SolarWinds is a major software company that sells high-end software to governmental and private entities and provides system management tools for network and infrastructure monitoring to hundreds of thousands of organizations around the world. In December 2020, SolarWinds and its customers were the target of a large-scale cyberattack, known as Sunburst, likely perpetrated by state-sponsored hackers in Russia. The SolarWinds hack is considered one of the biggest cybersecurity breaches of the 21st century because it affected thousands of organizations and their clients and customers, including the United States government.
Following the incident, the U.S. Securities and Exchange Commission (the “SEC”) brought charges against SolarWinds and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. See SEC v. SolarWinds et al., No. 23 Civ. 9518, 2024 WL 3461952 (S.D.N.Y. July 18, 2024). The SEC alleged that SolarWinds misleadingly touted its cybersecurity practices and products, including its “Orion” flagship software platform, understated its cybersecurity risks, and misled the investing public about a series of cyberattacks. Id. at *1. The SEC further alleged that SolarWinds disseminated numerous misstatements in the “Security Statement” on its website, in the cybersecurity risk disclosure in the company’s SEC filings, and in other publications posted immediately after revelation of the Sunburst cyberattack, in violation of Section 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) and Rule 10b-5 thereunder, which prohibit false and misleading statements and omissions in connection with the purchase or sale of securities.
The court denied in part and granted in part SolarWinds’ motion to dismiss. The court denied defendants’ motion to dismiss with respect to securities fraud claims premised on representations regarding SolarWinds’ access controls contained in the company’s Security Statement posted on its website, in which SolarWinds represented that it maintained role-based access controls set on a need-to-know and least-privilege basis, and that access was granted to additional employees only following a formal process that involved approval of the system owner or another executive. Id. at *27. The SEC alleged that, contrary to these statements, SolarWinds was routinely “promiscuous” in freely granting administrative rights to employees without regard to their job functions, and that the access control deficiencies were “long-standing, well-recognized within the company, and unrectified over time.” Id. at *27. Despite internally acknowledging these deficiencies and being confronted with presentations that informed Brown that many individuals had access to sensitive data and systems and that the company was not following best practices, Brown approved the Security Statement for public consumption. Id. at *27. The court found that these and other allegations documenting diverse findings contradicting SolarWinds’ public representations—many of which amounted to “flat falsehoods”—constituted material misrepresentations. Id. at *28.
The SEC also successfully alleged that the Security Statement materially misrepresented to the public that SolarWinds enforced a strong password policy, by claiming that the company required the use of complex passwords that included alphanumeric characters and that passwords were individually salted and hashed.[1] Id. at *10. In fact, however, SolarWinds’ employees routinely used simple, unencrypted passwords, compounding the company’s vulnerability to intrusion by threat actors. Id. at *29. Brown and SolarWinds’ other top executives were well aware of the ongoing password practices, including through an email in which an employee reported that passwords had “no specific parameters,” “are able to be reused,” and “are not changed at a set number of days.” Id. at *10. Additionally, in November 2019, the company was notified that a password to one of its servers was publicly available; in April 2018, an audit revealed that database passwords were “not encrypted” and that “login credentials [were] stored in plan text in configuration file and in the system registry”; and in 2019 and 2020 the company was notified of failures to meet “password requirements.” Id. at *10, 11. The court found that a reasonable person contemplating investing in SolarWinds would have viewed these statements as “significant in making investment decisions.” Id. at *30.
The court found that the allegations against both SolarWinds and Brown satisfied the scienter requirement. Id. at *33. Brown and SolarWinds misleadingly posted the Security Statement on the company’s website and sent it to customers, claiming that it accurately described the practices SolarWinds followed at the time. The court found that the SEC’s allegations that Brown promoted and actively disseminated the misleading and false Security Statement adequately pled scheme liability under Section 10(b) of the Exchange Act. Id. at *33. Brown acted with the required scienter in publishing the Security Statement and maintaining it on SolarWinds’ public-facing website. Given Brown’s lead role at SolarWinds in cybersecurity matters, his state of mind and his actions are properly imputed to SolarWinds. Id. at *32.
This holding aligns with a decision denying a motion to dismiss a private securities fraud lawsuit brought in the Western District of Texas against SolarWinds, Brown and others. In re SolarWinds Corp. Sec. Litig., 595 F. Supp. 3d 573 (W.D. Tex. Mar. 30, 2022), opinion clarified, No. 21 Civ. 138 (RP), 2022 WL 3699429 (W.D. Tex. Aug. 19, 2022). There, investors who purchased SolarWinds securities suffered losses resulting from the share price decline that followed the revelation of the Sunburst cybersecurity breach. The district court denied a motion by SolarWinds and Brown to dismiss the claim brought against them under Section 10(b) of the Exchange Act and Rule 10b-5. The court found that SolarWinds and Brown had falsely and misleadingly publicized, in the company’s Security Statement, the company’s cybersecurity system and its adherence to cybersecurity best practices. Id. at *584, 586, 587, 588.
[1] A salt is a random string of characters that is added to a password before it is hashed. Password hashing applies a one-way mathematical algorithm that converts a password into a different, fixed-length string from which the original password cannot practically be recovered. Because each user’s salt is unique, two users with the same password produce different stored hashes, and an attacker cannot reuse precomputed tables of hashes against a stolen password database. The combination of the two is a common way to strengthen password security. See Authgear, Password Hashing and Salting Explained, https://www.authgear.com/post/password-hashing-salting#:~:text=Whenever%20a%20user%20creates%20a,algorithm%20is%20called%20hashing%20algorithm.