Could the SEC's Fraud Charges Against SolarWinds and its CISO Reshape Cybersecurity Oversight?

November 2, 2023 

Privacy Plus+

Privacy, Technology and Perspective

This week, the U.S. Securities and Exchange Commission (“SEC”) sued SolarWinds Corporation, and its chief information security officer (“CISO”) a/k/a “Vice President of Security and Architecture,” Timothy G. Brown (“Brown”) for alleged fraud and lapses in internal controls related to reported cybersecurity weaknesses and exposures.  A link to the SEC’s Press Release and Complaint follows:

Let’s touch on the SolarWinds background, examine the SEC’s complaint, and offer some perspective on cybersecurity oversight that may be helpful to companies and anyone acting as a CISO.


Background:

Between January 2019 and December 2020, SolarWinds’ Orion software platform was hacked in one of the worst cybersecurity incidents in history.  The hack was especially insidious because SolarWinds had sold that platform to many other companies and government agencies for the purpose of managing their networks; so the Orion hack opened the door to the compromise of thousands of client networks downstream.

We have written extensively about SolarWinds and the related risk of executive liability.  Now, that risk has manifested itself in the form of the SEC’s suit against SolarWinds and its CISO Brown.

The following are links to two previous posts providing more background:

The Complaint:

The SEC makes many charges against both SolarWinds and CISO Brown for Securities Act violations, and asserts additional aiding and abetting claims against CISO Brown.  Generally, the Complaint accuses SolarWinds, along with CISO Brown, of deceiving investors by misrepresenting the robustness of the company’s cybersecurity measures and either minimizing existing cybersecurity risks or not disclosing them at all.  

The Complaint focuses not just on SolarWinds’ SEC filings but also relies on company-approved press releases, blog posts, and podcast statements on the importance of cybersecurity protocols.  It contrasts these public statements with internal emails from SolarWinds’ cybersecurity personnel regarding the company’s deficiencies in that area, as well as audit results reflecting those deficiencies.

According to the SEC, SolarWinds and CISO Brown falsely promoted SolarWinds’ cybersecurity practices in the company’s public statements.  The SEC complains that SolarWinds’ filings disclosed only “generic and hypothetical cybersecurity risks that most companies face,” citing the following language from SolarWinds’ registration statement:

“If we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences.”

The SEC further alleges that such misstatements and omissions about SolarWinds’ cybersecurity practice were material because reasonable investors considering the purchase or sale of SolarWinds stock would have found that its poor cybersecurity practices would negatively impact sales and revenue, and, therefore, stock valuations.  The SEC explains:

“Cybersecurity practices are important to every publicly traded company. But they are especially important for a company like SolarWinds whose primary product is not only software, but software that other organizations install to manage their own computer networks. As a result, cybersecurity disclosures are particularly material for SolarWinds.”

In particular, the SEC alleges that SolarWinds and CISO Brown misleadingly claimed to follow:

  • the NIST Framework for evaluating cybersecurity practices, when, in fact, SolarWinds had no policy or practice in place for most of the NIST Framework;

  • a secure development lifecycle (“SDL”) when creating software for customers, when, in fact, SolarWinds did not always develop software in an SDL;

  • a strong password policy, when, in fact, SolarWinds did not universally enforce such policy on all of its information systems, applications and databases (and Brown and SolarWinds knew or were reckless or negligent in not knowing, as Sarbanes-Oxley (“SOX”) audits documented instances in which password requirements were not met); and

  • strong access controls, when, in fact, SolarWinds had persistent “access problems” of which CISO Brown ignored warnings.

According to the SEC, these issues were part of a “pervasive cybersecurity problem” throughout the company and indicative of “a culture that did not take cybersecurity issues with sufficient seriousness” as well as a “scheme to conceal these issues from investors and customers.”

In notable paragraphs of the Complaint (see e.g. Paragraph 120), the SEC references presentations and other communications sent by CISO Brown to SolarWinds’ Chief Information Officer (“CIO”).  These communications allegedly included, among other things, “multiple red text warnings” about the company’s cybersecurity posture. 

According to the SEC, CISO Brown’s communications exhibit his knowledge, recklessness, and/or negligence, and therefore, he is liable “by virtue of his role as an officer of SolarWinds, head of its InfoSec group, chief spokesperson on cybersecurity issues, and the literal ‘face’ of cybersecurity at the Company.” (His picture was prominently displayed on the “Trust Center” of SolarWinds’ website where the Company posted the Security Statement.) The SEC also alleges that CISO Brown signed sub-certifications relied on by senior executives confirming that all material incidents had been disclosed to the executives responsible for the company’s securities filings. 

Perhaps sensing an issue with holding a relatively junior executive personally liable in this instance, the SEC alleges in the alternative (Paragraph 181) that “SolarWinds employees involved in and responsible for these issues, including those described above, collectively knew, or were reckless or negligent in not knowing, that the SEC filings listed above were false for the reasons described above.”

The Complaint also details alleged internal control failures related to accounting controls.

Our Thoughts:

Confronting Complex Dynamics: As time goes on, we’ll aim to delve into what seems to have become a gap in understanding and expectations among various stakeholders in the realm of cybersecurity.  On one end, we see regulators setting idealistic, sometimes impractical standards; on the other, courts are casting a wary eye on these agencies, adding pressure on businesses that struggle to keep pace with sophisticated state-sponsored cyber threats.

Caught in the middle are CISOs who are now being treated as scapegoats in a world that clamors for immediate answers and accountability.  These cybersecurity leaders must navigate a minefield where every step is scrutinized, and every misstep could lead to disproportionate blame. In future posts, we’ll aim to highlight the tensions CISOs face and the urgent need for a realistic alignment between regulatory ideals and the actual capacities and challenges within the cybersecurity landscape.

The Imperative of Cybersecurity in Leadership: The SEC's action serves as a potent reminder that cybersecurity cannot be an afterthought for any organization—particularly for those providing network management software. The SEC has now acknowledged the cybersecurity of network management software as a material concern, elevating it to a top-tier priority. Company leaders must recognize the immense responsibility they shoulder in relation to cybersecurity.  Ignoring this duty can have dire consequences.

The Risk of Penalizing CISOs: Despite the clear importance of cybersecurity, there is, understandably, a growing apprehension among CISOs about their potential liability.  If you are a CISO, you may be interested in this link to our previous post, "Top 5 Questions Every CISO Should Ask":

https://www.hoschmorris.com/privacy-plus-news/top-5-questions-every-ciso-should-ask

Here, however, we are reminded of Winston Churchill’s adage: Success is not only about doing our best but also about accomplishing what is necessary.  We think the weight of achieving success should not be so heavy as to deter talented professionals from assuming critical roles out of fear of punitive outcomes.  We can understand the recent criminal conviction of Uber’s CISO, but we have a harder time seeing how CISO Brown should be held accountable under the facts pleaded in the Complaint.

Further, no one wants to take on a job whose unwritten description includes “guarantor of success,” at the pain of becoming a scapegoat, at best. How much would you have to pay for someone to take that on?  How desperate would you have to be to take it on yourself?

Advocating for Balanced Cybersecurity Management: In the current environment, CIOs and CISOs are inundated with a deluge of new security products and daily threat warnings. Excessive regulatory demands could exacerbate this flood, leading to counterproductive behaviors. Staff might underplay or conceal security gaps to avoid repercussions, or, conversely, they might over-report issues, creating an overwhelming tide of alerts that obfuscate genuine threats. In short, the added risk of SEC enforcement against individuals charged with cybersecurity can strain already-limited resources, discouraging qualified people from entering or remaining in these critical positions.

A prudent approach to cybersecurity reporting would involve careful attention to human and communicative aspects. Among other steps, the following seem sensible to us:

  • Board-Level Priority: Cybersecurity must remain a board-level priority, particularly where failure could result in significant harm to the company, its clients, or national security.

  • Realistic Expectations: The objectives for cybersecurity personnel should be practical, and responsibilities should be distributed adequately across teams.

  • Transparent Disclosures: Public companies must carefully follow the SEC’s new Cybersecurity Disclosure Rules. But all companies, when called upon, should accurately disclose their actual cybersecurity practices, avoiding aspirational or presumptive statements that could mislead investors or the public.

  • Collaboration in Reporting: Cybersecurity experts and those responsible for drafting SEC disclosures must actually communicate and work closely with each other, ensuring all claims are factual and verifiable.

  • Watch Out for Marketing: Overly boastful advertising claims can undermine SEC disclosures.

  • Specialized Oversight: Companies should consider the establishment of dedicated teams for quality assurance and whistleblower evaluations, as well as for managing technology procurement within financial constraints.

  • Guidance for Disclosure Writers: Those writing SEC disclosures should heed not only specific SEC rules but also draw lessons from product labeling and fair advertising practices. Disclosures should be clear and concise, and ensure that disclaimers do not undermine the integrity of the claims made.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
