SolarWinds Cyber-Attack Litigation Proceeds Against Company, Investors, and Individual

After the SolarWinds Supply Chain Attack in late 2020 became public, the value of SolarWinds stock on the public market decreased in one week from almost $25 per share to less than $15 per share—a substantial decline of approximately 40%.

After the significant loss in share-value, a class of SolarWinds shareholders sued the company, its executives, and its investors for violations of the Exchange Act—the federal law that prohibits public corporations and its leaders from making knowing misrepresentations or omissions that proximately cause financial harm. These types of securities lawsuits are common when share-value dramatically and unexpectedly declines allegedly due in part to misrepresentations or omissions about business prospects and/or growth projections.

But this is one of the first high-profile Exchange Act cases—along with, for example, In re Equifax Inc. Securities Litig.—where the alleged misrepresentations are related to a company’s privacy and cybersecurity measures. Last week, the Federal District Court in the Western District of Texas issued its first significant decision in this case—captioned In re SolarWinds Corp. Securities Litig. After the Complaint was served, the company and executives filed a Motion to Dismiss arguing, amongst other things, that the pleading failed to plausibly allege that “they engaged in material, misleading statements or omissions, failed to demonstrate a strong inference that they acted with scienter, and failed to allege that the material, misleading statements or omissions caused Plaintiffs’ losses.” The investor defendants also argued that the pleading failed to allege their adequate control over the company to establish liability.

The Court denied the motion and ruled that the litigation may proceed against SolarWinds as a company, as well as against its two largest private equity shareholders (each with a plurality stake but controlling a majority between them and a history of coordinated actions) and also its former Vice President of Security Architecture (a role functionally similar to the company’s former Chief Information Security Officer).

SolarWinds CISO Tim Brown had publicly touted that he was “focused on . . . heavy duty [cybersecurity] hygiene” as part of his professional responsibilities. In denying Mr. Brown’s and SolarWinds’ motion, the Court compared public statements made by Mr. Brown to similar public statements made by the Chief Executive Officer of BP plc in securities litigation related to the BP oil spill, see 843 F. Supp. 2d 712 (S.D. Tex. 2012):

The Court finds that Plaintiffs sufficiently plead that Defendant Brown acted with, at least, severe recklessness when he touted the security measures implemented at SolarWinds. Plaintiffs plead that Brown held himself out as a responsible and knowledgeable authority regarding SolarWinds’ cybersecurity measures. . . Plaintiffs assert Brown’s title was Vice President of Security Architecture, he often appeared in interviews endorsing SolarWinds’ cybersecurity efforts, he was the face (literally) of the Security Statement page on the company’s website, and he addressed cybersecurity issues when they arose. In BP, the court found a strong inference of scienter as to the defendant CEO because his “own actions as the spokesperson and champion for BP’s reform efforts weigh[ed] strongly in favor of the inference that [he] paid special attention to BP’s process safety efforts or, at the least, was reckless in not doing so while continuing to publicly tout improvements.” 843 F. Supp. 2d 712, 783 (S.D. Tex. 2012). The same applies here. . .

The decision to permit the case to proceed against SolarWinds’ two plurality shareholders is also notable. Neither private entity vehicle controlled a majority of SolarWinds’ shares, but the Court determined that, based on the pleadings, the parties were acting in unison and that when their shares were combined should be treated as majority shareholders.

This matter is still at the early stage and discovery is just now commencing. The plaintiffs still must prove their case, which includes the element of “scienter.” This requires demonstrating that the defendants either intended to deceive, manipulate, or defraud the public, or that they acted with severe recklessness when making their public statements. But even if the plaintiffs do not ultimately succeed, the months of fact-intensive discovery into the most intimate business practices of SolarWinds—and into the individual motives and intent of specific SolarWinds executives and investors—could potentially be long and expensive.

Regardless of the outcome, the public statements of corporate executives, including CISOs, are fair game and can form the basis for class actions alleging a variety of claims ranging from negligence to securities frauds in the aftermath of privacy and cybersecurity incidents. This decision reinforces the importance of a company’s focus on its privacy and cyber practices and defenses. As this decision shows, the Federal Courts will treat public statements regarding a company’s privacy and cyber practices seriously. If it turns out that these public statements may be inaccurate or inconsistent with actual practices, it may, as here, provide a basis for a court to permit similar claims to proceed to discovery.

The Court’s ruling highlights the need to examine cyber risk management best practices. This includes the accuracy of public statements by CISOs and other executives regarding specific security incidents and overall privacy and cybersecurity practices.

We will continue to monitor this case and will provide updates as they become available.