On October 30, 2023, the Securities and Exchange Commission filed claims against a software company (the “Company”) and its Chief Information Security Officer for alleged fraud and internal control failures relating to known cybersecurity risks and vulnerabilities. SEC v. SolarWinds Corp., et al., No. 23-cv-9518 (S.D.N.Y. Oct. 30, 2023). The SEC’s complaint alleges that the Company made misleading omissions in connection with its December 2020 disclosure that it had suffered a cyberattack that compromised its customers’ information. Specifically, the SEC alleges that the Company failed to disclose that such cyberattacks had occurred for years and that the Company’s vulnerability to such attacks was well-known. Notably, this is the first time the SEC has alleged that a company intentionally deceived its investors regarding a data breach in violation of Rule 10b-5, which makes it unlawful to make a fraudulent statement or omission with scienter in connection with the purchase or sale of securities. In its previous data-breach actions, the SEC has generally alleged that a corporate entity acted negligently.
In its complaint, the SEC alleges that, since at least its initial public offering in October 2018, the Company was subject to a multi-year cyberattack and failed to disclose that fact in either its initial offering documents or in its subsequent disclosures to the SEC. Additionally, the SEC alleges that the Company was well aware of this cyberattack, and its vulnerability to cyberattacks, but decided to withhold such information from investors in order to protect its stock price. Specifically, the SEC alleges that multiple communications between the Company’s employees—including its Chief Information Security Officer—indicate that the Company’s technology was “not very secure” and that someone could “basically do whatever without [the Company] detecting it until it’s too late.”
The SEC further alleges that the Chief Information Security Officer gave multiple presentations to the Company’s Chief Executive Officer in which he expressed his concern that the Company was suffering from myriad security issues that “outstripped the capacity” of the Company’s engineers to fix. In December 2020, the Company filed a disclosure with the SEC on Form 8-K, explaining that it had suffered a cyberattack that placed customer data at risk, but the SEC alleges that the disclosure was incomplete because it did not disclose that the cyberattack had been ongoing for at least two years and that the Company was aware of its vulnerabilities. The SEC asserts that the Company’s and the Chief Information Security Officer’s conduct violated Section 17(a) of the Securities Act and Sections 10(b) and 13(a) of the Exchange Act because the Company issued materially misleading offering documents during its initial public offering and then continued to intentionally withhold critical information from investors and the SEC in the following years.
This groundbreaking use of Rule 10b-5 in connection with a cybersecurity breach comes on the heels of the SEC’s adoption in July 2023 of rules requiring public companies to disclose material cybersecurity incidents. Taken together, these developments mean that public companies should not only be prepared to comply with the new disclosure rules but should also assume the SEC will actively investigate reports of incidents made by companies under these new rules.