Recently, the SEC filed a lengthy civil complaint against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
As stated in the SEC’s release:
“The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
In the SEC’s release, Gurbir Grewal (Director of the SEC’s Division of Enforcement) stated:
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company.’ Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. [This] enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.
The internal controls charges represent yet another non-FCPA, FCPA enforcement action in that they involve the same internal controls provisions implicated in a traditional FCPA enforcement action alleging foreign bribery.
The internal controls provisions require “issuers” to:
devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
The internal controls allegations in the SolarWinds enforcement action are interesting – to say the least.
The complaint alleges:
“As an Exchange Act Section 13(a) reporting company, SolarWinds was required to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that…access to assets is permitted only in accordance with management’s general or specific authorization.” In that regard, SolarWinds was required to develop reasonable safeguards against unauthorized access to Company assets by designing and maintaining reasonable controls to prevent and detect unauthorized access to, or use of, its assets.
SolarWinds’ information technology network environment, source code, and products were among the Company’s most critical assets. As discussed above, Orion [a software platform] was among SolarWinds’ “crown jewel” assets. SolarWinds’ Code of Conduct also described the Company’s software code and information technology infrastructure among its most important assets and emphasized employees’ responsibility to protect such information. In its October 18, 2018 Form S-1, SolarWinds stressed the importance of its “technology infrastructure to sell [its] products and operate [its] business” as well as its customers’ reliance on SolarWinds’ technology to manage their own information technology infrastructure.
SolarWinds assessed the effectiveness of its internal controls using the framework in Internal Control – Integrated Framework issued in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO Framework”). For cybersecurity controls, the COSO Framework requires an organization to select and develop internal control activities over technology that are designed and implemented to restrict technology access rights to authorized users and to protect the entity’s assets from external threats.
Under the COSO Framework, SolarWinds chose to use the NIST Framework [National Institute of Standards and Technology Cybersecurity Framework] … conduct assessments. As discussed above, SolarWinds admitted in internal documents that it had no program or practice in place for a majority of the controls in the NIST Framework, and had assessed itself to be performing poorly on multiple critical controls.
As a result of the above shortcomings to SolarWinds’ cybersecurity controls, the Company failed to devise and maintain a system of internal controls sufficient to provide reasonable assurance that access to the Company’s assets was only in accordance with management’s general or specific authorization.
SolarWinds did not follow its own certification control concerning cybersecurity, including failing to use and document a list of controls in connection with certifications by Company officials. Brown certified to the effectiveness of the Company’s information technology controls around financial reporting. But neither he nor the Company were able to identify the list of relevant controls to the SEC during the SEC’s investigation. Brown instead certified based on his general sense of the quality of those controls, while failing to identify the Company’s extensive shortcomings in areas such as access controls.
SolarWinds’ cybersecurity-related policies and procedures went largely unimplemented or were subject to extensive problems or violations. Internal assessments applying the NIST Framework, which the Security Statement said SolarWinds followed, showed that between 2019 and 2021, the Company had “no program/practice in place” for most of the controls. In particular, as discussed above, the Company had significant lapses around access controls, frequently violated its own internal password policy, and failed to apply SDL to at least some of its products, including the Orion Improvement Program portion of the Orion platform.”