Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack

On October 30, 2023, the Securities and Exchange Commission (the “SEC”) filed a civil lawsuit charging SolarWinds Corporation (“SolarWinds” or the “Company”) and its chief information security officer, Timothy G. Brown (“Brown”), with securities fraud, internal controls failures, misleading investors about cyber risk, and disclosure controls failures, among other violations.  The SEC’s claims arise from allegedly known cybersecurity risks and vulnerabilities at SolarWinds associated with the SUNBURST cyberattack that occurred between 2018 and 2021.

Background

Founded in 1999, SolarWinds, a publicly traded company, provides software that thousands of companies and many government agencies use to manage their information technology infrastructure by, for example, monitoring activity on networked servers.  SolarWinds conducted its first initial public offering (“IPO”) in 2009 and remained a public company until February 2016, when it was acquired by several private equity firms in a take-private transaction. The Company conducted a second IPO in October 2018 and remains a public company.  The Company filed a Form S-1 registration statement with the SEC in connection with its October 2018 IPO, which became effective on October 18, 2018.  The Company conducted an additional public offering of shares through a Form S-1 registration statement filed on May 20, 2019.  The SEC alleges that SolarWinds falsely promoted its cybersecurity practices and, furthermore, deprived investors of key information when the Company went forward with its 2018 offering without disclosing known vulnerabilities.

The SUNBURST cyberattack on SolarWinds compromised “SolarWinds’ Orion software platform, a flagship product that the Company considered to be a ‘crown jewel’ asset and which accounted for 45% of [SolarWinds’] revenue in 2020.”  See Complaint at ¶ 1.  Orion, a monitoring and management software, is used by government agencies and organizations worldwide. Consequently, the SUNBURST cyberattack sparked significant concerns related to risk in the cybersecurity supply chain.

The Complaint

Filed in federal district court in the Southern District of New York, the SEC’s complaint alleges:

• • SolarWinds and Brown defrauded investors by misstating SolarWinds’ cybersecurity practices in a “Security Statement” on the SolarWinds’ website, and making disclosures that failed to convey known cybersecurity risks;
  • SolarWinds made materially misleading disclosures by disclosing hypothetical and generic cybersecurity risks, which were repeated verbatim in numerous securities filings, instead of disclosing specific, elevated risks faced by SolarWinds;
  • The Company knew of specific deficiencies in SolarWinds’ cybersecurity practices when it made statements about the strength of its cybersecurity practices, and which deficiencies the Company documented in internal assessments;
  • Internal SolarWinds communications questioned the Company’s ability to protect its critical assets from cyberattacks, which were inconsistent with regulatory frameworks that the Company adhered to and required protecting entity assets from external threats;
  • Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities and failed to resolve them or sufficiently raise the issues to the Company’s attention; and
  • After learning of the SUNBURST attack on SolarWinds, SolarWinds made incomplete disclosures about the SUNBURST attack in its December 14, 2020, Form 8-K filing, which Brown participated in drafting and also confirmed the accuracy of technical statements in that filing.

The SEC alleges that SolarWinds and Brown violated several laws, including:

• • Section 17(a) of the Securities Act (false statements in connection with the offer or sale of securities);
  • Section 10(b) of the Exchange Act and Rule 10b-5 (securities fraud);
  • Section 13(a) of the Exchange Act (false or misleading periodic securities filings);
  • Section 13(b)(2)(B) of the Exchange Act (failure to maintain sufficient internal accounting controls);
  • Exchange Act Rule 13a-15a (inadequate disclosure controls); and
  • As to Brown individually, aiding and abetting the Company’s violations.

Among other remedies sought, the SEC seeks an officer and director bar against Brown.

Takeaways

The SEC’s latest action highlights the importance of cybersecurity practices at publicly-traded companies, as well as considering cybersecurity practices and incidents as part of disclosure controls.  The SEC’s action comes just months before its recent final rules come into effect for public company disclosures about cybersecurity risk management and disclosures about material cybersecurity incidents.

***

Crowell & Moring attorneys are monitoring this SEC development and enforcement activity relating to cybersecurity, generally.  Please contact us if you have any questions about how the SolarWinds litigation or your current cybersecurity posture may impact your business.