Communications Litigation Today was a Warren News publication.
‘Candid’ Deliberations ‘Chilled’

SEC’s Case vs. SolarWinds Is ‘Unprecedented,’ Should Be Dismissed, Says BSA

February 5, 2024 by Paul Gluckman|Top News

The Russian government’s Sunburst cyberattack on SolarWinds in 2020 was “of previously unseen scope and sophistication.” Yet three years later, the SEC now accuses SolarWinds -- the victim of that nation-state attack -- of securities fraud, said BSA | The Software Alliance in an amicus brief Friday (docket 1:23-cv-09518) in U.S. District Court for Southern New York in Manhattan. The brief is in support of SolarWinds’ Jan. 26 motion to dismiss the SEC’s complaint against the company and Tim Brown, its chief information security officer (see 2401290033).

The SEC acknowledges that SolarWinds warned investors it was vulnerable to cyberthreats, said the brief. Within two days of learning about the intrusion, SolarWinds filed an 8-K “in which it publicly disclosed that it had been the victim of a potentially massive cyberattack,” it said.

The SEC nonetheless accuses SolarWinds “of defrauding investors by not publicly disclosing details about its cybersecurity vulnerabilities or exactly how many customers were infiltrated” through the Sunburst attack, said the brief. In support of its claims, the SEC “points mostly to excerpts of communications among SolarWinds engineers and other employees who were working on cybersecurity issues,” it said.

The SEC’s case against SolarWinds is “unprecedented,” said the brief. Never before has the SEC sued “the victim of a nation-state cyberattack,” it said. Nor has it ever sued a company for securities fraud based on the company’s cybersecurity disclosures, or “sought to hold an individual personally liable for those disclosures,” it said.

The case “is not only novel,” but it also “threatens to undermine cybersecurity” by making it more difficult for companies to respond to increasingly sophisticated and highly “resourced” cyberthreats, said the brief. To effectively manage cyber risks and respond to attacks, companies “must encourage employees to flag potential vulnerabilities,” even if they might be wrong, it said.

Companies and employees must “sift through” cyberthreats, actual and potential, “and quickly decide how to respond, often without the benefit of full information,” said the brief. If their systems are infiltrated, “they must work closely with the government and oftentimes other companies to identify, contain, and remediate the threat,” it said.

Public companies must now fear that the SEC “will comb through their communications for evidence purporting to show that some of their employees were aware of undisclosed vulnerabilities, as the SEC has sought to do in this case,” said the brief. “Candid internal deliberations will be chilled,” and communications with law enforcement and national security authorities, other companies and the public will be “stifled,” even though those communications are “essential” to effective cyber defenses, it said.

Requiring companies to publicly disclose details about cybersecurity weaknesses and incidents, as the SEC seeks to do here, “will serve only to give threat actors more information about how better to attack American companies,” said the brief. Even the SEC “has explicitly acknowledged this risk,” it said.

The theories of liability pursued in the SEC’s case against a nation-state victim and individual CISO “will undermine companies’ ability to defend against cyber threats,” said the brief. It also will threaten U.S. national security, “leaving us all less safe,” it said. The court should grant SolarWinds’ motion to dismiss, it said.