A US District Court judge has upheld a securities fraud claim brought by markets watchdog the SEC against SolarWinds and its CISO Tim Brown.
But it has dismissed all others, in a court case that has revealed extraordinary levels of carelessness and torpor over the publicly listed software company’s security posture, despite engineers internally, and on occasion its CISO Brown himself, flagging the heightened resulting risks.
The software company and its cybersecurity leader knew a security statement it published on its website was “materially false and misleading”, and the SEC “amply pleads, with particularity, that Brown knew of the substantial body of data that impeached the Security Statement's content as false and misleading”, said Judge Paul Engelmayer on Thursday.
In a 107-page decision published on July 18 and reviewed by The Stack, Judge Engelmayer considered the evidence brought by markets watchdog the SEC in an amended complaint (“AC”) against SolarWinds.
That evidence reiterates that for nearly two years hackers “repeatedly accessed SolarWinds' network” undetected and undisturbed before ultimately tampering with the software of its flagship product, then using that to hack its customers, including numerous federal agencies.
Despite a litany of internal security incidents and issues – in 2019, for example, the company assessed 43 types of access controls required by the NIST 800-53 cybersecurity framework and found that, of the 43 controls, only two were "in place", and for the subcategory "Identification and Authentication" precisely zero controls were rated "in place" – the company posted a "Security Statement" on its website, and made statements in filings required under the securities laws, that suggested its security was robust.
Per the Judge’s ruling today, that statement “held out SolarWinds as having sophisticated cybersecurity controls in place and as heeding industry best practices. In reality, based on the pleadings, the company fell way short of even basic requirements of corporate cyber health. Its passwords, including for key products, were demonstrably weak and the company gave far too many employees unfettered administrative access and privileges, leaving the door wide open to hackers and threat actors.”
(In 2019 an external security researcher also flagged to SolarWinds that a server it used to distribute software updates to customers was protected by the password "solarwinds123", and in 2018 an internal engineer had persistently raised a major VPN vulnerability that went unresolved and which was used, six months later, as a key entry point by the hackers.)
The SEC had, however, levied a range of charges against SolarWinds and its CISO in the wake of what became known as the “SUNBURST” attacks.
The Court said that it “sustains the SEC's claims of securities fraud based on the company's Security Statement. That statement is viably pled as materially false and misleading in numerous respects. The Court, however, dismisses the claims of securities fraud and false filings based on other statements and filings” and, “as to post-SUNBURST disclosures, the Court dismisses all claims”: positive news for the company, which in 2023 settled for $26 million in a civil suit brought against it in Texas.
The SEC “plausibly alleges scienter with respect to Brown's dissemination and promotion of the Security Statement”, the Judge said, using a legal term meaning "intent to deceive, manipulate, or defraud…”
“As alleged, Brown approved, disseminated, and promoted the Security Statement despite knowing of the ample evidence contradicting the Statement's rosy account of SolarWinds' cybersecurity practices. Thus, his dissemination and promotion of the Security Statement as an accurate depiction of SolarWinds' cybersecurity practice was reckless and an extreme departure from standards of ordinary care”, the Judge found.
One commentator, Jennifer Lee, a partner at law firm Jenner and Block, noted: “Notably, the Court found that the law does not require more specificity in a company’s risk factor disclosures about cybersecurity attacks.
“The Court also dismissed the internal accounting controls charge, reasoning that the statute focuses on ‘financial accounting’ (and that cybersecurity controls are outside the scope of the statute).”
(The SEC had brought one claim, uniquely, under Section 13(b)(2)(B) of the Exchange Act, alleging that SolarWinds failed to "devise and maintain a system of internal accounting controls” – the first time it had tried to bring an accounting control claim based on cybersecurity failings.)
To Lee, posting on LinkedIn, the big takeaways were that this is “the first time a court has analyzed (and largely narrowed) the SEC’s disclosure theories in the context of cybersecurity at the pleading stage.”
She added that “the Court’s decision permitting the fraud claim to proceed (at least in part) confirms that there is a basis to conclude that CISOs can have disclosure obligations under the federal securities laws…”
SolarWinds said it was pleased with the decision to throw out the majority of the charges and, per Reuters, called the remaining claim against the company "factually inaccurate."