Notwithstanding, the biggest move here is the handling of the SEC’s “internal accounting controls” and “disclosure controls” allegations in connection with SolarWinds’ cybersecurity practices. Here, the court dismissed the claims brought under Section 13(b)(2)(B) of the Securities Exchange Act, stating that while the SEC has the authority to regulate accounting controls, “that term, as a matter of statutory construction, cannot reasonably be interpreted to cover a company’s cybersecurity controls such as its password and VPN protocols.” See Opinion and Order at 95. The court states plainly that the accounting controls provision does not, and was not intended to, apply to cyber controls; accounting controls must have some nexus with financial accounting. The disclosure controls claims were also dismissed, but on narrower grounds.
What Stuck?
Of the parts of the case that continue to move forward, claims related to pre-attack cybersecurity statements largely survived. Specifically, claims relating to a Security Statement posted on SolarWinds’ website survived. That statement was publicly posted and used as SolarWinds’ “official response to customer questionnaires about its cybersecurity practices.”
The court pointed out that these statements were made even though both the CISO (Brown, who is also charged) and the company knew that critical vulnerabilities persisted. Indeed, the court extensively cites SolarWinds’ NIST audits, which repeatedly scored the company’s cyber controls as weak across numerous categories. The court also took issue with the Security Statement’s representations about access controls and password protection, finding them materially misleading. Importantly, the court rejected SolarWinds’ argument that the Security Statement was customer facing (i.e., not intended for investors), finding that because the Security Statement was placed on SolarWinds’ public website, it not only made misleading claims to customers but was accessible to all, including investors, making it part of the “ ‘total mix of information’ that SolarWinds furnished to the investing public.” See Opinion and Order at 51.
Finally, the court addresses additional critical weaknesses, such as the failure to manage admin rights and the protection of an Akamai server with a publicly available password (solarwinds123), that were unremediated, persistent, and known to both Brown and the company. Nonetheless, the company’s Security Statement remained posted for customers and investors alike to see.
That claims relating to these statements survived is unsurprising.
What’s Out?
Perhaps the bigger story here is the set of claims that were dismissed.
The court quickly dismissed claims related to disclosures in the company’s S-1 and 8-Ks, finding that the statements either adequately warned of the risk or accurately portrayed facts that were available at the time of filing. Further, the court found there was no affirmative obligation for SolarWinds to amend its previous statements.
More significantly, the court eliminated the SEC’s claims relating to accounting controls and disclosure controls.
Accounting Controls:
Section 13(b)(2)(B)(iii) requires that public companies “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that... access to assets is permitted only in accordance with management’s general or specific authorization.” In several cases, the SEC has used accounting controls as the basis for cyber actions, including in a recent settlement with R.R. Donnelley. However, the court takes issue with the use of accounting controls as the basis for cyber enforcement.
The court points out that accounting controls must relate to “financial accounting.” Dismissing this use of accounting controls, the court writes that there is nothing in the rule, its congressional history, or its enforcement to indicate that it can apply to cybersecurity controls. Any interpretation stretching accounting controls this far would mean accepting that the concept has no limiting principle. In theory, such a broad reading could be used to enforce against a range of corporate behaviors that are not within the SEC’s scope, such as “background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers.” See Opinion and Order at 100.
In reaching this decision, the court distinguished a case from the District of Arizona that applied Section 13(b)(2)(B) to controls related to insider trading. The court explained that the controls in that case were more closely aligned to accounting controls because they “directly related to ensuring the integrity of the company’s financial transactions.” See Opinion and Order at 99. Thus, the court left open the possibility that Section 13(b)(2)(B) may apply to some degree more broadly than just strict accounting controls.
This may be a single decision, but when read together with the recent Supreme Court decision in Loper Bright overturning Chevron, the momentum suggests that the SEC may face difficulties in pursuing future cyber claims based on accounting controls, unless it receives a clearer mandate for cyber authority. As the court succinctly states, “the history and purpose of the statute confirm that cybersecurity controls are outside the scope of Section 13(b)(2)(B).” See Opinion and Order at 100.
Disclosure Controls:
Claims based on disclosure control failures were also dismissed, although this dismissal did not pose as many existential questions as the accounting controls dismissal.
Disclosure controls, covered in Exchange Act Rule 13a-15(a), require companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed is accumulated and communicated to management so that timely decisions about disclosure to shareholders can be made.
In SolarWinds, these claims related to two specific instances. The first allegation related to the handling of alerts and incidents that would later be connected to the 2020 hack. In particular, the SEC claimed that SolarWinds failed to adequately classify the severity of two incidents, indicating a defect in its Incident Response Plan. Per the SEC, SolarWinds misclassified both incidents as a “0” severity level when, according to its internal procedures, they should have been classified as a “2”. Here, the court said that even if those two incidents were misclassified, the SEC was not able to show systemic deficiencies that could support a disclosure controls claim.
The other disclosure claim related to whether Brown properly escalated a VPN vulnerability in 2018. The SEC alleged that a SolarWinds engineer, and eventually several other personnel, alerted Brown to the VPN vulnerability and that Brown should have escalated the issue to the CEO and CTO for public disclosure. The failure to escalate, according to the SEC, was a failure in SolarWinds’ disclosure controls program. But the court disagreed, finding that the decision not to escalate did not impugn SolarWinds’ disclosure controls systems. Indeed, the court highlighted that the engineer who initially raised the issue received some level of pushback on his findings, suggesting that there was some element of internal debate about the severity of the VPN issue.
What’s Next?
In the near term, the claims related to SolarWinds’ cybersecurity statements will move forward, but the claims related to its more formal SEC filings will not. As already stated, the court’s reasoning and decision with respect to those statements is not surprising.
But looking at the big picture, the SEC appears to have less power to pursue cyber cases as accounting controls failures. This is just one district court, but the logic is convincing, especially in light of other recent rulings limiting federal agencies’ power where they lack explicit authority.
And lastly, some of the claims against Brown stand, strengthening the precedent for bringing cyber-related claims directly against individuals.