New SEC enforcement action against Solar Winds and its CISO

Earlier this month, Crenshaw Ware & Martin authored a post about the new SEC rule on cybersecurity as a business risk for publicly traded companies, mandating certain disclosures to investors to permit accurate and representative risk evaluations.  Yesterday, the SEC doubled down on signaling the importance of factoring cybersecurity risk into general corporate risk profiles and the responsibilities of corporate executives, as the SEC sued SolarWinds and its CISO alleging that prior to the massive 2019-2020 cyberattack, both the corporation and the CISO had “concealed both the company’s poor cybersecurity practices and its heightened and increasing cybersecurity risks.” 

SolarWinds is an Austin, Texas software company that provides system management tools and other technical services to hundreds of thousands of organizations globally, including tech companies, corporations, and government bodies.  “Orion” is a SolarWinds IT performance monitoring system which has privileged access to IT systems to obtain log and system performance data.  Orion’s reach into systems and wide deployment made it an attractive target for hackers.  The attack on Orion is the largest and most consequential cyberattack in history.

Microsoft named the group of hackers – most likely sourced from a nation-state as opposed to private hackers – “Nobelium.”  The hackers – almost certainly Russian – gained unauthorized access to the data, networks and systems of thousands of public and private organizations – and, equally or more importantly – the data and networks of their customers and partners.  This allowed the attack to metastasize into epic proportions, via a “supply chain attack” to introduce malicious code into Orion.  Orion then created a backdoor through which hackers were able to access and impersonate users and accounts of target organizations.  The malware was so advanced, it blended in with legitimate SolarWinds activity without detection.  SolarWinds tools’ ubiquity permitted unprecedented breadth of access.  More than 18,000 SolarWinds customers installed malicious updates, which then propagated.

The breach was first detected by cybersecurity company FireEye, which worked with Microsoft and GoDaddy to block and isolate infected version of Orion by installing a kill switch.  The hack’s “dwell time” – the time between the hack and its discovery – was over a year, when the average in 2019 was 95 days.  The depth and breadth of the SolarWinds attack was so significant the attack may serve as the catalyst for broad change in the cybersecurity industry.  SolarWinds represents a flashing red light with regard to conventional approaches to cybersecurity, particularly focusing on supply chain security, which also presented vulnerabilities in the Colonial Pipeline attack in May 2021 and the Kaseya ransomware attack in July 2021.  The first major action by the federal government was prescription of a “software bill of materials” by Executive Order on May 12, 2021. 

In June 2023, SolarWinds revealed in an SEC Form 8-K filing (a regularly scheduled “current report” publicly traded companies must file with the SEC to announce major events that shareholders should know about) the company had received “Wells Notices” – a colloquial term for notifications issued by the SEC to inform companies of “completed investigations where infractions have been discovered”.  The notices are named after 1972 independent “Wells Committee”, a commission formed to review the enforcement practices and policies of the SEC.  SolarWinds also settled a lawsuit in October 2022 to settle claims by shareholders that SolarWinds neglected internal security preceding the breach and misled the public about its digital security.

Yesterday, October 30, 2023, the SEC filed a civil action against SolarWinds and its CISO alleging prior to the attack the company and the CISO “concealed both the company’s poor cybersecurity practices and its heighted – and increasing – cybersecurity risks.”  The SEC action alleges SolarWinds’ “public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities and cyberattacks.”  SolarWinds’ attorney immediately protested, “The SEC is improperly trying to appoint itself the cybersecurity police for public companies [which] should alarm all public companies and cybersecurity professionals across the country.”

Properly or improperly, herein lies the point:  the SEC may or may not be successful in their civil action, but public companies are on notice – again – this federal administration, and the SEC in particular, are serious about businesses accurately and realistically assessing and reporting cybersecurity risk, which should drive increased investment and professionalization of corporate cybersecurity practices.  This trend with public companies will eventually bleed over to privately held companies, particularly as bankers assess cybersecurity risk with regard to creditworthiness and private and institutional investors consider where to capitalize.  Another key point is the SEC is not only seeking enforcement against the company, but also against the CISO personally.  Finally, a factor to watch is whether state regulators, particularly Attorneys General, follow this trend.

Crenshaw, Ware & Martin PLC is ready to help your business conduct training, perform cybersecurity risk assessments, and formulate a compliance plan to manage cybersecurity threats for Virginia or Virginia-facing businesses, including publicly traded companies. The firm can also assist with integrating cybersecurity risk management into corporate ESG/CSR programs in response to customer, investor, and supplier demands and expectations. Contact Darius Davenport, Managing Partner, or Butch Bracknell, Attorney, at 757.623.3000, or by email at DDavenport@cwm-law.com or RBracknell@cwm-law.com.