WMHW Alert: SEC Charges Four Companies Over SolarWinds Hack Cyber Disclosures
October 24, 2024
By Barry Rashkover, Paul Ryan, and Mary Diaz
On October 22, 2024, the Securities and Exchange Commission (“SEC”) charged four technology companies with making inadequate disclosures related to the December 2020 discovery that SolarWinds Corp. had been the victim of a large-scale cyberattack believed to have been conducted by state-sponsored Russian hackers. According to the SEC’s October 22, 2024 press release, during 2020 and 2021 these four companies learned “that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.”[1] The SEC’s cases, charging violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Exchange Act, and Rules 12b-20 and 13a-13 thereunder, are the first against users of the impacted SolarWinds product. They represent a somewhat controversial set of enforcement actions in the SEC’s rocky response to the SolarWinds hack.
The SEC’s Four Enforcement Actions
The SEC found that the four companies negligently minimized, in their public disclosures, the serious cybersecurity incidents carried out by the threat actor behind the SolarWinds Orion hack. In findings that the companies neither admitted nor denied, the SEC concluded that:
- One of the four respondents, a global provider of digital communications products and services, negligently made materially misleading statements to investors when it knew the threat actor had accessed at least 145 files in its cloud file-sharing environment, but understated the threat, stating that the actor accessed a “limited number of [the] Company’s email messages;”
- Another of the companies, a global provider of technical and enterprise information technology services and solutions to large commercial enterprises and public sector entities, described its risks from the cybersecurity events as hypothetical despite knowing that it had experienced two intrusions involving exfiltration of gigabytes of data;
- A third company, a provider of products and services for information technology security, knew of the SolarWinds cyber intrusion but described the intrusions and risks generically and omitted new and material cybersecurity risks arising out of the compromise; and
- The remaining respondent, a provider of cloud security and risk management services for email and corporate information, minimized the cyberattack by failing to disclose the nature of the source code the threat actor downloaded and the actual quantity of encrypted credentials the threat actor accessed.[2]
While implying that the four companies may have been cyberattack victims, Sanjay Wadhwa, the Acting Director of the SEC’s Division of Enforcement, placed the onus on the companies to curb additional victims, stating that “…while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”[3] The SEC also warned against disclosure “half-truths.” Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, noted that “[i]n two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”[4]
Each company agreed to cease and desist from future violations of the charged provisions and to pay civil money penalties for downplaying the significance of their cyberattacks: One company will pay $4 million, another $1 million, a third $995,000, and the fourth $990,000.[5] The SEC noted that the companies voluntarily cooperated during the investigation, conducted their own internal investigation which they shared with the SEC, and enhanced their cybersecurity controls.[6]
Key Takeaways
The SEC Continues to Prioritize Cybersecurity. These settlements and recent SEC actions reflect the SEC’s priority and focus on public companies’ cybersecurity disclosures. On October 21, 2024, the SEC Division of Examinations announced that it would focus on cybersecurity in its 2025 examination program priorities for investment advisers, broker-dealers, and other SEC registrants.[7] In July 2023, the SEC adopted a rule that requires public companies to disclose material cybersecurity incidents on their Form 8-K within four business days of determining an incident is material.[8]
Continued Commission Divide. Marking continued division within the SEC over certain enforcement responses, Republican Commissioners Hester Peirce and Mark Uyeda issued a separate statement disagreeing with these four SolarWinds-related enforcement actions. Commissioners Peirce and Uyeda disagreed with the severity of the charges and suggested that the Commission was playing “Monday morning quarterback.”[9] In their separate statement, Commissioners Peirce and Uyeda noted that the SEC’s orders incorrectly emphasized the lack of details regarding the incident, when in fact the 2023 cybersecurity rule requires that disclosures focus primarily on the impacts of the incident rather than on details regarding the incident, which do not need to be disclosed. Commissioners Peirce and Uyeda took issue with the Commission’s focus on “details” in the disclosures as opposed to “the larger picture of the effects of the incident,” finding that “[b]y calling for disclosure of specific percentages and types of source code, the Commission ignores the reasonable investor standard embedded within the materiality concept and the types of information that such investor would consider important in making an investment decision.”[10] Commissioners Peirce and Uyeda warned that the enforcement actions may have the practical effect of encouraging immaterial disclosures, undermining the benefits and rationale behind the 2023 cybersecurity rule.[11]
These same Commissioners also recently objected to the penalties and undertakings in the SEC’s off-channel communication cases, urging their colleagues at the SEC to reconsider their current approach to the off-channel communications issue, as “even well-intentioned firms could find themselves in the Commission’s enforcement queue time and again.”[12]
SolarWinds Mixed Results. In litigation against SolarWinds itself, the SEC has had mixed results. Previously, on October 30, 2023, the SEC filed a complaint in the Southern District of New York against SolarWinds and its Chief Information Security Officer, Timothy Brown.[13] The SEC alleged that they violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, as well as the reporting, internal accounting control, and disclosure controls provisions of the Exchange Act, by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known cybersecurity risks from SolarWinds’ 2020 cyberattack, thereby defrauding investors and customers. The SEC also alleged that Brown aided and abetted the Company’s violations. On July 18, 2024, New York federal Judge Paul Engelmayer dismissed most of the SEC’s claims against SolarWinds, allowing the SEC to move forward only with its claim that SolarWinds committed securities fraud through misrepresentations on the Company’s website (the security statement) regarding cybersecurity vulnerabilities, which the judge considered material to users and investors of the SolarWinds products.[14] In their separate statement, Commissioners Peirce and Uyeda said that the enforcement actions against the four companies using the SolarWinds product “merit cautious consideration” in light of Judge Engelmayer’s ruling.
Disclaimer
These materials contain attorney advertising. Prior results do not guarantee a similar outcome and results depend upon a variety of factors unique to each circumstance. WMHW provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice, or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.
[1] SEC Press Release No. 2024-174 (Oct. 22, 2024) (“October 22 Press Release”), at https://www.sec.gov/newsroom/press-releases/2024-174
[2] See In the Matter of Avaya Holdings Corp., Exchange Act Release No. 101398 (Oct. 22, 2024); In the Matter of Unisys Corp., Exchange Act Release No. 101401 (Oct. 22, 2024); In the Matter of Check Point Software Technologies Ltd., Exchange Act Release No. 101399 (Oct. 22, 2024); In the Matter of Mimecast Ltd., Exchange Act Release No. 101400 (Oct. 22, 2024).
[3] October 22 Press Release.
[4] Id.
[5] Id.
[6] See supra note 2.
[7] SEC Press Release No. 2024-172 (Oct. 21, 2024), at https://www.sec.gov/newsroom/press-releases/2024-172
[8] SEC Final Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, at https://www.sec.gov/files/rules/final/2023/33-11216.pdf
[9] Statement Regarding Administrative Proceedings Against SolarWinds Customers, U.S. Securities and Exchange Commission, at https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-solarwinds-102224
[10] Id.
[11] Id.
[12] A Catalyst: Statement on Qatalyst Partners LP, U.S. Securities and Exchange Commission, at https://www.sec.gov/newsroom/speeches-statements/statement-peirce-uyeda-qatalyst-09242024
[13] Sec. & Exch. Comm’n v. SolarWinds Corp., No. 23 CIV. 9518 (PAE), 2024 WL 3461952 (S.D.N.Y. July 18, 2024).
[14] Id.