On July 18, in a devastating opinion for the agency, a federal judge in the Southern District of New York dismissed the bulk of the claims the Securities and Exchange Commission made against SolarWinds and its Chief Information Security Officer ("CISO") in an amended complaint. The 107-page opinion provides a clear analysis of the manner in which the SEC's claims fail. If the decision stands, and it is a very well reasoned opinion, it undercuts much of the SEC's enforcement posture concerning cybersecurity disclosure under both the Securities Act of 1933 and the Securities Exchange Act of 1934 (the "'34 Act").
Since it released its Cybersecurity Disclosure Guidance in 2018, the SEC has been pressing issuers to provide more detailed information concerning the issuer's cybersecurity program, including details concerning weaknesses in that program. The SEC stated that risk factors consisting of broad, formulaic statements were not sufficient to give investors appropriate knowledge of the issuer's cybersecurity risks. Additionally, the SEC has taken the problematic position that a failure to protect networks, such that an attacker gained access to critical company data and software, constituted a failure under the '34 Act to have in place accounting controls that adequately protected the issuer's assets. The first test case of this new approach to cybersecurity risk disclosure enforcement was the SolarWinds case.
As very brief background, SolarWinds provides software that companies and government agencies use to manage their computer networks. SolarWinds was compromised by a foreign government threat actor (presumably Russian), and its software was used as a vector to penetrate numerous networks, including those of US federal agencies and critical infrastructure companies. The attack was extraordinarily sophisticated, and it took some time, and multiple reports to SolarWinds, before a response was initiated.
The SEC took issue with three primary items in SolarWinds' disclosures and asset protection: (i) disclosures made prior to the discovery of the attack, (ii) disclosures made in a series of Form 8-K filings after discovery of the attack, and (iii) the protection of SolarWinds' critical assets. The Court allowed claims relating to a small portion of the pre-attack disclosures to continue. The Court rejected the Form 8-K claims and the asset protection claims. For periodic reporting, the manner in which the claims were rejected undercuts the SEC's entire premise that broad, but accurate, statements of the damage that may occur from a cyber attack or other cyber failure are insufficient. Additionally, the Court held that protection of networks generally is not the same as protection of the systems that make up financial reporting. There is a detailed discussion of the definition of financial and accounting controls that is crushing to this line of claims.
For the Form 8-K reporting, the Court refused to allow the SEC to review the disclosures with the benefit of hindsight. As in virtually all cyber incidents, there is significant confusion at the outset, and it is only after investigation that the facts become clear. The Court held that SolarWinds provided appropriate disclosure based on the information the company had at the time.
What the Court allowed to stand were claims based on inaccuracies in a Security Statement that appeared on the SolarWinds website and that SolarWinds and the CISO sent to customers and others. The Court recognized that the Security Statement could be considered a public statement by SolarWinds. The claims that remain are still problematic for SolarWinds and the CISO, but they are far less sweeping.
There is a great deal more detail in the decision on the types of claims made and on why some claims against the company or the CISO fail because other claims fail. These points will be of significant interest to securities litigators. However, we can identify some clear takeaways for public companies.
- First, do not publish a security statement or make public statements extolling the company's security. The sales team may be unhappy about this, but the risks outweigh the benefits.
- Second, keep the disclosures made in periodic filings and in offering documents clear, descriptive and broad.
- Finally, put in place incident response controls under which an attorney cross-trained in cybersecurity and securities law monitors the incident and reports separately to the disclosure team or committee.