by Nicole Friedlander, Anthony J. Lewis, Robert W. Reeder, John B. Sarlitto, Michael S. Drell, and Paulena B. Prager
Complaint Alleges Knowledge and Concealment of Poor Cybersecurity Practices and Heightened Cyber Risks
SUMMARY
On October 30, 2023, the Securities and Exchange Commission (“SEC”) filed a complaint against SolarWinds Corporation (“SolarWinds”) and its Chief Information Security Officer (“CISO”), alleging securities fraud and failures of reporting, internal control over financial reporting, and disclosure controls and procedures, in connection with a compromise of the company’s software product that was publicly revealed in December 2020.[1] The complaint (“Complaint”), filed in the Southern District of New York, alleges that SolarWinds and its CISO misled investors and customers about known, material cybersecurity weaknesses and risks, including several that allegedly enabled the compromise, through which U.S. government networks and corporations were infiltrated in a cyber espionage campaign by the Russian government. The SEC alleges that the defendants made materially false and misleading statements and omitted material facts on SolarWinds’ website and in its blog posts, press releases, initial registration statement (“Form S-1”), quarterly and annual SEC reports, and the current report on Form 8-K in which SolarWinds first disclosed the compromise. The SEC seeks declaratory and injunctive relief, disgorgement, a civil monetary penalty in an unspecified amount, and an order permanently prohibiting the CISO from acting as an officer or director of a public company.
The SEC’s action is novel in several respects. The SEC has never previously charged a company with scienter-based securities fraud in violation of Section 10(b) of the Exchange Act and Rule 10b-5 promulgated thereunder, or an internal accounting controls violation, in connection with alleged cybersecurity deficiencies or incidents. In doing so here, the SEC appears to advance the novel theory that the company’s information systems, source code, and products were assets for purposes of the internal accounting controls provisions of the securities laws. The SEC’s action is also the first in which it has charged a CISO individually in connection with a company’s alleged cybersecurity-related violations. The SEC’s claims, and certain of its allegations, have significant implications for companies’ cybersecurity governance, risk management, and control and disclosure frameworks, and for executives with cybersecurity oversight responsibilities.
BACKGROUND
As discussed in our earlier Memorandum to Clients, SolarWinds is a Texas-based company that produces software used for information technology management. Its signature product, Orion, was used throughout the U.S. public and private sectors, including (according to the Complaint) by 499 companies in the Fortune 500. On December 14, 2020, SolarWinds publicly disclosed that malicious code had been inserted into certain versions of Orion by threat actors. In April 2021, the U.S. government attributed the compromise to the Russian Foreign Intelligence Service, which exploited Orion as part of a “broad-scope cyber espionage campaign” that raised concerns for U.S. national security and public safety.[2]
Following the compromise, in March 2022, the SEC proposed new disclosure rules for public companies on cybersecurity risk management, strategy, governance, and incident exposure. In doing so, the SEC expressed heightened concern that cybersecurity incidents can have systemic effects on the U.S. economy and national security, and that the nature and quality of companies’ disclosure of cybersecurity risks and incidents varied widely. In July 2023, the SEC adopted the new rules, as discussed in our earlier Memorandum to Clients, requiring companies to disclose material cybersecurity incidents on Form 8-K and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
THE COMPLAINT
1. Securities Fraud
The Complaint alleges that SolarWinds and its CISO understood that cybersecurity was material to SolarWinds’ ability to obtain and retain business and that their public statements about the company’s cybersecurity practices and risks, including in SEC filings, “painted a starkly different picture” from their internal communications and assessments of those matters.[3]
a. Website “Security Statement”
According to the SEC, SolarWinds’ website included a “Security Statement” in which the company touted its commitment to security and claimed to follow four “well-recognized cybersecurity practices”[4]:
- Compliance with the National Institute of Standards and Technology Cybersecurity Framework Section 800.53 (“NIST Controls”). The NIST Controls are a catalog of security controls published by NIST and intended for use by companies in a flexible and customizable fashion to manage According to the SEC, contrary to the company’s claim to comply with the NIST Controls, assessments shared with the CISO showed in September 2019 that SolarWinds had a process in place for only 21 of the 325 NIST Controls, and in January 2021 that only approximately 40% of the controls were met or partially met.
- Utilization of a “secure development lifecycle” (“SDL”). SDL is a software production methodology designed to create secure software using industry best practices. According to the SEC, contrary to the company’s claim and policy to follow an SDL, SolarWinds and the CISO knew the company did not follow the SDL for components of Orion; did not incorporate parts of the SDL in software development, including threat modeling and certain pre-release security testing; and did not routinely measure or enforce compliance with SDL requirements. The Complaint also highlights employee emails to the SolarWinds Chief Information Officer (“CIO”) in 2018 stating that the company did not adhere to the SDL as described in its Security Statement but would work to begin to do so.
- Having strong password protection. According to the SEC, contrary to the company’s claim to require complex passwords across information systems, applications and databases, a 2018 internal audit found that critical systems did not comply with password policies and used and stored passwords in a highly insecure fashion, and a 2019 assessment found that zero of 27 NIST Controls for “identification and authentication” were in place.[5] In 2019, a third party alerted SolarWinds that a password to a critical server was publicly available and could be used to infect SolarWinds software updates, and in 2020, the CISO highlighted serious password deficiencies in a presentation to senior executives.[6]
- Maintaining strong access controls. According to the SEC, contrary to the company’s claim to enforce a system of “least privilege” that minimized employees’ ability to access sensitive data, the SolarWinds CIO and (at times) CISO were informed repeatedly that the company did not follow a system of “least privilege”; of the 43 NIST Controls that are access controls, the company had only two in place;[7] and the CISO informed senior executives in presentations in 2019 and 2020 that access controls for critical systems and data were “inappropriate” and reflected significant deficiencies.[8] Significantly, the Complaint also asserts that in August 2018, a company engineer urgently alerted the CISO and others of a critical software vulnerability in SolarWinds’ virtual private network (“VPN”) by which an external party could log into the company’s network through an unmanaged device, access and upload malicious code, remove sensitive data, and remain on the network without detection.[9] According to the Complaint, the CISO did not address or escalate the problem, which the engineer raised again to him in 2020, by which time Russian hackers had already secretly exploited the vulnerability. Specifically, the Complaint alleges that in January 2019, these actors accessed SolarWinds’ network from an unmanaged device, elevated access privileges, disabled antivirus software, stole computer code and over 7 million emails from more than 70 employees over a period of months, monitored communications, spent months doing reconnaissance, conducted a trial run of the attack by successfully inserting non-malicious code into Orion, and then spent months inserting malicious code into Orion, all while remaining undetected.[10]
As to each of the four categories listed above, the Complaint alleges that a reasonable investor would have wanted to know the “true state” of SolarWinds’ security and that the company and CISO knew, or were reckless and negligent in not knowing, that the claims in the Security Statement were materially false and misleading and omitted material facts. The Complaint also alleges that the materiality of the company’s deficiencies in each of the four categories was heightened by the existence of the other deficiencies.
b. Press Releases, Blog Posts, and Podcasts
The Complaint alleges that SolarWinds and its CISO made false and misleading statements about the company’s cybersecurity practices and commitment to cybersecurity in press releases, blog posts and podcasts. Among others, the Complaint cites a blog post in which the CISO stated that SolarWinds “places a premium on the security of its products and makes sure everything is backed by sound security processes, procedures and standards,” and press releases that quoted the CISO in asserting SolarWinds’ “commitment to high security standards” and “to helping [customers’] IT and security teams by equipping them with powerful, affordable solutions.” The Complaint alleges that the CISO was the maker of these statements.[11]
According to the SEC, contrary to these statements, and in addition to the deficiencies identified above, SolarWinds had “a pervasive cybersecurity problem” and “culture that did not take cybersecurity issues with sufficient seriousness.”[12] The Complaint notes that during the same month as the company’s 2018 IPO, the CISO expressed serious concern to the CIO about the company’s overall security, and that information security employees expressed disgust and joked in instant messages about the company’s poor cybersecurity posture.[13]
c. Risk Factors Disclosure in the Company’s Form S-1 and Periodic Reports
The Complaint recounts the four-paragraph-long cybersecurity risk factor disclosure that SolarWinds included in its October 2018 Form S-1 and repeated thereafter in each of its quarterly and annual SEC reports leading up to its disclosure of the compromise in December 2020.[14] The Complaint alleges that while the disclosure recounted the “generic and hypothetical” cybersecurity risks and harms “that most companies face,” it “did nothing to alert investors to the elevated risks that existed at SolarWinds” as identified internally at the time.[15] For example, the Complaint notes that in the same month as the IPO, the CISO warned the CIO in a presentation that SolarWinds’ security was “in a very vulnerable state” with respect to “critical assets,” the compromise of which “could cause a major event.”[16] The Complaint alleges that a reasonable investor would have wanted to understand the “known significance” of the company’s vulnerabilities and risk of cyberattack, which had “particular significance” given the importance of cybersecurity to SolarWinds’ business.[17] In addition, the Complaint alleges that the false and misleading nature of the company’s risk factor disclosure became worse over time in light of “accumulating red flags” including:
- In the first half of 2020, nine managed service providers (“MSPs”) that used SolarWinds products to provide network management services to others suffered attacks through those products in a manner that suggested that SolarWinds may have been compromised. The CISO also expressed concern to the CIO and CTO that malicious actors appeared to have a high degree of familiarity with the products. The company investigated but was unable to draw any conclusions. According to the SEC, these attacks on the MSPs were material because SolarWinds identified the MSP products as part of its “crown jewels”.[18]
- In June 2020, a U.S. government agency (“Agency A”) notified SolarWinds of malicious activity by Orion, and asked SolarWinds to investigate. SolarWinds conducted an internal investigation, failing again to discover the root cause of the problem but identifying evidence that a threat actor had conducted reconnaissance on the Orion platform since at least mid-2019. The CISO described the incident internally as “very concerning,” including because SolarWinds’ systems “are not that resilient.”[19]
- SolarWinds’ internal investigation of the Agency A attack uncovered many longstanding vulnerabilities in Orion, and engineering personnel made clear to the CISO and others that they lacked the capacity to resolve them as a result of inadequate SolarWinds also subsequently learned through the company’s “bug bounty” program of at least eight other high-risk vulnerabilities affecting Orion, including some described by employees internally as “the most serious form” of vulnerability.[20]
- In October 2020, a cybersecurity firm notified SolarWinds about malicious activity by Orion. SolarWinds employees, including the CISO, recognized the similarity between the incident and the attack on Agency A. According to the Complaint, SolarWinds again failed to conduct a sufficient investigation. Further, when asked by the cybersecurity firm whether Orion had ever experienced a similar issue, an employee falsely claimed it had not; the employee then informed a colleague that he had just lied to the cybersecurity firm.[21]
The Complaint alleges that SolarWinds’ failure to disclose the attacks and vulnerabilities was part of “an overall scheme to conceal both the problems with Orion specifically, and the overall poor state of SolarWinds’ cybersecurity.”[22] The Complaint further alleges that based on the company’s cybersecurity failures, quarterly sub-certifications signed by the CISO were false in attesting that internal controls over financial reporting that pertained to security were adequately designed and performed to provide reasonable assurance that SolarWinds’ financial reporting was reliable and that its financial statements were prepared in accordance with generally accepted accounting principles.
d. Form 8-K Disclosure of the 2020 Cyberattack
The Complaint notes that after a second cybersecurity firm was attacked, leading it to uncover and notify SolarWinds of the compromise, SolarWinds disclosed the compromise in a Form 8-K that stated, in part, that the company[23]:
- had “been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.”[24]
- hired third-party cybersecurity experts to assist in an investigation, including of “whether a vulnerability in the Orion monitoring products was exploited as a point of any infiltration of any customer systems.”[25]
- was “still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited” in any reported attacks.[26]
The Complaint alleges that these statements were false and misleading in characterizing the impact of the compromise as theoretical or hypothetical, when in fact, according to the SEC, the company and CISO knew that the vulnerability “definitively allowed” the attacker to compromise servers running Orion, and had been successfully exploited as a point of exfiltration at Agency A and the two cybersecurity firms.[27] The Complaint alleges that the CISO participated in drafting the Form 8-K and (among other employees) either knew, or was reckless in not knowing, that it included materially false and misleading statements.[28] The Complaint notes that SolarWinds’ stock price declined more than 16% the day of the announcement, at least another 8% the following day, and a total of 35% below its pre-disclosure price as additional information about the attack and the company’s cybersecurity issues became public that month.[29]
Based on the allegedly materially false and misleading statements and material omissions set forth above, the SEC alleges that SolarWinds and its CISO committed securities fraud in violation of Section 17(a) of the Securities Act, Section 10(b) of the Exchange Act, and Rule 10b-5 promulgated thereunder, and failed to file accurate and complete information in the company’s annual, quarterly, and current reports in violation of Section 13(a) of the Exchange Act and Exchange Act Rules 12b-20 and 13a-1, 13a-11, and 13a-13 promulgated thereunder.
2. Internal Accounting Controls
The Complaint alleges that SolarWinds failed to maintain a system of internal accounting controls sufficient to provide reasonable assurances that access to company assets was permitted only in accordance with management’s general or specific authorization, in violation of Section 13(b)(2)(B) of the Exchange Act, and that the CISO aided and abetted the violation. The Complaint notes that to fulfill its responsibilities, the company was required to develop reasonable safeguards against unauthorized access to company assets by designing and maintaining reasonable controls to prevent and detect unauthorized access to, or use of, its assets. The Complaint alleges that “SolarWinds’ information technology network environment, source code, and products were among the Company’s most critical assets,” and that SolarWinds recognized the importance of these assets.[30] The Complaint also alleges that SolarWinds assessed the effectiveness of its internal controls over financial reporting using the widely accepted “COSO Framework”; that under the COSO Framework, SolarWinds chose to use the NIST Controls to conduct assessments; and that SolarWinds had no program in place for a majority of the NIST Controls and otherwise assessed itself to be performing poorly on multiple, critical NIST Controls, including with respect to password and access controls and the failure to apply the SDL to certain products.[31] The SEC also alleges that SolarWinds failed to use or document a list of controls in connection with certifications by company officials.
3. Disclosure Controls and Procedures
The Complaint alleges that SolarWinds’ disclosure controls and procedures were insufficient to ensure that information required to be disclosed was accumulated and communicated to management to allow for timely disclosure decisions, in violation of Exchange Act Rule 13a-15(a), and that the CISO aided and abetted the company’s violation. Specifically, the Complaint alleges that the company’s incident response plan classified risks based on impact to customers, and only incidents that impacted multiple customers were reported upward to management responsible for disclosure. As a result, the Complaint alleges, potentially material cybersecurity issues were not reported, including (a) the VPN vulnerability the company identified; (b) the attacks against Agency A and the first cybersecurity firm, which the company treated as separate even though information security personnel had linked them; and (c) following revelation of the compromise, the fact that the vulnerability had previously been exploited against Agency A and the two cybersecurity firms.
IMPLICATIONS
The SolarWinds action represents a significant expansion of the SEC’s enforcement efforts in cybersecurity. While the SEC has expressed heightened focus in recent years on disclosure controls and procedures and risk factor disclosures concerning cybersecurity, the SEC has not previously charged a company with scienter-based securities fraud in violation of Section 10(b) of the Exchange Act and Rule 10b-5 or a violation of the internal accounting controls provisions of the Exchange Act based on alleged cybersecurity failings, and it has never before charged a company’s CISO in connection with the company’s allegedly false statements and control failures concerning cybersecurity. These novel charging decisions, and other allegations in the Complaint, have important implications for public companies and their executives with oversight responsibility for cybersecurity.
1. RISK FACTORS AND DISCLOSURE CONTROLS AND PROCEDURES
The action reflects the SEC’s increasingly aggressive approach to assessing materiality and risk factor disclosures in the cybersecurity context. The SEC brought similar claims against Facebook in 2019 for describing the risk of misuse of user data as hypothetical when the company was aware that a third party had misused 30 million users’ data,[32] and against Pearson plc in 2021 for describing the risk of a material breach as hypothetical when the company had recently experienced a breach that compromised the personal information of 10 million children.[33] In those cases, however, the companies knew they had experienced serious cybersecurity incidents, making it relatively easier for the SEC to argue that they knew that cybersecurity risks they had described as hypothetical had actually materialized. By contrast, in the Complaint, the SEC alleges that many of the company’s risk factor disclosures and other public statements were materially false and misleading based solely on the company’s alleged knowledge of internal deficiencies that had not, as of the time the statements were made, resulted in any cybersecurity incident.
It is also significant that the SEC alleges that each of the company’s multiple alleged deficiencies in cybersecurity (including with respect to compliance with the NIST framework, SDL processes, and password and access controls policies and standards) rendered its public statements materially false and misleading. In this case, each of the deficiencies, standing alone, was serious and recognized as such by the company, as alleged by the SEC. But all companies have cybersecurity deficiencies to some degree, even if less serious than any of those alleged in the Complaint, including commonly with respect to passwords, access controls, and/or cybersecurity controls compared to NIST and other control frameworks. It can be challenging to assess the significance of more typical, less serious cybersecurity deficiencies, either individually or in their totality, and to determine which deficiencies may require escalation to management responsible for disclosure decisions. Companies should review their disclosure controls and procedures to ensure that they include mechanisms for the escalation of cybersecurity deficiencies (including as to weaknesses or risks, apart from incidents), including to disclosure committees, in appropriate circumstances.
Companies should also take note of the SEC’s position that the combination of allegedly serious cybersecurity weaknesses, as well as “accumulating red flags,” enhanced the alleged materiality of the company’s statements. Companies should be mindful in assessing their cybersecurity programs and disclosures that, as in the Complaint, regulators frequently emphasize the importance of considering cybersecurity risks and incidents holistically and not only in isolation.
2. INTERNAL CONTROL OVER FINANCIAL REPORTING
The Complaint asserts that SolarWinds’ information systems, source code and products were “critical assets,” and in doing so, appears to make the novel claim that these were “assets” for purposes of the internal accounting controls provisions of the Exchange Act. Relatedly, the Complaint also asserts that SolarWinds had ineffective internal control over financial reporting because the company did not adequately implement and comply with the NIST Controls; as an example, it notes that SolarWinds did not follow its SDL to develop software products securely. Both assertions are novel and have implications for companies as they consider their frameworks for internal control over financial reporting. While certain cybersecurity controls may currently be considered within those frameworks (for example, because they may affect the reliability of financial reporting), others may not. In support of its assertions, the SEC notes that the COSO Framework emphasizes internal controls over technology, and that under the COSO Framework, SolarWinds used the NIST Controls to conduct assessments, but the COSO Framework applies broadly to financial and non-financial controls, and not only to internal control over financial reporting. Furthermore, the SEC does not explain why controls to ensure the security of products sold by the company would be expected to be part of the company’s internal controls to ensure the reliability of its financial reporting. While it remains to be seen whether the SEC’s claim survives a legal challenge, companies should take note of the SEC’s expansive interpretation of the accounting control provision as they consider the scope of their internal control over financial reporting.
3. ACTION AGAINST CISO
The SEC’s unprecedented decision to charge the SolarWinds CISO represents a significant escalation in the SEC’s enforcement approach in cybersecurity. While the former CISO of Uber was charged criminally in connection with a data breach, the evidence presented at his trial in 2022 showed that he had changed company procedures, concealed facts from others internally, altered documents, drafted knowingly false statements, and lied to a federal agency to hide that the breach occurred shortly after he told the agency that measures he had instituted would prevent that type of breach from occurring. By contrast, the Complaint alleges little to suggest that the SolarWinds CISO lied to or misled anyone within the company, or that he had a motive to conceal cybersecurity concerns. In fact, the Complaint reflects that the CISO alerted the CIO and others to significant cybersecurity concerns, at least some of which these executives then escalated to the CEO.
While the SEC does not state directly why it has chosen to single out the CISO, it alleges that the CISO failed to escalate or address the critical VPN vulnerability that was brought to his attention on at least two occasions. But the SEC does not allege that the failure was deliberate and, as noted, it alleges that the CISO raised serious cybersecurity concerns more generally to other executives. With respect to his public statements, the SEC alleges that the CISO lied about the company’s security in blogs, podcasts, and company press releases, but many of the cited statements appear to be relatively generic commitments to security and improving security (e.g., “SolarWinds is committed to helping [customers]…by equipping them with powerful [products],” and “we always strive to improve upon [privacy and security] in all we do”). The Second Circuit has repeatedly found that general and aspirational statements by companies and their executives are inactionable under the securities laws, and it is unclear whether or to what extent the SEC’s allegations would survive a motion to dismiss. Nonetheless, the allegations are significant to consider as companies and their executives frame their public statements concerning the company’s information security.
The SEC also alleges the CISO signed sub-certifications attesting falsely to the adequacy of cybersecurity controls as part of the company’s internal controls over financial reporting, but as set forth above, the SEC does so based on a novel and expansive interpretation of “assets” under the internal accounting controls provisions of the Exchange Act.
Finally, the SEC appears to single out the CISO based in part on its allegation that it was the CISO who was responsible for the company’s cybersecurity. In practice, however, it is not uncommon for significant cybersecurity deficiencies to stem from insufficient attention and prioritization of cybersecurity by other areas of the company. Regulators regularly underscore this point by describing cybersecurity as a whole-of-company risk, not merely an information technology risk, and the SEC’s own new disclosure rules incorporate the concept by requiring enhanced disclosure on the role of management and the board in overseeing cybersecurity. Thus, apart from the question whether the facts justify the SEC singling out the SolarWinds CISO, companies should remain mindful of the role of senior management outside of information security in the company’s cybersecurity risk management.
As companies and executives consider the implications of the SEC’s claims against the SolarWinds CISO, several other observations may be useful:
- The Complaint notes repeated instances in which clearly serious cybersecurity incidents, including the attack against Agency A and a cybersecurity firm through Orion, were not escalated to personnel responsible for disclosure decisions because of the narrow scope of incidents to be escalated under the company’s incident response plan. Companies should consider whether their incident response plans ensure that potentially significant incidents are appropriately escalated, including by involving counsel early enough in the assessment of whether a matter may require escalation or raise legal issues.
- The Complaint describes multiple internal investigations conducted by the company into cybersecurity issues that went unresolved and thus enabled serious problems to remain The Complaint does not indicate whether external cybersecurity experts or external counsel were involved in these investigations, but involving these external parties may be important to the company’s ability to identify and escalate the relevant facts and issues.
- Companies should consider and review the procedures they have in place to log, address, and escalate serious vulnerabilities and weaknesses, and gaps or failings in plans to remediate those vulnerabilities and weaknesses.
4. SCIENTER-BASED FRAUD CHARGE
This is the first action in which the SEC has charged a company with scienter-based securities fraud under Rule 10b-5 of the Exchange Act stemming from alleged cybersecurity failings. The charge appears to signal a more aggressive posture by the SEC in cyber enforcement, although it is worth noting that unlike the charges in the Complaint, the prior charges were the result of negotiated resolutions that were reflected in agreed-upon consent orders, which generally may result in less aggressive charges than those asserted in a litigated action.
5. FORM 8-K FILINGS
The SEC’s allegations of deficiencies in SolarWinds’ Form 8-K come a few months after the SEC’s adoption of new rules requiring disclosure of material cybersecurity incidents on Form 8-K within four business days, as detailed in our earlier Memorandum to Clients. Determining the nature, scope, and material impact, or reasonably likely material impact, of an incident, and adequately and accurately disclosing those facts, within the SEC’s prescriptive four-day deadline may be challenging for companies depending on the circumstances. Companies should make sure their disclosure controls and procedures involve the right personnel, including legal personnel, in assessing potentially significant cybersecurity incidents on an accelerated timeline.
Footnotes
[1] The full complaint is available at https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf.
[2] Press Release, White House, Background Press Call by Senior Administration Officials on Russia (Apr. 15, 2021), available at https://www.whitehouse.gov/briefing-room/press-briefings/2021/04/15/background-press-call-by-senior-administration-officials-on-russia/.
[3] Complaint at ¶ 1.
[4] Complaint at ¶ 45.
[5] Complaint at ¶ 82.
[6] Complaint at ¶¶ 83–84.
[7] Complaint at 26–30.
[8] Complaint at ¶ 97.
[9] Complaint at 30–33.
[10] Complaint at 42–44.
[11] Complaint at 34–35.
[12] Complaint at ¶ 119.
[13] Complaint at ¶¶ 120–124.
[14] Complaint at 38–39.
[15] Complaint at ¶ 132.
[16] Complaint at ¶ 120.
[17] Complaint at 40–41.
[18] Complaint at ¶ 152.
[19] Complaint at ¶¶ 154–156.
[20] Complaint at ¶ 171.
[21] Complaint at ¶¶ 160–163.
[22] Complaint at ¶ 165.
[23] SolarWinds Corp., Current Report (Form 8-K) (Dec. 14, 2020) (“Form 8-K”), available at https://www.sec.gov/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm.
[24] Complaint at ¶ 187 (emphasis added).
[25] Complaint at ¶ 188 (emphasis added).
[26] Complaint at ¶ 189 (emphasis added).
[27] Complaint at ¶ 190.
[28] Complaint at ¶ 191.
[29] Complaint at ¶ 193.
[30] Complaint at ¶ 195.
[31] Complaint at ¶¶ 196–197.
[32] Press Release, Securities and Exchange Commission, Facebook to Pay $100 Million for Misleading Investors About the Risks It Faced From Misuse of User Data (July 24, 2019), available at https://www.sec.gov/news/press-release/2019-140.
[33] See our publication, dated August 18, 2021, available at https://www.sullcrom.com/SullivanCromwell/_Assets/PDFs/Memos/sc-publication-SEC-brings-cybersecurity-charges-against-issuer.pdf.
Nicole Friedlander, Anthony J. Lewis, and Robert W. Reeder are Partners and John B. Sarlitto, Michael S. Drell, and Paulena B. Prager are Associates at Sullivan & Cromwell LLP. This post first appeared on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).