Editor’s Note: PCCE has been watching the developments in the SEC’s enforcement action against SolarWinds and its CISO over allegedly misleading disclosures and controls failures related to the compromise of its Orion product by putative Russian hackers. In this post, cybersecurity experts and lawyers discuss the recent decision by U.S. District Judge Paul Engelmayer to dismiss most of the SEC’s claims in the case.
Reverberations from the SEC’s Enforcement Action in the CISO Community
by Randal Milch
The SEC’s fraud complaint against SolarWinds and Tim Brown reverberated throughout the CISO community. Some commenters suggested significant changes to the CISO’s corporate position – mandatory D&O insurance, access to the Board of Directors, enhanced severance provisions – as an antidote to being “scapegoated” for security failures. Experts with a broad reach in the CISO community, such as Ed Amoroso, cataloged what CISOs see as the negative security effects of the SEC’s decision to go after Brown personally: decreased information flow as the entire security apparatus seeks to avoid liability over a “poorly worded email,” more meetings with lawyers and regulators that distract from the CISO’s real work, and warnings to younger security practitioners to “stay away from the CISO position.”
It is too early to tell whether the dismissal of nearly all of the SEC’s charges will be received as a real measure of relief by CISOs. I think there is positive news for the CISO community even as to the SEC’s much-reduced theory of liability that survives the motion to dismiss.
SolarWinds’ and Brown’s alleged frauds now rest solely on the “Security Statement” that SolarWinds published on the “Trust Center” of its public-facing website in late 2017. Judge Engelmayer allowed these claims to go forward because the SEC plausibly pleaded that (i) Brown was principally responsible for the content of the Statement; (ii) the Statement informed the investing public that SolarWinds was effectively mitigating the risk of cyber-attack; (iii) there were large and negative discrepancies between the published security policies and the true state of security at SolarWinds, of which Brown and SolarWinds were aware and which would be material to investors; and (iv) the Statement remained on the SolarWinds public website, unchanged, for years despite these discrepancies.
Why is this good news? Unlike the rest of the dismissed allegations pertaining to SEC filings, and policies and controls outside the CISO’s authority, the remaining alleged CISO liability is of a sort that could be addressed by the CISO herself. A CISO could, for instance, follow this rule: don’t publish statements to the public touting your company’s cybersecurity policies unless you are sure they are accurate, and you are willing to adjust these public statements to keep them accurate. Of course this is a burden, but not an unfair one. There is no reason CISOs should be shielded – unlike other senior executives – from the consequences of making material misstatements to the investing public.
The SEC’s remaining allegations against SolarWinds and Brown remain just that – allegations. We don’t know how the litigation will unfold in the coming months. We can hope, however, that CISOs will now feel like they can safely turn their full attention to their critical jobs.
Randal Milch is Co-Chair of the NYU Center for Cybersecurity, a Distinguished Fellow at the Reiss Center on Law and Security, a Professor of Practice at NYU School of Law, and the Faculty Co-Director of the MS in Cybersecurity Risk and Strategy Program. Formerly, he was the General Counsel of Verizon.
The CISO’s Dilemma
by Judy Titera
The dilemma of the CISO continues to evolve. Balancing a cybersecurity program against evolving security risks, the need for speed to market, talent challenges, supply chain management and a rapidly changing regulatory environment (to name just a few) is already a daunting task. On top of that, add the potential for personal liability of the CISO when the balancing act is not achieved to perfection. A key lesson is that the CISO must communicate often, and with extreme clarity, to executives and the board: to seek alignment on the company’s security program, its challenges and a risk-based approach, and to escalate the tensions that arise over critical funding and resources.
This case also reminds us of the age-old mantra “say what you do and do what you say,” whose importance cannot be overstated. Publicly facing statements can be found with an easy query and are easy to access, review and critique; it is therefore essential to ensure (yes, ensure) that these statements directly and accurately align with the company’s actual processes and controls. Next steps for security teams should include an exercise in reviewing all external security statements to confirm their accuracy. Additionally, it is prudent for the CISO to build a culture of trust in which all security team members feel safe to share concerns honestly, with evidence that action will be taken; this helps the CISO avoid blind spots and unexpected surprises.
Judy Titera is the former Chief Privacy Officer at USAA. Currently, she serves as Independent Director on the Mitsui Sumitomo Transverse Insurance board and audit committee, and is on the board, audit, finance & compliance, and nom/gov committees of Nemours Children’s Health.
Perspective and Context Are Critical
by James Haldin
A hopeful part of the court’s ruling was its dismissal of the SEC’s claims about post-breach disclosures. SolarWinds issued a Form 8-K two days after being alerted to the discovery of a vulnerability in its core Orion product which disclosed the SUNBURST attack. The SEC alleged that this disclosure was misleading because it omitted important details regarding the company’s understanding of the cyberattack. For instance, the SEC alleged that the company had already determined that the SUNBURST attack was linked to prior cyber vulnerabilities, yet the Form 8-K said that the company was still investigating the possible connections. Many commentators found the SEC’s theory to be troubling because it appeared that the SEC was second-guessing reasonable disclosure judgments made by SolarWinds in the aftermath of a fast-moving, complex cyber event.
The court rejected this after-the-fact criticism, emphasizing that the Form 8-K “captured the big picture.” In language that will be useful to companies in a range of disclosure contexts, the court said that “perspective and context are critical.” The disclosure was made when SolarWinds was in the “early stages of its investigation” and “when its understanding of [the] attack was evolving.” While the SEC was fixated on details that the company allegedly knew at the time, the court explained that SolarWinds “by any measure [had] bluntly reported brutally bad news for the company.”
The court’s decision is a reminder of first principles for companies evaluating post-attack disclosures—disclosures should include material information, and not every detail is material. Especially when events are fast-moving and facts are likely to change, the decision supports an emphasis on the big picture. The ruling is particularly timely as companies continue to adapt to the SEC’s new public company cybersecurity disclosure rules (effective December 2023), which require disclosure of material cybersecurity incidents. The decision will be a useful precedent for companies defending good-faith disclosure judgments in the aftermath of cyber incidents.
James Haldin is a Partner in the Cybersecurity & Privacy practice group at Davis Polk & Wardwell LLP. Rob Cohen and Fuad Rana, a Partner and Counsel at Davis Polk, respectively, also contributed to this post.
District Court Holds Cybersecurity Controls Are Not Internal Accounting Controls
by Alan Wilson and Matthew Beville
In a clear setback for the SEC, Judge Engelmayer’s SolarWinds decision held that a public company’s cybersecurity controls are not part of its “system of internal accounting controls” within the meaning of Section 13(b)(2)(B) of the Exchange Act. Rather, that provision is limited to controls designed to ensure the “accuracy and completeness of the financial information on which the issuer’s annual and quarterly reports rely.”[1] Accordingly, the court dismissed the SEC’s claim that SolarWinds’ allegedly defective cybersecurity controls violated Section 13(b)(2)(B).
Section 13(b)(2)(B) requires public companies to devise and maintain a system of internal accounting controls that provide reasonable assurances that transactions are executed in accordance with management authorization and appropriately recorded; that access to assets is permitted only in accordance with management authorization; and that asset records are reconciled against the company’s existing assets at reasonable intervals and appropriate action is taken with respect to any differences. Historically, this requirement was viewed as addressing a public company’s processes for preparing financial statements and other core accounting activities. However, over the last several years, the SEC has begun extending Section 13(b)(2)(B) beyond obvious financial accounting issues, such as to a company’s cybersecurity protocols and stock buybacks.[2] The SolarWinds decision upends that initiative and could limit the SEC’s ability to police public companies’ substantive cybersecurity practices. The decision may also signal broader headwinds for expansive interpretations of the SEC’s enforcement authority as courts feel more empowered to overrule agency action after the Supreme Court’s recent decision in Loper Bright.[3]
This risk can be seen in the different approaches taken by Judge Engelmayer in SolarWinds and the dissenting Commissioners in the SEC’s recent settled action against R.R. Donnelley & Sons Company. As it had alleged in SolarWinds, the SEC found that R.R. Donnelley implemented inadequate cybersecurity controls, allowing hackers to gain access to certain customer data. The SEC also found that this violated Section 13(b)(2)(B), as the hackers gained access to company assets without “management’s general or specific authorization.” Commissioners Peirce and Uyeda dissented, arguing that a company’s cybersecurity controls are not within the scope of Section 13(b)(2)(B), based on a nuanced and technical analysis of how the term “assets” is used in the accounting literature from which Section 13(b)(2)(B) was sourced.
While the SolarWinds court reached the same conclusion, it applied a different framework, focused on principles of statutory construction. Because the statute’s use of the term “system of internal accounting controls … cannot reasonably be interpreted to cover a company’s cybersecurity controls,” Section 13(b)(2)(B) cannot be extended to alleged deficiencies in a company’s cybersecurity program. The court only briefly cited the relevant accounting literature and did not expressly consider the SEC’s enforcement actions on the issue. This top-down, principles-based approach could give defendants stronger arguments to challenge novel applications of the securities laws, and could even create opportunities to attack existing theories of liability that are not firmly supported by the authorizing statute.
[1] SEC v. SolarWinds Corp., No. 23 Civ. 9518, 2024 WL 3461952 (S.D.N.Y. July 18, 2024).
[2] In the Matter of R.R. Donnelley & Sons Co., Exchange Act Release No. 100,365 (June 18, 2024), https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf; In the Matter of Charter Communications Inc., Exchange Act Release No. 98,923 (Nov. 14, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98923.pdf; In the Matter of Andeavor LLC, Exchange Act Release No. 90,208 (Oct. 15, 2020), https://www.sec.gov/files/litigation/admin/2020/34-90208.pdf.
[3] Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024).
Alan Wilson is a Partner and Matthew Beville is Special Counsel at Wilmer Cutler Pickering Hale and Dorr LLP. WilmerHale attorneys Stephanie Avakian, Meredith Cross, Daniel Schubert, Jonathan Wolfman, and Joe Brenner also contributed to this post.
Will the SDNY’s Decision in SolarWinds Tee Up a Post-Chevron Challenge to the SEC’s Final Rule on Cybersecurity?
by Elizabeth Roper and Jerome Tomas
Over the past year, we have seen the Securities and Exchange Commission take an aggressive stance with regard to its authority to regulate cybersecurity controls and breach notifications. Its most sweeping regulation in this space, the Final Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rule”), became effective late last year. The rule requires, among other things, that registrants disclose a cybersecurity incident to the SEC within four business days of determining that the incident is material. Registrants also must make specific annual filings with the SEC describing their processes for assessing, identifying, and managing material risks from cybersecurity threats. While the rule was criticized by some, including SEC Commissioner Hester Peirce, as an overly broad application of the SEC’s disclosure authority that is not sufficiently tethered to financial materiality, it was generally viewed as falling within the broad scope of the SEC’s rulemaking authority.
In a closely watched enforcement action predating the Final Rule, on July 18, 2024, Judge Paul Engelmayer of the Southern District of New York granted SolarWinds’s motion to dismiss the SEC’s complaint, which charged various violations of the Securities Exchange Act of 1934 based on alleged cybersecurity failings and misrepresentations, with regard to all but one of the charges. Notably, the court rejected the SEC’s argument that cybersecurity deficiencies can be charged as “internal accounting controls” violations under the Exchange Act, finding that the “system of internal accounting controls” referenced by the Exchange Act refers specifically to financial accounting, and that there is no evidence that Congress intended the statute to reach cybersecurity controls. While Judge Engelmayer’s decision will certainly constrain the agency’s ability to allege that poor cybersecurity practices constitute insufficient internal accounting controls under Section 13(b)(2)(B) of the Exchange Act, the SEC will likely contend that it does not affect actions brought under the now-effective Final Rule, including the requirement for issuers to describe their internal processes around cybersecurity risks.
The decision may, however, pave the way for a more significant challenge to the Final Rule in a post-Chevron world. The Supreme Court’s decision in Loper Bright Enterprises v. Raimondo ended decades of judicial deference to regulatory agencies’ determinations of their own authority and their interpretations of the statutes they administer. Like many regulations, the Final Rule relies on authority bestowed on the SEC by old statutes that did not contemplate cybersecurity as a relevant factor for businesses. Interestingly, in promulgating the Final Rule, the SEC did not specifically cite Chevron as a basis for its authority or for the regulatory deference it should receive (very few rules promulgated under the current administration have), which could give the SEC and other agencies not relying on Chevron a stronger case that their rulemaking authority should survive Loper Bright. However, the SEC received comments on the proposed cybersecurity disclosure rule stating that it lacked the statutory authority to promulgate cybersecurity disclosure rules, which the SEC addressed in the Final Rule by stating that Congressional grants of authority are intentionally broad and designed to give the SEC the power to institute new disclosure rules as new challenges and issues (like cybersecurity) arise. Without the benefit of Chevron deference, the Final Rule (and specifically its provisions about internal cybersecurity processes, which are only indirectly connected to financial risks) may be vulnerable to a more significant challenge than the SEC faced in SolarWinds.
Elizabeth Roper and Jerome Tomas are Partners at Baker & McKenzie. Roper is a former Bureau Chief of the Cybercrime and Identity Theft Bureau at the Manhattan District Attorney’s Office. Tomas is co-chair of the North America Government Enforcement Practice.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness or validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s), and any liability with regard to infringement of intellectual property rights remains with the author(s).