The SEC’s Enforcement Action Against SolarWinds Underscores Growing Scrutiny Over Cybersecurity Internal Controls, Reporting and Disclosures

by John F. Savarese, Wayne M. Carlin, and Carmen X. W. Lu 

From left to right: John F. Savarese, Wayne M. Carlin, and Carmen X. W. Lu. (Photos courtesy of Wachtell, Lipton, Rosen & Katz).

Recently, the SEC filed a complaint against SolarWinds and its chief information security officer for fraud and internal control failures relating to the company’s cybersecurity risk and incident disclosures. The complaint alleges, among other things, that SolarWinds repeatedly overstated the strength of its cybersecurity risk management practices in its public documents and knowingly concealed critical vulnerabilities affecting its key product and business. We see four important takeaways from the allegations set forth in the SEC complaint, which are being contested by the defendants:

First, statements that overstate the strength of cybersecurity practices may constitute material misstatements in violation of federal securities laws even in the absence of a material cybersecurity incident. Materially false statements may include those relating to (1) compliance with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, (2) the use of a secure development lifecycle when creating software for customers, (3) the strength of password protections, and (4) access controls. This is particularly the case for companies whose primary line of business is cybersecurity products and where key products are installed on the networks of other companies. 

Second, “generic and hypothetical” disclosures that fail to address known risks and otherwise conceal poor cybersecurity practices may also constitute material misstatements, particularly if such disclosures are made in the face of known ongoing problems and where internal risk assessments had identified specific risks and vulnerabilities. In its complaint, the SEC alleged that “[e]ven if some of the individual risks and incidents . . . did not rise to the level of requiring disclosure on their own, at least collectively they created such an increased risk to SolarWinds that failure to disclose their collective impact . . . rendered the risk disclosures that SolarWinds made materially misleading.”

Third, a company may have an obligation to disclose “red flags” and warning signs of a potential cyberattack, including discovery of serious vulnerabilities, evidence of threat actors accessing the company’s network or evidence that the company was facing increased cybersecurity issues, particularly if such attacks impact the company’s key businesses. The SEC complaint alleged that SolarWinds’ failure to disclose its changing risk profile in the several months leading up to the 2020 Sunburst attack (which impacted an estimated 18,000 SolarWinds customers, including several U.S. government agencies) rendered its periodic reports materially misleading. 

Finally, inadequate internal controls and key person reporting dependencies may in and of themselves be a key cybersecurity vulnerability. In particular, the SEC asserted that SolarWinds’ incident response plan escalated incidents only if they had an impact on multiple customers. As a result, several incidents that had the potential for broader significance, including vulnerabilities that facilitated the Sunburst attack, were not shared with executives responsible for disclosures. The SEC also alleged that the chief information security officer failed to elevate various security concerns to senior corporate management. This allegation highlights the importance of companies taking steps designed to assure that such reporting does occur. 

It of course remains to be seen whether the SEC will succeed in proving its claims. But, in the meantime, the complaint provides a timely reminder that companies should not only stay abreast of best practices on cybersecurity risk management processes but also actively seek to ensure that such practices and processes are being properly implemented throughout the organization and that known risks, vulnerabilities and incidents—including those that may have the potential to result in a material cyber incident—are reported to senior executives and the board. 

This need to ensure that systems, controls and policies are aligned with best practices is made more urgent by the fact that all companies are now also preparing to comply with the SEC’s new cybersecurity reporting requirements. 

John F. Savarese and Wayne M. Carlin are Partners and Carmen X. W. Lu is Counsel at Wachtell, Lipton, Rosen & Katz. The post was first distributed as a memo by the firm. 

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).