On October 30, 2023, the Securities and Exchange Commission (the “SEC”) filed a civil lawsuit charging SolarWinds Corporation (“SolarWinds” or the “Company”) and its chief information security officer, Timothy G. Brown (“Brown”), with securities fraud, internal controls failures, misleading investors about cyber risk, and disclosure controls failures, among other violations.  The SEC’s claims arise from allegedly known cybersecurity risks and vulnerabilities at SolarWinds associated with the SUNBURST cyberattack that occurred between 2018 and 2021.

Background

Founded in 1999, SolarWinds, a publicly traded company, provides software that thousands of companies and many government agencies use to manage their information technology infrastructure by, for example, monitoring activity on networked servers.  SolarWinds conducted its first initial public offering (“IPO”) in 2009 and remained a public company until February 2016, when it was acquired by several private equity firms in a take-private transaction. The Company conducted a second IPO in October 2018 and remains a public company.  The Company filed a Form S-1 registration statement with the SEC in connection with its October 2018 IPO, which became effective on October 18, 2018.  The Company conducted an additional public offering of shares through a Form S-1 registration statement filed on May 20, 2019.  The SEC alleges that SolarWinds falsely promoted its cybersecurity practices and, furthermore, deprived investors of key information when the Company went forward with its 2018 offering without disclosing known vulnerabilities.

The SUNBURST cyberattack on SolarWinds compromised “SolarWinds’ Orion software platform, a flagship product that the Company considered to be a ‘crown jewel’ asset and which accounted for 45% of [SolarWinds’] revenue in 2020.”  See Complaint at ¶ 1.  Orion, a monitoring and management software, is used by government agencies and organizations worldwide. Consequently, the SUNBURST cyberattack sparked significant concerns related to risk in the cybersecurity supply chain.

The Complaint

Filed in federal district court in the Southern District of New York, the SEC’s complaint alleges:

  • SolarWinds and Brown defrauded investors by misstating SolarWinds’ cybersecurity practices in a “Security Statement” on SolarWinds’ website, and making disclosures that failed to convey known cybersecurity risks;
  • SolarWinds made materially misleading disclosures by disclosing hypothetical and generic cybersecurity risks, which were repeated verbatim in numerous securities filings, instead of disclosing specific, elevated risks faced by SolarWinds;
  • The Company knew of specific deficiencies in SolarWinds’ cybersecurity practices, which it had documented in internal assessments, when it made statements about the strength of those practices;
  • Internal SolarWinds communications questioned the Company’s ability to protect its critical assets from cyberattacks, which were inconsistent with regulatory frameworks that the Company adhered to and that required protecting entity assets from external threats;
  • Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities and failed to resolve them or sufficiently raise the issues to the Company’s attention; and
  • After learning of the SUNBURST attack on SolarWinds, SolarWinds made incomplete disclosures about the attack in its December 14, 2020, Form 8-K filing; Brown participated in drafting that filing and confirmed the accuracy of its technical statements.

The SEC alleges that SolarWinds and Brown violated several laws, including:

  • Section 17(a) of the Securities Act (false statements in connection with the offer or sale of securities);
  • Section 10(b) of the Exchange Act and Rule 10b-5 (securities fraud);
  • Section 13(a) of the Exchange Act (false or misleading periodic securities filings);
  • Section 13(b)(2)(B) of the Exchange Act (failure to maintain sufficient internal accounting controls);
  • Exchange Act Rule 13a-15a (inadequate disclosure controls); and
  • As to Brown individually, aiding and abetting the Company’s violations.

Among other remedies sought, the SEC seeks an officer and director bar against Brown.

Takeaways

The SEC’s latest action highlights the importance of cybersecurity practices at publicly traded companies, as well as of treating cybersecurity practices and incidents as part of disclosure controls.  The SEC’s action comes just months before its recent final rules come into effect for public company disclosures about cybersecurity risk management and disclosures about material cybersecurity incidents.

***

Crowell & Moring attorneys are monitoring this SEC development and enforcement activity relating to cybersecurity, generally.  Please contact us if you have any questions about how the SolarWinds litigation or your current cybersecurity posture may impact your business.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Daniel Zelenko

Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S. Securities and Exchange Commission (SEC). He has been recognized as a leader in the white collar and regulatory enforcement bar by Chambers USA since 2016 and is held in high regard for his U.S. Department of Justice (DOJ) and SEC experience and his antitrust and securities enforcement experience. Chambers USA described Dan as a “tremendous talent” who “tries cases really impressively before the government,” noting that he “is a very effective advocate who sees the whole picture,” is “thoroughly knowledgeable about the legal and regulatory landscape,” and that “he knows his way around the street, and knows how to work with people in difficult situations.” Dan has been quoted as a leading authority on white collar defense and government investigations in numerous media outlets including The Wall Street Journal, The New York Times, Bloomberg and Reuters and has appeared on CNN.

Matthew B. Welling

Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

William J. Bruno

William Bruno is a partner in the Washington, D.C. office of Crowell & Moring, where he is a member of the firm’s Corporate Group. William’s practice focuses on general corporate and securities matters for public and private companies, including mergers and acquisitions, initial and follow-on securities offerings, complex commercial transactions, and corporate governance. William advises clients seeking to grow, collaborate, and secure new capital.

Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

Anand Sithian

For high-stakes internal and government investigations and complex regulatory and compliance matters, companies and individuals look to Anand to provide strategic advice and counseling, particularly on issues relating to the Bank Secrecy Act and Anti-Money Laundering (“BSA/AML”), economic sanctions, and digital assets. Anand is resident in the firm’s New York office and a member of the firm’s International Trade, White Collar and Regulatory Enforcement, and Financial Services groups.

A former federal prosecutor, Anand leverages his government experience to guide clients through complex white-collar matters, including grand jury and regulatory investigations, enforcement proceedings, and internal investigations. Anand has deep experience in parallel criminal and civil investigations and proceedings, and often represents clients in defending against civil lawsuits related to government investigations.

Representing some of the world’s largest banks and technology companies, Anand has addressed a wide range of issues, including economic sanctions, BSA/AML; economic sanctions and national security; payments and cryptocurrency; securities laws; and cybersecurity enforcement. In the regulatory space, Anand prides himself on providing commercial and actionable advice, including in the developing areas of digital assets, FinTech, and payments.

Garylene “Gage” Javier

Garylene “Gage” Javier, CIPP/US is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage’s practice focuses on privacy, data security, and consumer protection, assisting financial services clients in overcoming regulatory challenges and achieving their business goals. Gage assists clients with concerns that arise from state and federal laws that apply to data privacy and information security, including: the Gramm-Leach-Bliley Act (GLBA); California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); California Financial Information Privacy Act (CFIPA); the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule; the Virginia Consumer Data Protection Act (CDPA); and the EU General Data Protection Regulation (GDPR).