
SEC Enforcement Turns its Sights on Cybersecurity Disclosures and Cybersecurity Officers

The U.S. Securities and Exchange Commission (SEC) continues to demonstrate its increased focus on cybersecurity issues with its litigation efforts in a groundbreaking cybersecurity case.

Last month the SEC filed an amended complaint in its case against SolarWinds Corp. and its Chief Information Security Officer Timothy Brown. The SEC alleges the defendants defrauded investors and customers by making material omissions and misrepresentations about the company’s vulnerability to cyberattacks and internal control failures related to cybersecurity risks. The lawsuit is said to be the SEC’s first-ever action to litigate cybersecurity disclosure issues and the first-ever lawsuit to name a chief information security officer as a legal target.

The lawsuit is part of a larger SEC focus on cybersecurity. Last year, the SEC adopted a new rule requiring public companies to disclose material information on their cybersecurity risks and management, and to report material cybersecurity incidents shortly after they are discovered. The SEC’s Division of Examinations also announced last year that cybersecurity would be an area of focus for the Division in the upcoming year.

The SEC’s complaint in the SolarWinds case alleges that between October 2018 and January 2021, the company made false and misleading statements about its cybersecurity risks to investors and the public in SEC filings and other public statements. For example, the SEC alleges that in 2018, during the company’s initial public offering, an engineer told Brown and other employees of the company that the remote access setup was susceptible to hackers and could cause major “reputation and financial loss.” The SEC further contends that SolarWinds knew of the risks, as according to one company official the software it sold to the government was “not very secure.”

The SEC’s amended complaint provides additional detail for its allegations against SolarWinds Chief Security Officer Brown. It alleges that Brown knew within a month of being hired that SolarWinds had cybersecurity weaknesses. According to the complaint, rather than fix those vulnerabilities, Brown helped draft a security statement for customers that he knew was false, promising SolarWinds was committed to the security and privacy concerns of its customers.

Commenting on the allegations in the case, SEC Enforcement Director Gurbir Grewal said, “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

For example, in December 2020 SolarWinds filed a Form 8-K disclosing for the first time that it was aware that its Orion software platform, the company’s flagship product, contained a cybersecurity vulnerability, but the SEC alleges that the company’s disclosure was deficient. According to the SEC, the company failed to disclose that in the preceding six months, multiple government agency customers of the company had experienced attacks due to the vulnerability.

Later news articles reported that the attacks, known collectively as the “SUNBURST” attack, were part of an espionage campaign linked to the Russian government. The hackers breached the networks of approximately 100 major organizations and nine federal agencies, including the U.S. Departments of the Treasury, Commerce, and Homeland Security.

In 2022, SolarWinds reached a $26 million settlement in a class action lawsuit with investors allegedly harmed by the data breach, while two other shareholder lawsuits were dismissed.

In recent legal filings in the SEC case, SolarWinds has vowed to vigorously defend itself against the SEC’s charges. According to news reports, the company expressed concern that “this action will put our national security at risk.” The company argued that it acted appropriately in handling the 2020 data breach and stated that it plans to seek dismissal of the SEC’s case.

It is unknown whether the SEC’s case against SolarWinds was the result of a tip from a whistleblower. Individuals with knowledge of cybersecurity risks or breaches that are not accurately reported to investors can anonymously report their concerns to the SEC through its whistleblower program.

SEC whistleblowers are entitled to rewards of 10 percent to 30 percent of the monetary sanctions the SEC collects in enforcement actions based on the whistleblower’s information, provided more than $1 million in sanctions are ordered. If monetary sanctions exceed $1 million, recoveries in related cases by other agencies also may be included in the calculation of the whistleblower award.

The money paid to whistleblowers comes from the Investor Protection Fund created by Congress and financed through monetary sanctions the SEC collects from securities law violators. No money is taken or withheld from harmed investors to pay whistleblower rewards.

Our Expertise in SEC Whistleblower Awards

Phillips & Cohen is the most successful law firm representing whistleblowers, with recoveries from cases totaling over $13 billion and 21 awards for clients under Dodd-Frank whistleblower reward programs. The firm’s partners include the former first head of the SEC Office of the Whistleblower, the former director of the CFTC’s Whistleblower Office and numerous attorneys with decades of experience representing whistleblowers.

If you are aware of cybersecurity disclosure fraud and would like to talk to experienced whistleblower lawyers, please contact us for a free, confidential review of your matter.
