A judge has dismissed most of the SEC’s fraud charges against software firm SolarWinds and its top cybersecurity executive over how the software company dealt with a breach. The incident was disclosed in 2020 and affected customers, including US government agencies.
The decision is a significant blow to the SEC’s cybersecurity approach as the securities watchdog attempts to hold companies accountable for their security oversight.
Civil fraud charges
The move had been a bit of a long-shot. The agency had never before pursued civil fraud charges in court against the corporate victim of a nation-state attack for claims it made to investors about cybersecurity practices.
Last October, the SEC sued both SolarWinds and its chief information security officer (CISO), Tim Brown, claiming that the company had presented misleading and false statements about its internal cybersecurity practices from October 2018 to January 2021.
On its website, the company claimed it complied with government-recommended cyber standards, had strong password protections, and followed a secure protocol for software development, among other measures.
The SEC alleged that internal conversations suggested the company didn’t follow all of the practices mentioned in the statement at the time it was published online and shared with customers.
In the SEC’s view, shareholders deserve to know how public companies respond to the risk of attacks, and those statements should reflect reality, since cyber attacks can depress the firm’s stock price. In the eyes of SolarWinds and its allied business groups, the SEC’s enforcement action was blaming the victim.
The SEC’s claim that SolarWinds didn’t reveal the full scope of the attack to shareholders was based on “hindsight and speculation,” US District Judge Paul Engelmayer said in his judgment. But the judge let the agency’s lawsuit proceed based on other claims SolarWinds made before the attack about its cybersecurity defenses and risks.
Engelmayer threw out almost every other charge levied against SolarWinds and Brown, characterizing many of the company’s other statements about cybersecurity as “non-actionable corporate puffery.”
Interestingly, Engelmayer also dismissed the SEC’s claim that SolarWinds violated rules that govern how companies guard against accounting errors. The judge said cybersecurity controls aren’t part of that process. “That reading is not tenable,” the judge wrote, saying the controls clearly apply only to financial accounting.
A SolarWinds spokesperson said the company is pleased with the judge’s ruling, but it plans to fight the remaining claim as factually inaccurate.
Targeting the CISO
The SolarWinds case was also unusual because the SEC chose to also pursue claims against a senior cybersecurity executive over a breach. CISOs, other executives, and trade associations expressed concern that bringing a lawsuit against Brown shows the SEC is now on a path toward pursuing CISOs individually.
The SEC’s lawsuit was filed shortly after Joseph Sullivan, a former CISO at Uber Technologies, was sentenced for criminal obstruction related to his actions during the company’s 2016 data breach.
Sullivan had been accused of executing a scheme to prevent any knowledge of the breach from reaching the Federal Trade Commission.
The SEC successfully showed that Sullivan had arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which they promised not to reveal the hack to anyone. And those contracts, drafted by Sullivan and a lawyer assigned to his team, falsely represented that the hackers did not take or store any data in their hack.
Obviously, the allegations against Sullivan differ from the ones against Brown – but any CISO being charged with legal action after their companies have been hacked causes great concern among those in the industry.
The existing case
The SEC will be allowed to pursue action against SolarWinds and Brown for statements and other claims made about the cybersecurity posture of the company prior to its compromise. Disclosures and statements made about the company’s security posture prior to the breach are “viably pled as materially false and misleading in numerous aspects,” the judge wrote.
In one example offered by the SEC, the SolarWinds “Security Statement” on its website falsely claimed compliance with the National Institute of Standards and Technology Cybersecurity Framework. And, after joining SolarWinds in 2017, the SEC alleged Brown internally highlighted deficits in the company’s defenses while delivering more positive-sounding assessments to customers.
About the Security Statement, Engelmayer said SolarWinds held itself out as having sophisticated cybersecurity controls in place and as heeding industry best practices. “In reality, based on the pleadings, the company fell way short of even basic requirements of corporate cyber health,” the judge wrote.
“Its passwords – including for key products – were demonstrably weak and the company gave far too many employees unfettered administrative access and privileges, leaving the door wide open to hackers and threat actors.”
But, again, Engelmayer threw out almost every other charge levied against SolarWinds and Brown, characterizing many of the company’s other statements about cybersecurity as “non-actionable corporate puffery.”
SolarWinds now has 14 days to respond to the remaining charges, according to court documents.