SEC Urges Denial of SolarWinds’ Motion to Dismiss Amended Fraud Complaint

The SEC is seeking to hold SolarWinds and chief information security officer Timothy Brown accountable for not properly disclosing the Russian government’s massive December 2020 Sunburst cyberattack on the company and the security vulnerabilities that led to it.

SolarWinds and Brown claimed in “multiple public forums” that it employed cybersecurity practices such as granting access to computer systems on a “least privilege necessary basis,” said the SEC’s opposition. However, internally they admitted SolarWinds did not follow the “least privilege necessary” practice because of “widespread access control problems,” it said.

The most “egregious” examples of “affirmative false statements” were in the security statement publicly posted on SolarWinds’ website. The numerous, material, false representations in the security statement “could alone support the SEC’s fraud claims,” but there’s “much more,” it said.

Despite professing to accept the SEC’s amended complaint’s factual allegations as true, SolarWinds and Brown “mainly seek to dismiss this case by disputing the factual allegations or re-casting the allegations” in the light most favorable to them, said the SEC’s opposition. But the court shouldn’t “indulge” their attempts “to argue facts and inferences on a motion to dismiss,” it said.

As described in the amended complaint, from at least October 2018 through at least Jan. 12, 2021, SolarWinds and Brown “recognized and documented” the company’s “long-standing, pervasive, and material cybersecurity deficiencies,” the SEC’s opposition said. Nevertheless, they made public statements “that directly contradicted the internal assessments and omitted the risks those deficiencies posed,” it said. Through those statements, and an “overall scheme” to portray SolarWinds as having a stronger cybersecurity posture than it did, SolarWinds and Brown “misled the investing public.”

The true state of SolarWinds’ cybersecurity practices, controls and risks “ultimately came to light only following a massive cyberattack -- which exploited some of the very cybersecurity deficiencies that Brown had been warned about -- and which impacted thousands of SolarWinds’ customers,” said the opposition. The Sunburst attack compromised SolarWinds’ flagship product, the Orion software platform, it said.

Contrary to the defendants’ claims, the SEC isn’t “re-victimizing” SolarWinds, said the opposition. Instead, the Sunburst attack “is just one part of a broader case involving fraud, control, and disclosure violations” that began with SolarWinds’ October 2018 initial public offering, well before the Sunburst attack, it said.

The amended complaint contains detailed allegations about SolarWinds and Brown’s “materially misleading statements, omissions, and actions,” said the SEC’s opposition. That conduct violated the antifraud and reporting provisions of the Securities Act and the Securities Exchange, it said. The same poor cybersecurity practices that SolarWinds and Brown “schemed to conceal” also constituted violations of the Exchange Act’s internal controls provisions, it said.

Though the defendants claim that those provisions involve only controls relating to financial statements, “case law and longstanding interpretive guidance make clear it relates to controls designed to ensure management is protecting a company’s assets,” said the opposition. SolarWinds also failed to maintain effective processes for elevating information, including information about cyberattacks, to its disclosure committee, in violation of Exchange Act Rule 13a-15(a), it said.

Through his actions and misstatements, Brown “not only committed securities fraud, but also aided and abetted SolarWinds in violating all these provisions,” said the opposition. The court should deny the defendants’ motion to dismiss, it said.