On October 30, 2023, the SEC filed suit against SolarWinds and its Vice President and Chief Information Security Officer, Timothy G. Brown, for securities fraud arising from the company's cybersecurity disclosures. The SEC alleged that SolarWinds intentionally misled investors about the company's cybersecurity practices in public statements, SEC filings, and risk disclosures. SolarWinds sells high-end, purportedly secure software to government and private entities and was the vector for one of the worst cyber-espionage campaigns of 2020.
Hired by SolarWinds in July 2017, Brown quickly encountered noticeable defects in the company's practices. SolarWinds annually assessed its products against the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which the court described as "a set of tools that an organization can use as one of its assessments of its cybersecurity posture and includes measuring themselves on a scale of zero to five," zero being the lowest score and indicating a lack of compliance. From 2017 to 2019, SolarWinds ran these assessments and regularly found multiple specific controls (up to 25 in some years) scoring zero, yet made no substantial changes to its practices.
SolarWinds products were the target of four attacks between January 2019 and December 2020. The attack on SolarWinds' Orion software, which the company called its "crown jewel," came to light in December 2020 and raised major national security concerns. The attackers inserted malicious code into Orion, creating a backdoor through which they could access and impersonate users and accounts in victim organizations and read system files without detection. The aftermath of this and the earlier attacks on SolarWinds software led to the SEC's investigation.
In its opinion of July 18, 2024, the Southern District of New York sustained the SEC's securities fraud charges against SolarWinds brought under Section 10(b) of the Securities Exchange Act of 1934. Securities fraud is the misrepresentation or omission of material information in a way that misleads investors. The SEC alleged that management, including Brown, was aware of the cybersecurity failures and lied to customers and investors about them in the company's public Security Statement. This case is the first in which the SEC brought cybersecurity-related fraud charges against an individual executive.
First, the court found it plausibly alleged that SolarWinds' practice of routinely and freely granting administrative rights to employees, and conferring access rights beyond those necessary for their roles, blatantly contradicted its Security Statement. The earlier NIST scorecards and the presentations given or approved by Brown for board members and employees supported this allegation.
Second, the court found the SEC's fraud claims regarding the company's password-protection statements plausible. The SEC alleged that the company's password policy, stated to cover "all applicable information systems, applications and databases" and to enforce "the use of complex passwords that include both alpha and numeric characters" that are "individually salted and hashed," was generally not enforced, and that Brown and others failed to correct these known issues. The court found that the statement was "materially misleading and false and held out SolarWinds as having sophisticated cybersecurity controls in place and as heeding industry best practices," while the company, as alleged, fell short of basic requirements of corporate cyber health.
The court found that both Brown and SolarWinds plausibly acted with scienter, that is, with knowledge of the falsity or with reckless disregard for the truth, in keeping the Security Statement on the company website in the face of known deficiencies, rendering the statement false and misleading to potential investors. The court also found the SEC's scheme-liability claim for securities fraud plausible against both Brown and SolarWinds for their roles in disseminating the Security Statement.
While the court dismissed several allegations, the charges relating to the company's intentional misrepresentations in its public Security Statement were sustained. The decision is a signal to technology companies and all businesses not to publish aspirational statements that could lead investors to believe they describe the company's current practices. The importance of truthfulness in such statements is likely to be heightened following the SolarWinds decision, and businesses should not only review their currently posted public statements but ensure that they are current, truthful, and reliable, or liability may follow.