SEC Lawsuit Against SolarWinds Gutted

A federal judge has dismissed a high-profile lawsuit that the Securities and Exchange Commission filed last year against software firm SolarWinds and its chief information security officer, finding that SEC rules requiring companies to have strong internal accounting controls cannot be interpreted to include cybersecurity measures. 

The SEC filed its lawsuit against SolarWinds and the company’s CISO in November 2023, after a devastating cybersecurity attack the company suffered in 2020. Central to the SEC’s case was the premise that Exchange Act rules requiring all publicly traded companies to maintain “a system of internal accounting controls” extended to include cybersecurity measures, since IT systems are a corporate asset like any other. 

If attackers could gain access to those IT systems without permission, the argument went, then the company had failed to maintain effective internal control, since one requirement thereof is that assets are used “only in accordance with management’s general or specific authorization.”

Well, U.S. District Judge Paul Engelmayer (Obama appointee) shot down that argument on Thursday afternoon, along with most of the SEC’s lawsuit against SolarWinds. The precise text of the Exchange Act calls for companies to maintain a “system of internal accounting controls,” he noted, which means the controls were only expected to apply to, well, accounting. 

“That term, as a matter of statutory construction, cannot reasonably be interpreted to cover a company’s cybersecurity controls such as its password and VPN protocols,” Engelmayer wrote in his 107-page ruling. “SolarWinds is clearly correct.” 

Engelmayer’s ruling will be soothing music to other companies that have suffered cybersecurity breaches recently. For example, last month R.R. Donnelley paid $2.1 million to settle civil charges the SEC had filed over a breach the company suffered in 2021, and that case raised the same internal accounting control issues seen in the SolarWinds case. (One wonders if Donnelley will now fire its outside counsel.) 

Just this week UnitedHealth reported staggering costs for a cybersecurity breach it suffered in February, and I had a post exploring whether UnitedHealth might face the same sort of SEC scrutiny that SolarWinds and Donnelley did. Presumably that’s now much less likely, although UnitedHealth will still face plenty of pressure from other regulators. 

Not Home Free Yet

All that said, Engelmayer did allow one portion of the lawsuit to proceed: the SEC’s claims that SolarWinds and its CISO, Timothy Brown, made misleading statements about the strength of the company’s cybersecurity program. 

Those declarations were made in a “Security Statement” the company posted on its website for all to see, and in a range of other public statements that either the company or Brown personally made over the years. For example, they said that SolarWinds embraced secure software development, and maintained robust compliance with NIST standards for cybersecurity.

The SEC, however, dug up internal company communications showing that plenty of employees thought those statements were bunk. For example, one employee described the Security Statement as “aspirational,” with no clear sense of when the company would achieve those goals. Other inconsistencies related to the company’s secure software development processes, its password policies, and more.

For a company whose business is cybersecurity, Engelmayer wrote, such discrepancies are both material and misleading: 

In light of these detailed pleadings, which chronicle diverse findings contradicting SolarWinds’ public representations, the [SEC] plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls. Given the centrality of cybersecurity to SolarWinds’ business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material.

Neither SolarWinds nor the SEC had any immediate statement about the dismissals today. Nevertheless, this is a big win for SolarWinds, and a rebuke of the SEC’s attempt to use internal accounting controls as a vehicle to sanction companies’ poor cybersecurity practices. 
