A recent ruling in the U.S. Securities and Exchange Commission’s (SEC) lawsuit against Austin, Texas-based software provider SolarWinds is a major blow to the commission’s aggressive cybersecurity enforcement stance, legal analysts say.
Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York last week dismissed much of the lawsuit, including the SEC’s argument that the company’s cybersecurity failures could be punished as violations of the “internal accounting controls” requirement in Section 13(b)(2)(B) of the Securities Exchange Act.
“This decision significantly limits the SEC’s ability to challenge companies’ cybersecurity programs,” Mark Schonfeld, a litigation partner at the law firm Gibson, Dunn & Crutcher, said in an email. But the decision still allows the SEC to move forward with claims that a company’s statements about its cybersecurity programs are materially misleading, he added.
The case highlights a trend of aggressive cybersecurity enforcement by the SEC and other federal agencies since President Joe Biden took office, but the outlook is unclear following recent court decisions.
In the SolarWinds case, “the court rejected all of the SEC’s most aggressive arguments,” Walker Newell, vice president of corporate responsibility at insurance brokerage Woodruff Sawyer, said in an email. “The judge simply and persuasively determined that cybersecurity controls are not internal accounting controls.”
It is unclear whether the SEC plans to appeal the ruling. An SEC spokesman declined to comment.
Meanwhile, the U.S. Supreme Court last month struck down the so-called Chevron doctrine, under which courts deferred to government agencies’ interpretations of ambiguous statutes. That decision is likely to have far-reaching effects across the federal government, including on agencies like the SEC that have asserted broad jurisdiction over cybersecurity-related matters without clear authority from Congress, as previously reported by CFO Dive.
The SEC’s current cybersecurity enforcement plans could also be upended in the upcoming presidential election in November, depending on which candidate wins.
“We won’t know until next year what the future holds for the SEC’s cyber enforcement program,” Newell said.
SEC sues SolarWinds over breach disclosures
The commission sued SolarWinds and its chief information security officer, Timothy Brown, in October, accusing them of misleading investors by misrepresenting the company’s cybersecurity practices in the period leading up to the massive supply-chain compromise that was disclosed in December 2020. The SEC also alleged that SolarWinds’ cybersecurity deficiencies amounted to a failure to “devise and maintain a system of internal accounting controls” under Section 13(b)(2)(B).
The U.S. Chamber of Commerce and the Business Roundtable subsequently jointly supported SolarWinds and Brown’s motion to dismiss the SEC’s lawsuit.
“This decision clearly favors defendants in many important respects, and CFOs in particular will take seriously the Court’s holding that the SEC’s internal control charges over financial reporting do not apply to cybersecurity controls as a matter of statutory construction,” Danette Edwards, a partner at Katten Muchin Rosenman and co-head of the firm’s securities enforcement defense practice, said in an email.
Under the terms of the law, Section 13(b)(2)(B) requires public companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that access to assets is permitted only pursuant to general or specific authorizations of management.”
Expanding the scope of legal tools
In recent years, the SEC has broadened its interpretation and application of this provision in ways that defense lawyers and business groups say stretch the statute well beyond its text.
The SolarWinds case is one of two in which the SEC has applied Section 13(b)(2)(B) to cybersecurity breaches. In the second, the SEC announced last month that RR Donnelley & Sons Co., a global provider of business communications and marketing services, had agreed to pay a civil penalty of approximately $2.1 million to settle charges that it violated Section 13(b)(2)(B) in connection with its response to a 2021 ransomware attack.
In his decision, Judge Engelmayer sided with SolarWinds on the Section 13(b)(2)(B) claim, holding that cybersecurity controls fall outside the scope of that provision.
“This ruling has significant implications beyond cybersecurity, as the SEC has increasingly brought charges against companies under this statute in recent years for deficiencies in legal, compliance and risk management controls unrelated to corporate accounting,” Nicole Friedlander, a partner in Sullivan & Cromwell’s criminal defense and investigations group and co-head of the firm’s cybersecurity practice, said in an email.
The SEC’s interpretation of the statute allows it to punish any company that becomes a victim of cybercrime, said Friedlander, whose firm filed an amicus brief in the case on behalf of the U.S. Chamber of Commerce and the Business Roundtable.
More broadly, the SEC’s theory that the law could be interpreted to apply to all systems used by public companies to safeguard valuable assets “would have far-reaching effects,” the judge wrote in his ruling. “This could give the SEC the power to regulate the background checks used to hire nighttime security guards, the selection of padlocks for warehouses, the security measures at water parks on which the reliability of an asset — customer goodwill — depends, and the length and composition of passwords needed to access a company’s computers,” the judge wrote.
The ruling “hopefully will help curb the SEC’s aggressive application of its liability regime against victim companies (and their agents) in cybersecurity litigation,” Scott Kimpel, a partner at law firm Hunton Andrews Kurth, said in an email. “In particular, the judge’s rejection of the SEC’s novel internal control theory may make it more difficult for the SEC to bring similar cases in the future.”
The judge also rejected the SEC’s theory that certain “risk factors” SolarWinds mentioned in its securities filings and post-breach disclosures were misleading.
“This should provide some relief to public company legal and finance departments,” Newell said. “It will still be difficult for governments and private plaintiffs to assert securities fraud claims based on good faith cybersecurity-related statements in SEC filings.”
Limited wins for the SEC
The ruling wasn’t a complete defeat for the SEC, however: the judge allowed the SEC to move forward with a securities fraud lawsuit related to cybersecurity statements posted on SolarWinds’ website.
“Despite the company’s argument that these statements were directed to customers, not investors, the court held that allegedly false statements on a public website can provide the basis for a securities lawsuit,” Kara Peterman, a partner in Alston & Bird’s securities litigation group, said in an email. “The key lesson from this portion of the decision is that public companies and their officers and directors need to be cognizant of the fact that public statements about their company’s cyber controls may be subject to later scrutiny in SEC enforcement actions or shareholder litigation.”
Newell said the decision highlights the need for public companies to treat all public statements about cybersecurity, including in the context of blogs, interviews, conferences and other such matters, with “care and discretion.”
“Finance, legal and communications teams should already be working collaboratively with cybersecurity leaders to make meaningful public statements in this area,” he said.
In another win for the SEC, SolarWinds’ CISO remains named as a defendant on the remaining claims. While the cases against him and the company have been significantly scaled back, analysts say the ruling leaves open the possibility of personal liability for CISOs, CFOs and other public company executives more generally in SEC cybersecurity enforcement actions.
“Not only do the defendants still face the most serious fraud charges, but the court’s rulings regarding disclosure controls, as opposed to internal controls, are highly fact-specific,” Edwards said. “This ruling does not mean that disclosure control arguments will not hold up in other future cybersecurity litigation.”
Analysts said the case does not affect the SEC’s ability to enforce the cybersecurity disclosure rules it adopted last year, which, among other things, require public companies to report “material” cybersecurity incidents to the SEC under Item 1.05 of Form 8-K within four business days after they determine the incident was material.
“The new rules don’t talk about accounting controls, only about disclosure,” Peterman said, “and the SolarWinds lawsuit was not brought under the new rules.”
Still, Newell said the court’s decision will have an indirect impact on how the rule is enforced in the future. “This decision signals that the SEC needs to tread carefully when it comes to aggressive cybersecurity litigation,” he said.