The Securities and Exchange Commission (“SEC”) recently filed charges against SolarWinds for allegedly misleading investors regarding the company’s security posture and failing to fully disclose a material cyberattack to investors. Investigators allege that in March 2020, as the world retreated into COVID lockdowns, a Russian espionage operation—mostly likely Russia’s Foreign Intelligence Service—began a comprehensive takeover of the SolarWinds Orion platform, a network monitoring software used by thousands of companies to monitor their network devices and server operations and configurations. In December 2020, the Orion exploit was revealed to the world by the cybersecurity firm FireEye, which itself—along with countless other companies and government agencies—was a victim of the SolarWinds incident. On Monday, October 30, 2023, the SEC filed charges against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, alleging that the company, amongst other issues, misled investors by lying about the sophistication of its cybersecurity capabilities and the extent of its cyber risks.
The SEC describes four categories of false statements from SolarWinds related to cybersecurity: (1) complying with the NIST Framework for evaluating cybersecurity practices; (2) using a secure development lifecycle when creating software for customers; (3) having strong password protection; and (4) maintaining good access controls.
The SEC does not claim that following NIST is a legal requirement—but rather that SolarWinds deceived investors by stating that the company assessed its cybersecurity controls using the moderate level framework, while public statements did not disclose “just how poorly the Company was doing in following the framework”. For example, the SEC alleges that at one point during the relevant period, “in truth,” it had “no program/practice in place” for the majority of the cybersecurity controls identified by NIST. The SEC further alleges that SolarWinds failed to meet more than half of the NIST standards and scored “poorly” on the five-point scale in critical areas. The results from internal reviews stood in contrast to public statements made by Brown and the Company to customers in SolarWinds’ Security Statement. The SEC alleges that the internal assessments contained material information that a reasonable investor would need to know to understand SolarWinds’ cyber capabilities.
SolarWinds had also stated that it used a secure development lifecycle (“SDL”) methodology, using industry best practices to create secure software products. The SEC claims that, in fact, the Orion platform—which was the subject of the Russian attack—was not subject to an effective SDL program. To substantiate these allegations, the SEC relied upon a mix of internal presentations, messages, and public statements about the attack after the fact. The SEC states that SolarWinds should have disclosed the true state of its security regarding Orion development practices, as disclosure would be material information to an investor who is concerned about the company’s “crown jewel,” the Orion platform.
The SEC also claims that SolarWinds failed to comply with its own password protection standards, such as requirements for frequent password rotations, minimum lengths, and character mixtures and that passwords were individually salted and hashed. The company’s internal security assessments frequently identified gaps in its compliance efforts, including default passwords, shared credentials, and leaked credentials appearing on GitHub and reuse of default passwords.
The SEC claims that SolarWinds wrongly told investors that role-based access controls with managed authentication, authorization, and privileges were implemented to secure critical systems and information, when, in fact, “the access control environment was diametrically different from the [company’s] description.” The SEC says that SolarWinds “routinely and pervasively” granted administrative rights to employees far beyond the rights they needed for their respective roles. The SEC alleges that these failures were material to investors and should have led to a revision in the company’s disclosed cybersecurity risk factors.
Finally, the SEC claims that, once it learned of the incident, SolarWinds failed to fully disclose to investors the known impact of the Russian attack. The SEC alleges that SolarWinds knew, or should have known, that the previously disclosed Orion exploits at three companies may have been more widespread. As thousands of SolarWinds customers know, the facts surrounding the attack came out over days and weeks, with multiple patches attempting to eliminate the exploit. The company’s initial statements, according to the SEC, made the threat to SolarWinds customers appear hypothetical—it “could potentially allow” attackers to compromise the customer—when, in fact, attackers had actively exploited.
As we have noted in the past, the SEC continues to enhance enforcement efforts regarding cybersecurity. It has also been actively investigating SolarWinds—and companies using SolarWinds—for nearly three years. Of course, each of the allegations in the complaint also mirrors, to some extent, other ongoing government efforts (e.g., updates to the NIST Framework, new best practices for using a secure development lifecycle, de facto requirements to use strong password protections, and attempts to make executives individually liable for corporate security failings). In light of this enforcement action and the SEC’s continuing focus on cybersecurity, companies should be careful to ensure that any statement they make about cybersecurity—whether public or in internal policies—are backed by actual, often measurable, and verifiable security actions taken by the company. Also, companies must evaluate whether individual failures, risks, and incidents, when combined, should be disclosed in public filings for the cumulative negative effect on company cybersecurity. Vague statements are not a refuge from enforcement; the SEC found fault not just in specific claims that were untrue, but also in general statements that allegedly misled through omission. As the SEC has previously stated in the new public disclosure timing rule, the materiality standard for disclosure has not changed, whether for cybersecurity program performance, risk factors, or incidents. We anticipate further cybersecurity enforcement actions once the new public disclosure rule goes into full effect.