the grave consequences these risks could present. SEC v. SolarWinds Corp., 2024 WL 3461952, at *36 (S.D.N.Y. July 18, 2024).
The court also rejected the SEC’s argument that the risk disclosure needed to be modified following two earlier hacking incidents. Although the court accepted the SEC’s theory that risk disclosures must be updated if a latent risk materializes, the court found that SolarWinds had no obligation to update here. The court noted that the risk disclosure explicitly warned investors that the company’s systems were vulnerable to damage from cyberattacks or cyber intrusion, that the company did not identify the root cause of the earlier attacks, and that it was not until the SUNBURST attack that the company was aware of any systematic intrusion. The court rejected the SEC’s arguments as impermissibly based on hindsight, as opposed to the proper standard of evaluating risk disclosures based on the information available at the time. The court concluded that, based on what was known at the time about the two earlier incidents, the company’s general warning was sufficient.
Finally, the court found that the SEC did not adequately plead Brown’s scienter. The court noted that because the risk disclosure was not inaccurate, the SEC could not plausibly allege that Brown understood that SolarWinds’ public statements were inaccurate. Further, the SEC itself acknowledged Brown’s role in revealing the cybersecurity deficiencies through internal presentations that he shared and openly discussed with other top-level executives, directly in contrast to any allegation that he attempted to conceal the issues.
Information Security Officer’s Statements Regarding Cybersecurity Practices. The SEC also brought securities fraud claims based on Brown’s statements in press releases, blog posts, and podcasts regarding SolarWinds’ cybersecurity practices. The court dismissed the SEC’s claims on the basis that all of these statements were non-actionable corporate puffery and too generic to express any objective fact. (The court did not, however, suggest that Brown could not be held personally liable for such statements if they were in fact false or materially misleading.)
Form 8-K Reports. Two days after the SUNBURST hacking incident, SolarWinds issued a Form 8-K disclosing the incident and the company’s investigation and remediation to date. SolarWinds followed up with a subsequent Form 8-K three days later. The SEC claimed that the first Form 8-K was materially misleading because it did not directly state the extent of the vulnerability from the attack and failed to disclose the two prior incidents. The court rejected this claim, noting that the statement must be evaluated in context, including that it was filed only two days after SUNBURST in the midst of the ongoing investigation. The court found that the “lengthy” disclosure, “read as a whole, captured the big picture: the severity of the SUNBURST attack,” thus making the absence of the two prior attacks immaterial. Id. at *46. The second Form 8-K provided more information on the SUNBURST attack and again did not disclose the two prior incidents. The court found that it was not materially misleading for the same reasons. The court also held that the SEC failed to plead Brown’s scienter with respect to the Forms 8-K. Id. at *47.
Although the court dismissed the majority of the SEC’s securities fraud claims, it allowed claims regarding the company’s Security Statement—which appeared on SolarWinds’ website and described its cybersecurity practices in detail—to move forward against both SolarWinds and Brown.
The court first rejected defendants’ arguments that the Security Statement is not actionable because it was directed at customers, not investors, and that each individual representation must be considered in isolation. As to the first argument, the court recognized that the Security Statement was aimed at persuading customers to buy SolarWinds’ products, but explained that because it was on the public website and “accessible to all, including investors,” the Security Statement was “unavoidably, part of the ‘total mix of information’ that SolarWinds furnished the investing public.” Id. at *26. As to the second, the court rejected defendants’ methodology, explaining that although the representations should be viewed collectively as to materiality, each representation should be considered individually when evaluating whether it has been plausibly pled as misleading.
Turning to the SEC’s allegations, the court found that the SEC adequately pleaded that the Security Statement contained misrepresentations regarding at least two of SolarWinds’ cybersecurity practices: access controls and password protection. Regarding access controls, the court focused on the SEC’s allegations that (1) before the Security Statement was published, SolarWinds had recognized deficiencies in access controls, including granting employees administrative rights beyond their necessary functions with few restrictions; and (2) after the Security Statement was published and SolarWinds went public, it did not resolve these issues, with internal presentations by Brown and others documenting these deficiencies and warning of issues with administrative access restrictions. Concluding that the SEC pleaded misrepresentations regarding access controls based on these facts, the court found those misrepresentations material in light of the importance of cybersecurity to SolarWinds’ business model. Id. at *28. Similarly, with respect to password protection, the court outlined the SEC’s allegations that the company’s stated password policy was generally not enforced and that executives were alerted to that fact both pre- and post-IPO, finding that the Security Statement’s representations regarding passwords were therefore well pled as potentially misleading. Id. at *29.
Taking the Security Statement as a whole, the court found that the SEC cleared its pleading burden, concluding that a “reasonable person contemplating investing in SolarWinds would have viewed the alleged gap between SolarWinds’ words and on-the-ground reality as highly consequential—as significant in making investment decisions.” Id. at *30.
Finally, the court held that the complaint pleads Brown’s scienter. Id. at *31. As vice president of security and architecture, Brown was responsible for the company’s cybersecurity protocols and the cybersecurity architecture of its products. Beginning in 2017, he created presentations and assessments identifying the company’s shortcomings on access controls and password protection. Further, he knew of cybersecurity incidents that directly contradicted the messaging in the Security Statement, so that, as alleged, he was aware over many years of information that could have suggested the Security Statement’s content was false and misleading. Id. at *32.
SolarWinds and Brown remain free to argue that the pre-IPO context of the Security Statement supports the contention that it was directed to customers, not investors, in order to potentially undercut the scienter element of a securities fraud claim.
Internal Accounting Controls. The SEC brought claims against SolarWinds under § 13(b)(2)(B) of the Exchange Act, which governs “internal accounting controls,” on the basis of SolarWinds’ cybersecurity deficiencies. The court rejected these claims as a matter of statutory interpretation, accepting SolarWinds’ argument that a “system of internal accounting controls” cannot reasonably be interpreted to cover cybersecurity controls.
The SEC had argued that the statute could be applied to SolarWinds’ cybersecurity practices because the company’s source code, databases, and products were its most vital assets. However, the court pointed to statutory language requiring public companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that ... access to assets is permitted only in accordance with management's general or specific authorization.” Id. at *49. That language, the court explained, plainly applies to a company’s internal accounting controls, not to controls more generally. Id. The court also found that the history and purpose of the statute were consistent with this narrow reading of “internal accounting controls.” Id. at *51.
The court’s analysis thus emphasized that in construing the reach of the statute, the context of the harm that the statute was seeking to address was important. This is similar to the Supreme Court’s approach in June when it addressed the scope of a statute, enacted in the wake of Enron after records were destroyed during the government’s investigation into the Enron accounting scandal, that criminalized the obstruction of an “official proceeding.” In Fischer v. United States, 144 S. Ct. 2176 (June 28, 2024), the Court ruled that to violate the statute (18 U.S.C. § 1512(c)(2)), the government had to show that a defendant impaired the availability or integrity of documents or records, and that the government could not use it to prosecute the January 6 Capitol rioters whose violence obstructed a congressional proceeding. Id. at 2190. Taken together, these two decisions should serve to restrain white-collar government enforcers’ aggressive attempts to expand internal controls and similar statutes into novel areas that were not contemplated when the statutes and rules were enacted.
Disclosure Controls. The SolarWinds court found that the SEC failed to plead that SolarWinds’ disclosure controls violated Exchange Act Rule 13a-15(a), which requires companies to “maintain disclosure controls and procedures.” The SEC’s allegations admitted that SolarWinds had a sufficient system of disclosure controls in place to ensure that material cybersecurity information was communicated to executives responsible for public disclosures. However, the SEC brought a disclosure control claim on the basis of that system’s scoring methodology, which (the SEC alleged) assigned the two previous hacking incidents a lower score than warranted, so that they did not trigger notification to executives, including the CEO and CTO. The court rejected this claim, holding that, without more, “the existence of two misclassified incidents is an inadequate basis on which to plead deficient disclosure controls.” SolarWinds at *53. The court also dismissed as inadequately pled the SEC’s separate disclosure control claims based on each of the allegedly mischaracterized prior incidents. Id.
The court’s order does not allow the SEC to amend its complaint to try to replead the part of the case that was dismissed. The case will proceed against SolarWinds and Brown only on the claim that the Security Statement on SolarWinds’ website was false and misleading.
Footnotes
[1] In July 2023, the SEC adopted new cybersecurity rules. These require the disclosure of material cybersecurity incidents and annual disclosure of cybersecurity risk management, strategy, and governance. See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896 (Aug. 4, 2023) (codified at 17 C.F.R. §§ 229.106, 232, 239, 240, 249). These new rules are not implicated in this case, which involves conduct predating the new rules’ effective date.