On October 30, 2023, the Securities and Exchange Commission (the “SEC”) filed a civil lawsuit charging SolarWinds Corporation (“SolarWinds” or the “Company”) and its chief information security officer, Timothy G. Brown (“Brown”), with securities fraud, internal controls failures, misleading investors about cyber risk, and disclosure controls failures, among other violations.  The SEC’s claims arise from allegedly known cybersecurity risks and vulnerabilities at SolarWinds associated with the SUNBURST cyberattack that occurred between 2018 and 2021.

Background

Founded in 1999, SolarWinds, a publicly traded company, provides software that thousands of companies and many government agencies use to manage their information technology infrastructure by, for example, monitoring activity on networked servers.  SolarWinds conducted its first initial public offering (“IPO”) in 2009 and remained a public company until February 2016, when it was acquired by several private equity firms in a take-private transaction. The Company conducted a second IPO in October 2018 and remains a public company.  The Company filed a Form S-1 registration statement with the SEC in connection with its October 2018 IPO, which became effective on October 18, 2018.  The Company conducted an additional public offering of shares through a Form S-1 registration statement filed on May 20, 2019.  The SEC alleges that SolarWinds falsely promoted its cybersecurity practices and, furthermore, deprived investors of key information when the Company went forward with its 2018 offering without disclosing known vulnerabilities.

The SUNBURST cyberattack on SolarWinds compromised “SolarWinds’ Orion software platform, a flagship product that the Company considered to be a ‘crown jewel’ asset and which accounted for 45% of [SolarWinds’] revenue in 2020.”  See Complaint at ¶ 1.  Orion, a monitoring and management software, is used by government agencies and organizations worldwide. Consequently, the SUNBURST cyberattack sparked significant concerns related to risk in the cybersecurity supply chain.

The Complaint

Filed in federal district court in the Southern District of New York, the SEC’s complaint alleges:

  • SolarWinds and Brown defrauded investors by misstating SolarWinds’ cybersecurity practices in a “Security Statement” on SolarWinds’ website, and by making disclosures that failed to convey known cybersecurity risks;
  • SolarWinds made materially misleading disclosures by disclosing hypothetical and generic cybersecurity risks, which were repeated verbatim in numerous securities filings, instead of disclosing specific, elevated risks faced by SolarWinds;
  • The Company knew of specific deficiencies in SolarWinds’ cybersecurity practices, which it had documented in internal assessments, when it made statements about the strength of those practices;
  • Internal SolarWinds communications questioned the Company’s ability to protect its critical assets from cyberattacks, which were inconsistent with regulatory frameworks that the Company adhered to and that required protecting entity assets from external threats;
  • Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities and failed to resolve them or sufficiently raise the issues to the Company’s attention; and
  • After learning of the SUNBURST attack, SolarWinds made incomplete disclosures about it in its December 14, 2020, Form 8-K filing, which Brown participated in drafting and whose technical statements he confirmed as accurate.

The SEC alleges that SolarWinds and Brown violated several laws, including:

  • Section 17(a) of the Securities Act (false statements in connection with the offer or sale of securities);
  • Section 10(b) of the Exchange Act and Rule 10b-5 (securities fraud);
  • Section 13(a) of the Exchange Act (false or misleading periodic securities filings);
  • Section 13(b)(2)(B) of the Exchange Act (failure to maintain sufficient internal accounting controls);
  • Exchange Act Rule 13a-15(a) (inadequate disclosure controls); and
  • As to Brown individually, aiding and abetting the Company’s violations.

Among other remedies sought, the SEC seeks an officer and director bar against Brown.

Takeaways

The SEC’s latest action highlights the importance of cybersecurity practices at publicly traded companies, as well as of considering cybersecurity practices and incidents as part of disclosure controls.  The SEC’s action comes just months before its recent final rules come into effect for public company disclosures about cybersecurity risk management and disclosures about material cybersecurity incidents.

***

Crowell & Moring attorneys are monitoring this SEC development and enforcement activity relating to cybersecurity, generally.  Please contact us if you have any questions about how the SolarWinds litigation or your current cybersecurity posture may impact your business.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Daniel Zelenko

Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S. Securities and Exchange Commission (SEC). He has been recognized as a leader in the white collar and regulatory enforcement bar by Chambers USA since 2016 and is held in high regard for his U.S. Department of Justice (DOJ) and SEC experience and his antitrust and securities enforcement experience. Chambers USA described Dan as a “tremendous talent” who “tries cases really impressively before the government,” noting that he “is a very effective advocate who sees the whole picture,” is “thoroughly knowledgeable about the legal and regulatory landscape,” and that “he knows his way around the street, and knows how to work with people in difficult situations.” Dan has been quoted as a leading authority on white collar defense and government investigations in numerous media outlets including The Wall Street Journal, The New York Times, Bloomberg and Reuters and has appeared on CNN.

Matthew B. Welling

Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

William J. Bruno

William Bruno is a partner in the Washington, D.C. office of Crowell & Moring, where he is a member of the firm’s Corporate Group. William’s practice focuses on general corporate and securities matters for public and private companies, including mergers and acquisitions, initial and follow-on securities offerings, complex commercial transactions, and corporate governance. William advises clients seeking to grow, collaborate, and secure new capital.

Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

Alexander Urbelis

Alex Urbelis is a senior counsel in the New York office and a member of the Privacy & Cybersecurity Group. Alex has more than 20 years of experience in the information security community and has varied experience as a Chief Information Security Officer (CISO), Chief Compliance Officer, in-house counsel, and private practice litigator.

Alex has a unique skill set that has allowed him to create a bridge between the technical and legal side of cybersecurity. As a result, he is the primary architect of an exclusive DNS (Domain Name Search) monitoring and intelligence platform. Through this intel platform, Alex advises his clients on identified and early-stage indicators of cybersecurity threats and provides counsel on legal actions and technical defensive remedies to neutralize those threats. Alex tracks sophisticated cyber adversaries and advanced persistent threats (APTs) through his intel platform and, notably, detected a state-sponsored cyber intrusion attempt targeting the World Health Organization in March 2020. For combining legal and technical skill sets with public service, the Financial Times selected Alex as a finalist for its Innovative Lawyers awards for pandemic response in 2020.

Anand Sithian

Anand Sithian is a counsel in Crowell & Moring’s New York office. He is a member of the International Trade and the White Collar & Regulatory Enforcement groups. Anand advises clients on a variety of regulatory issues and investigations relating to anti-money laundering (AML), the Bank Secrecy Act (BSA), U.S. economic sanctions, including those administered by the Office of Foreign Assets Control (OFAC), and asset forfeiture matters. Anand routinely counsels clients on the novel application of these laws and regulations to issues involving financial institutions, technology and social media, virtual currency and digital assets (including the seizure and forfeiture of virtual currencies), and the evolving cannabis industry.

Garylene “Gage” Javier

Garylene “Gage” Javier, CIPP/US is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage’s practice focuses on privacy, data security, and consumer protection, assisting financial services clients in overcoming regulatory challenges and achieving their business goals. Gage assists clients with concerns that arise from state and federal laws that apply to data privacy and information security, including: the Gramm-Leach-Bliley Act (GLBA); California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); California Financial Information Privacy Act (CFIPA); the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule; the Virginia Consumer Data Protection Act (CDPA); and the EU General Data Protection Regulation (GDPR).