Undeterred By Recent Court Loss, SEC Charges Four Companies With Inadequate Cyber Disclosures In The Aftermath Of SolarWinds Breach
10/29/2024
On October 22, 2024, the SEC announced that it had entered into settlements with four separate companies for making allegedly misleading disclosures about how they were impacted by the SolarWinds data breach in 2019. The SEC’s approach to the SolarWinds data breach has already been recognized as very aggressive, and these actions, which elicited a pointed dissent from two Commissioners, will only further the debate. The companies at issue were each charged with violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act, and certain rules thereunder, and, without admitting or denying liability, agreed to pay civil monetary penalties ranging from $990,000 to $4 million.
The SolarWinds Action
As a reminder, the SEC filed charges in 2023 against SolarWinds Corporation, claiming fraud and internal and disclosure control failures relating to a large-scale cyberattack on its software. The SEC alleged that SolarWinds had misled investors by overstating its cybersecurity practices and failing to disclose known deficiencies, and further alleged that SolarWinds’ cybersecurity weaknesses amounted to internal control weaknesses. We discussed this case in November 2023; it was notable both because the SEC alleged that a company had intentionally deceived its investors regarding a data breach in violation of Rule 10b-5, and because the SEC broadly interpreted its rules regarding internal accounting controls and disclosure controls and procedures.
In July 2024, Judge Paul Engelmayer of the United States District Court for the Southern District of New York dismissed much of the SEC case. The Court dismissed certain of the SEC’s claims that SolarWinds’ pre-attack disclosures regarding cybersecurity contained material misrepresentations, finding instead that the statements adequately warned of the risks or accurately portrayed facts that were available at the time of the company’s filings. The Court also dismissed the internal controls charges under Section 13(b)(2)(B) of the Exchange Act, stating that while the SEC has the authority to regulate accounting controls, “that term, as a matter of statutory construction, cannot reasonably be interpreted to cover a company’s cybersecurity controls such as its password and VPN protocols.” Only the SEC’s claims regarding certain pre-attack statements on the company’s website remained intact, as the Court found a basis for concluding that these statements inaccurately portrayed the company’s cybersecurity as robust despite both the CISO and the company knowing that SolarWinds faced critical cyber vulnerabilities.
The SEC’s Latest Actions
In the actions on October 22, the SEC demonstrated that it was undeterred by Judge Engelmayer’s ruling, and in many ways doubled down on its aggressive approach to policing how companies disclose the impact of cyberattacks. The SEC’s allegations against the four companies were broadly similar and can be grouped into two categories. Two of the actions criticized risk factor disclosures where companies that had been impacted by the SolarWinds breach did not then update their risk factors to state that their networks had in fact been compromised (even if not in material ways); the other two criticized companies’ disclosures regarding the degree to which they were impacted by the SolarWinds compromise, finding that those disclosures were incomplete and thus materially misleading. More detail on each is provided below. It is worth noting that all of the relevant disclosures predated the effectiveness of new Item 1.05 of Form 8-K, which requires companies to report cybersecurity incidents they determine to be material.
Failure To Update Risk Factor Disclosure
Company A
According to the SEC, in December 2020, Company A identified a computer in its network running a version of SolarWinds’ software that had likely been infected with malicious code. Around this time, the same threat actor associated with the SolarWinds breach was embedded in Company A’s network for a period of at least sixteen months, eventually impacting several parts of its corporate network and accessing cloud-based shared files and data. Company A investigated this compromise, but, according to the SEC, was “aware that its investigations of the compromise involved significant gaps in its ability to identify the full scope” of the breach.
The SEC criticized Company A by claiming that, notwithstanding this recognition of some degree of compromise to its systems, Company A’s 2020 and 2021 Form 10-Ks, each filed in February of the following year, included cybersecurity risk disclosures that did not specifically address it. According to the SEC, Company A described the risk of a hypothetical cybersecurity breach without noting that such breaches had actually occurred. The SEC pointed to examples in which Company A’s disclosures stated that cyberattacks “could … result in the loss … or the unauthorized disclosure or misuse of information of the company” and “[i]f our systems are accessed without our authorization … we could … experience data loss and impediments to our ability to conduct our business, and damage the market’s perception of our services and products.” The SEC did not contend that these risk disclosures were false, but rather that they were materially misleading.
The SEC also claimed that Company A’s controls and procedures were deficient because, according to the SEC, its incident response policies failed to reasonably require that information about potentially material cybersecurity incidents be properly reported outside Company A’s information security function to the individuals responsible for SEC reporting and disclosure matters.
Company B
The SEC similarly claimed that, in December 2020, Company B identified numerous instances of infected SolarWinds installations on two of its servers, impacting thousands of customers. According to the SEC, however, Company B described its cybersecurity risks generically in its 2021 and 2022 SEC filings—stating that the company regularly faces attempts to gain access to its systems, but that “none have resulted in any material adverse impact to our business or operations.” The SEC claimed that these disclosures were materially misleading because they failed to address how the unmonitored presence of a likely nation-state-supported threat actor in Company B’s network had materially changed its cybersecurity risk profile, and were thus not tailored to the company’s “particular cybersecurity risks and incidents.”
Improperly Downplaying The Impact Of A Cybersecurity Incident
Company C
With respect to Company C, the SEC alleged that, in December 2020, Company C learned that certain servers in its network had been infected by malicious code in SolarWinds’ software and received notifications from a third-party service provider that the same threat actor had compromised certain email and file sharing environments using means other than the SolarWinds software. Although Company C did disclose such findings, the SEC claimed that it did so in materially misleading ways, improperly downplaying the impact. Specifically, the SEC criticized statements in Company C’s Form 10-Q that the breach resulted in access to a “limited” number of email messages without identifying the long-term unmonitored presence of a likely nation-state threat actor in Company C’s systems or the fact that the email messages the threat actor accessed belonged to Company C’s cybersecurity personnel. The SEC also faulted Company C for claiming that the threat actor had not accessed its “other internal systems” despite knowing that the breach had resulted in access to 145 shared files, some containing confidential information, in Company C’s vendor-operated cloud file sharing environment.
Company D
Lastly, the SEC alleged that Company D learned in January 2021 that its platform and a company-issued certificate had been compromised by the same threat actor responsible for the SolarWinds software breach, but similarly improperly downplayed the magnitude. According to the SEC, it was misleading for Company D to announce that “the evidence showed that this certificate was used to target only [a] small number of customers” without also disclosing that “the threat actor had accessed a database containing encrypted credentials for approximately 31,000 customers and server and configuration information for approximately 17,000 customers.” Similarly, the SEC criticized Company D for stating that the source code downloaded by the threat actor was “incomplete and would be insufficient to build and run any aspect” of Company D’s service without mentioning that the functions the exfiltrated code served were important to the security of Company D’s overall service offering.
Dissent
As noted above, two Commissioners—Hester M. Peirce and Mark T. Uyeda—issued a strongly worded dissent regarding the settlements. The dissent argued, among other things, that the SEC had failed to demonstrate the materiality of the omitted information to investors, likening the SEC’s decision to “playing Monday morning quarterback” by engaging in a hindsight review of the undisclosed details rather than assessing the effect each representation had on investors. The dissenting Commissioners also emphasized that the four companies here were victims, not perpetrators, and that insisting, through these settlements, on the disclosure of immaterial information does nothing to further protect investors.
Takeaways
Notwithstanding the position of the dissenting Commissioners, these settlements, like the SolarWinds case itself, clearly stake out an aggressive position by the SEC as to how companies must respond to cybersecurity incidents, both in terms of how quickly and comprehensively they must update existing disclosures and in terms of how they characterize the severity of the incident. The SEC has made it clear it will challenge risk factor disclosures that it believes ignore or obscure a history of materialized risks, despite its failure to prevail on that theory in the SolarWinds case. In addition, the SEC will scrutinize the comprehensiveness of incident disclosures for the potential omission of information. As the dissent cautioned, this may result in companies erring on the side of excess disclosure, as some companies may be tempted to “fill their [Form 8-K] disclosures with immaterial details about an incident, or worse, provide disclosure … about immaterial incidents.”
Although these enforcement actions did not involve the new Form 8-K cybersecurity incident disclosure requirement, they may affect how companies craft the incident disclosure called for by that requirement, and possibly even the corresponding determination of whether the incident was material. Ultimately, companies will simply need to evaluate each incident as it arises, often while still in possession of incomplete information.