On October 30, 2023, the SEC (Securities and Exchange Commission) filed an action against SolarWinds and its CISO, Timothy Brown. This was hardly a surprising move.
According to public statements, the Russian intelligence service, the SVR, used a new and sophisticated technique to insert code into SolarWinds’s patch for its Orion software. The patch was downloaded by 18,000 Orion users. According to SolarWinds, the hack compromised about 100 organizations and a dozen government agencies, including Microsoft, Intel, and Cisco, as well as the Treasury, Justice, and Energy departments, CISA (Cybersecurity and Infrastructure Security Agency), and the Department of Defense.
In its complaint, the SEC did two things that it had never done in previous actions: It specified an individual, and it alleged that an organization had failures in its internal controls. But that is not what makes this a special case.
The SEC adopted new rules in 17 CFR §229.106 for the 10-K. It also adopted item 1.05 for Form 8-K. However, the new rules were not mentioned in the complaint.
In fact, the basis of the lawsuit is very old: fraud. This means that SEC jurisdiction is not necessary. All organizations in the U.S. can be defendants in a lawsuit based on fraud.
SolarWinds had posted a security statement on its website declaring that it:
- Maintained an SDL (secure development lifecycle) program
- Enforced the use of strong passwords on all systems
- Was in compliance with the NIST Framework
- Maintained good access controls
The reality is that it did none of the above.
Making such false statements amounts to fraud. It is the type of fraud that would be possible for any U.S. organization, not just those subject to SEC jurisdiction. It would also make the organization liable under Rule 10b-5, which makes it unlawful for any person to employ any device, scheme, or artifice to defraud.
The evidence for the failure to comply with the provisions of the security statement comes mostly from internal documents, which stated that the SDL section of SolarWinds’s security statement was false.
The organization’s performance on NIST compliance was even worse. SolarWinds had selected the moderate-level controls catalogued in NIST SP 800-53 v4, containing 325 controls. Of those, SolarWinds had implemented a practice for only 21. There was evidence of 85 controls that may have had a program or practice in place, leaving 219 controls that had no programs or practice at all. With more than 60% of the controls lacking any program or practice, this can hardly be termed “compliance” with NIST, as claimed in the security statement.
SolarWinds even failed to carry out simple practices such as enforcing a specific, complex password policy or changing default passwords. Instead, it allowed the continued use of obvious default passwords such as “SolarWinds1234” and “password.”
Finally, SolarWinds claimed in its security statement that employees had access on a “least privilege necessary basis.” This was untrue. SolarWinds frequently and pervasively granted employees unnecessary “admin” rights.
The most interesting point about this case is that it is based on fraud. Most cybersecurity cases in the U.S. are based on negligence or breach of contract and result in an administrative action by the FTC (Federal Trade Commission), SEC, or state attorney general. The difference here is that fraud can be brought by any attorney, in any court, in any state. It does not require a statute giving the right of private action.
Fraud cases can also be brought under unfair and deceptive trade statutes, which can award treble damages and attorney fees. SEC vs SolarWinds is a perfect example. Customers who bought the Orion software can get their money back and damages if they suffered a breach.
SEC vs SolarWinds provides a roadmap for software providers to be sued without appealing to statutes. This could prove as profitable as any product liability class action.
Organizations can safeguard their cybersecurity by adopting a framework such as ISO 27001. Such frameworks involve constant monitoring, which ensures that statements organizations make about their compliance remain up to date and accurate, avoiding highly damaging fraud-based lawsuits.
Free webinar: An Introduction to the SEC Cybersecurity Disclosure Rules
Join the author of this blog post, William Gamble, on Thursday, November 30 at 11:00 am (EST) for a free webinar about the new SEC rules.
- Get an overview of the SEC’s proposed rules and their significance
- Determine if your organization falls under the SEC’s jurisdiction
- Understand the compliance requirements for listed companies
- Get an in-depth examination of current laws, including:
  - Disclosure requirements and materiality
  - Rule 10b-5 implications
  - Previous cyber incidents, hacks, and vulnerabilities
- Identify and address emerging compliance challenges