Federal judge greenlights securities fraud charges against SolarWinds and its CISO
Security firm SolarWinds had good news and bad news this week, as most of the charges in the US Securities and Exchange Commission (SEC) lawsuit, filed in the wake of the 2020 Sunburst cyberattack, were dismissed. However, the charges against both the company and its CISO around securities fraud will go to trial.

The securities fraud accusation is based on the SEC argument that shareholders and potential shareholders could be fraudulently misled by incorrect claims about a company’s defenses.

In a stinging rebuke, a federal court judge on Thursday wrote in a 107-page decision that the company’s security statement was “materially false and misleading” and that the company’s security posture “fell way short of even basic requirements of corporate cyber health.” He said many of SolarWinds’ security claims were “flat falsehood.”

“Given the centrality of cybersecurity to SolarWinds’ business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material,” wrote United States District Judge Paul Engelmayer. “The Security Statement’s statements about the muscularity of the company’s password practices are … misleading if not outright false. These misrepresentations, too, are material.”

The judge also made various direct comments about SolarWinds CISO Timothy Brown.

“Brown approved, disseminated, and promoted the Security Statement despite knowing of the ample evidence contradicting the Statement’s rosy account of SolarWinds’ cybersecurity practices,” the judge wrote. “Thus, his dissemination and promotion of the Security Statement as an accurate depiction of SolarWinds’ cybersecurity practice was reckless and an extreme departure from standards of ordinary care.”

Dismissed charges

Although the judge ordered that the securities fraud charge proceed to trial, he dismissed all of the other charges. Those charges included the SEC’s argument that security misrepresentations amount to accounting errors, and that statements made in news releases and blogs also fooled investors.

Engelmayer also dismissed public statements by Brown, including those in company-approved press releases, blog posts, and podcasts, “because each qualifies as non-actionable corporate puffery, too general to cause a reasonable investor to rely upon them.”

The judge said that when the SEC faulted the public disclosures, it “means to fault SolarWinds for not spelling out these risks in greater detail.” But, the judge wrote, “the case law does not require more” and specifically does not require “that the company set out in substantially more specific terms scenarios under which its cybersecurity measures could prove inadequate. As decisions in this District have recognized, the anti-fraud laws do not require cautions to be articulated with maximum specificity.”

He also dismissed the accounting claims. “As a matter of statutory construction, that reading is not tenable. In various respects, the text of the statute strongly supports that the term ‘system of internal accounting controls’ instead refers to a company’s financial accounting. The term ‘accounting’ is widely defined in this manner. The SEC has not identified any dictionary definition favoring its construction.”

Security deficiencies

The decision also cited many of the company’s security deficiencies.

“SolarWinds did not enforce strong password requirements and repeatedly failed to abide by its own password policy,” it read. “One product had the default password ‘password.’ In November 2019, an outside security researcher notified the company that the password to the company’s Akamai server, used to distribute software updates to customers, was publicly available. The leaked password to the server, ‘solarwinds 123’, was formulated in a blatant violation of the company’s password policy.”

CISOs should be cautious

Three former government prosecutors, including one former senior counsel for the SEC itself, said the decision does not meaningfully change the rules for CISOs and other enterprise executives.

Former Justice Department prosecutor Mark Rasch, who today is in private practice focusing on security issues, said that security executives should not celebrate very much that so many counts were dismissed. Still, he argued that, for SolarWinds, dismissed charges are certainly a good thing.

“When you are charged with multiple counts, any remaining counts can still kill you,” he said. “There isn’t a lot of difference between being shot in the head ten times and being shot in the head twice. That said, it’s still better to only be shot twice.”

“The biggest message for CISOs is that they need to make sure that not only must the board and senior management know about all risks, but they need to reflect that in whatever they tell third parties and investors.”

Brian Levine, a former federal prosecutor who today serves as the managing director at Ernst & Young overseeing cybersecurity strategies, agreed, saying “for SolarWinds, this was not a good result. The court found that they engaged in the most serious conduct, which is securities fraud.”

But Levine said the bulk of the decision was more bad news for the SEC than it was good news for SolarWinds.

“Agencies like the SEC are not used to bringing charges and losing on most of them,” Levine said. “For the court to find so many of the SEC theories were overreaches or incorrect is unusual. It will make some at the SEC think about how aggressive they want to be in using untested theories going forward.”

Levine said he saw the ruling delivering a small message to enterprise security leaders: “Smart CISOs may be more careful about what they say in public statements. And also, whether they make public statements about their security at all. You don’t get much credit for making them,” and there is a potential downside.

Walker Newell, who was senior counsel for the SEC for five years, leaving in 2020, and today is the VP for litigation and enforcement at consultant and insurer Woodruff Sawyer, sees this as a message to companies about their security claims.

“The ruling represents a strong endorsement of the government’s (securities fraud) claim and it will be an uphill battle for defendants to get the claim thrown out at summary judgment,” Newell said. “The ruling confirms that public companies should treat cybersecurity-related public statements – no matter how, in what medium, or to whom they are made – as they would a carefully crafted SEC filing.

“Security leaders need to work closely with legal and communications teams to consider whether there is any daylight between sunny public descriptions of the company’s posture and any dark spots in the corporate security environment. It will be important to weigh any benefits gained by making non-mandated public statements about cybersecurity controls against the risk that those statements will be weaponized if a breach materializes in the future.”
