By: Mary Roberts
The United States Securities and Exchange Commission’s (SEC’s) recent focus on improving cybersecurity by increasing regulatory requirements and the frequency of enforcement actions has struck a nerve with the telecommunications community. However, the latest update in a 2023 action against a Texas-based technology company and its Chief Information Security Officer, Securities and Exchange Commission v. SolarWinds Corp. & Timothy G. Brown, demonstrates that the SEC may need to chart a different course in its efforts to regulate where registered entities and cyberspace overlap. An alternative path includes (i) utilizing a task force that already exists within the SEC’s organizational structure and (ii) revising the window for assistance so that it occurs during a reported cyber-attack, instead of afterward. Shifting to a “real time” strategy would help not only the entities experiencing the attack but could also drastically improve data security on both a domestic and global scale.
BACKGROUND
Over the last three years, the SEC has steadily increased its focus on cybersecurity regulations and requirements. At the start of this era, Gary Gensler, Chair of the SEC, elaborated on the Commission’s renewed focus and strategy regarding cybersecurity in his keynote address at Northwestern Pritzker School of Law’s Annual Securities Regulation Institute on January 24, 2022. In his address, Gensler discussed the state of cybersecurity, especially the steady increase in cyberattacks, and how the SEC intended to address the risks and impacts felt by U.S. markets and consumers. Gensler’s primary message was that the SEC’s then-existing regulatory schemes for cyber infrastructures were insufficient, and the best path forward demanded an increase in all facets of cyber regulation. Most notably, Gensler emphasized the importance of expanding reporting and disclosure requirements associated with cyber risks and events. In response to this address, a panel of ex-SEC officials and experts in the community observed that an increase in mandatory disclosure requirements would be a “heavy lift” and even cited specific evidence that companies subject to the cybersecurity reporting requirements at the time were almost entirely non-compliant.
In the years since his address, Gensler and the SEC have made strides toward his cybersecurity goals. The SEC reinstated and expanded its Crypto Assets and Cyber Unit (formerly known as the Cyber Unit); developed and proposed two new agency rules expanding companies’ cybersecurity policy and disclosure requirements (one directed at registered investment advisors and funds, and the other at public companies); and increased the number of claims initiated against organizations for cybersecurity violations, such as data privacy and incident reporting. However, the SEC had never initiated a litigated action against a public company regarding its cybersecurity disclosures. This brings us to SolarWinds.
SOLARWINDS & SUNBURST
On October 30, 2023, the SEC filed suit against SolarWinds Corp. (SolarWinds) and its Chief Information Security Officer (CISO), Timothy Brown (Brown), asserting violations of the antifraud provisions of the Securities Act of 1933 (Securities Act) and the Securities Exchange Act of 1934 (Exchange Act). The SEC’s Complaint (Complaint), later amended on February 16, 2024 (Amended Complaint), alleges nine violations of securities law. Included in the nine claims are allegations of material misstatements and misrepresentations by the Defendants that caused subsequent consumer harm in connection with what has since been labeled by industry experts as “one of the most sophisticated cyberattacks in history”: SUNBURST.
SUNBURST, a “trojan horse” attack, was perpetrated by Russian-government-sponsored hackers. According to an amicus curiae brief filed by over fifty cybersecurity leaders in SolarWinds’s defense, the sophistication of SUNBURST made it almost impossible to detect. Specifically, the malicious code was inserted into SolarWinds’ “crown jewel” software product, Orion, shortly before it was distributed to customers. The code was inserted in a way that avoided detection before distribution and even after Orion was downloaded, running disguised as a common “command” that evaded additional scrutiny by both users and SolarWinds’ support teams.
The SEC alleges that from October 2018 through January 12, 2021, the Defendants defrauded both investors and customers through misstatements, omissions, and schemes that concealed not only the company’s poor cybersecurity practices, but also its escalating cybersecurity risks. Allegedly, the Defendants’ public statements about the company’s cybersecurity practices and risks “painted a starkly different picture” than was actually the case and led to improper reliance by consumers and investors.
In addition to alleged misrepresentations regarding company practices and policies, the SEC argues that the Defendants violated reporting requirements after learning of SUNBURST’s presence in its systems. The Complaint alleges that, while the Defendants did follow basic reporting requirements by filing a Form 8-K disclosure with the SEC, the Form was false and misleading due to material omissions. The Defendants concede that they were not aware of SUNBURST’s presence when it first entered their systems; however, they maintain that the required filing procedures were completed within two days of its eventual discovery and authentication (well within the SEC’s requirement that filing be completed within four business days of occurrence/discovery).
In short, the SEC alleges that the Defendants violated securities laws in a manner that led to improper reliance on misleading and false policies and practices as to the security of the company’s top-selling software product, Orion. This improper reliance then led to consumer (which included almost all Fortune 500 companies and several government agencies) and investor harm at the hands of the SUNBURST attack, which was subsequently not reported by the Defendants in accordance with SEC filing requirements.
CASE STATUS
As of July 18, 2024, the U.S. District Court for the Southern District of New York has ruled on this matter in a way that will have significant impacts on related SEC action moving forward. The court’s Order explains that of the SEC’s original nine claims against Defendants, only two will survive Defendants’ Motion to Dismiss. Which two claims? The surviving securities fraud claims are that SolarWinds’s publicly available Security Statement contained misrepresentations as to the company’s (1) access controls, and (2) password protection policies. Both of these surviving claims concern the differences between public statements and the actual practices employed by the Defendants. The district court found that there was sufficient evidence to show that SolarWinds’ publicly available Security Statement advertised (1) very restrictive access controls that limited each user’s access according to strict guidelines, and (2) robust password practices designed to keep the company secure. Per the SEC’s Complaint, the Defendants defied these representations by allegedly (1) approving users’ requests for increased access readily and without additional investigation, and (2) using simple and easily guessed passwords, such as “solarwinds123” for one of its own company servers. Overall, this limitation by the district court serves as a significant success for the general telecommunications community that vocalized concerns about the SEC’s chosen course of action.
Among the claims dismissed, there are two whose dismissal notably aligns with the telecommunications community’s stance on this matter, as expressed in the amicus curiae brief filed in support of the Defendants: each of the claims against Brown, individually, and the claims of material omissions in the Defendants’ Form 8-K filings with the SEC.
First, dismissing all claims against Brown in his capacity as SolarWinds’s CISO is an outright rejection of a strategy the SEC had never before attempted: holding a company’s information security officer personally liable for any contributions they may have made while carrying out actions their role requires. This failure could indicate to the SEC that future attempts will have the same or similar results. Removing the concern of personal liability for information security officers, no matter their title, is beneficial to the position of CISO (and equivalents), as well as the broader telecommunications community. Per the arguments presented in the amicus curiae brief, concerns of personal liability for these positions—which are already challenging to fill—will only serve to further impede this role. The brief goes on to emphasize that professionals operating in these roles are conferred significant flexibility, which the nature of the office requires. These adaptable frameworks allow CISOs and similar roles to employ policies and procedures that best suit their company’s distinct organizational needs, letting these professionals make decisions that prioritize the best interests of their organization without the risk of violating overbearing regulatory requirements. Hypothetically, should any fear of personal liability be added to these officers’ concerns during times of complex issues and even more complex solutions, it would likely be impossible for them to operate in a timely and effective manner without sacrificing their organization’s priorities or blatantly violating regulatory demands.
Additionally, the court dismissed the SEC’s claims that the Defendants’ Form 8-K filings included material omissions that constituted a violation of securities laws. The SEC’s Complaint asserted that the Defendants specifically omitted reference to two incidents that had been reported before the discovery of the SUNBURST attack and that were both eventually found to be connected to it. When initially discovered in 2020, each of these additional incidents was handled according to company procedures that determined the appropriate course of action based on the information revealed about the attacks. However, it was later found that these initial incidents also involved the SUNBURST code, but SUNBURST’s aforementioned sophistication prevented its discovery during the initial procedures. The SEC asserts that the Defendants’ omission of these two additional incidents when eventually discovering and reporting SUNBURST constitutes a violation of securities laws even though all other reporting procedures and analysis requirements were followed for each event. In fact, the Defendants also filed an additional Form 8-K once the connection between the two initial attacks and SUNBURST was discovered. The SEC argues that there was a violation because it believes that the Defendants, specifically Brown, knew about the connection to SUNBURST during the initial reporting in 2020 but chose to omit this information from the required Form 8-K filings.
The telecommunications community argues that these allegations are counterproductive to the SEC’s mission. Per the Amended Complaint, the SEC claims that filings such as the Form 8-K disclosure should include every known risk an organization faces, otherwise they are materially misleading. The court broadly dismissed these claims because they were insufficiently pled, specifically regarding scienter on the part of Brown or SolarWinds. This is favorable, per the amicus curiae brief, for a number of reasons but, most importantly, because a requirement to disclose all risks that an organization faces on publicly available filings poses an entirely new risk of widespread harm across the cybersecurity ecosystem. Public disclosures that outline each organization’s vulnerabilities would provide potential threat actors with foolproof, step-by-step instructions on how to infiltrate and take advantage of critical infrastructures across industries with the click of a button.
TAKEAWAY
Ultimately, the court’s decision to dismiss these particular claims by the SEC demonstrates an express limitation on the strategy of enforcement-via-litigation that the SEC attempted to employ here. Had the claims against SolarWinds and its CISO survived judicial scrutiny, there would have been substantial and long-lasting impacts on the cyber community and its individual employees. It is important that regulating bodies are able to achieve their intended purposes, especially as it relates to matters with national security implications; however, it is just as important that these regulatory bodies are not empowered to overstep in the name of enforcement.