On October 30, the U.S. Securities and Exchange Commission (SEC) filed a civil complaint (“the Complaint”) alleging that SolarWinds, a public company, and its Chief Information Security Officer (CISO) defrauded investors by misstating the company’s cybersecurity practices and concealing poor cybersecurity hygiene and its heightened cybersecurity risks, thereby violating Federal securities laws. The SEC inquiry resulted from the widely reported compromise of SolarWinds’ Orion software product, first disclosed in December 2020 and described in greater detail here, although the Complaint also stated that SolarWinds’ actions would have violated Federal securities laws even in the absence of the incident. The SEC is seeking unspecified monetary damages as well as a lifetime bar on the CISO acting as an officer or director of any public company.
The Complaint includes three categories of alleged violations:
False statements and omissions. According to the Complaint (para. 45), SolarWinds’ web-facing Security Statement contained “false statements and omissions [that] fall into four general categories: (1) compliance with the NIST Framework for evaluating cybersecurity practices; (2) using a secure development lifecycle when creating software for customers; (3) having strong password protection; and (4) maintaining good access controls.” The Complaint also alleges that the company’s SEC filings “did nothing to alert investors to the elevated risks that existed at SolarWinds” (paras. 132, 175), and that once SolarWinds learned of the cyber attack, it did not fully disclose its known impact (paras. 185-193).
Internal controls failures. The Complaint alleges that SolarWinds lacked reasonable safeguards against unauthorized access to its most critical assets.
Disclosure controls failures. Finally, the Complaint alleges that SolarWinds had deficient disclosure controls to ensure that information regarding potentially material cybersecurity risks, incidents and vulnerabilities was reported to executives with responsibility for disclosures.
Why It’s Important
This enforcement action is important for multiple reasons:
First, unlike many other major cyber incidents, the SolarWinds compromise has been attributed to the Russian Foreign Intelligence Service (SVR). The implication is that a company’s compromise by an advanced state adversary will not be a defense against enforcement action if the method of attack involved exploiting perceived hygiene gaps.
Second, not only was the Company charged, but its CISO was also personally included in the Complaint. While executives have previously been charged as a result of regulatory inquiries into cybersecurity incidents, these earlier charges related to insider trading, as in the charges filed against an Equifax business unit CIO in the aftermath of that company’s 2017 data breach (which was also attributed by the U.S. Government to a foreign state actor, in that case China).
Third, this action comes against the backdrop of increased cyber disclosure requirements adopted by the SEC in July 2023. The final rule includes new expectations around the timing and content of material cyber incident disclosures, as well as periodic reporting (i.e., in 10-Ks) on processes for identifying and managing material cyber risks, the Board of Directors’ oversight role, and management’s role. Put another way, enforcement inquiries can now not only investigate the appropriateness of incident and risk disclosures, but the SEC will also be able to pursue actions for alleged deficiencies in disclosures of processes to address cyber risk. That said, the Commission’s final rule excluded a number of even more detailed requirements that were originally proposed in an earlier notice of proposed rulemaking. These exclusions were based on an acknowledgement by the Commission that more detailed disclosures could have the effect of “empowering threat actors” (Final Rule p. 28), “could be weaponized by threat actors” (Final Rule p. 61), or “provide a roadmap for threat actors” to compromise a filer (Final Rule p. 112).
Fourth, the SEC is also, through its internal control failure allegation, highlighting that the “assets” requiring authorization and access controls under the Exchange Act extend beyond accounting and payment-related systems to a broader class of “crown jewels” (Complaint paras. 194-197).
Fifth, the Complaint indicates multiple deficiencies in internal reporting and escalation processes. Pre-incident, SolarWinds allegedly lacked controls to ensure that information about potentially material cybersecurity issues was reported to executives with disclosure responsibilities. The Complaint also expressly cites deficiencies in the company’s Incident Response Plan, which the CISO helped implement and maintain, because “only incidents that impacted multiple customers were reported upward to management responsible for disclosure.” The SEC goes on to allege that, as a result, “multiple cybersecurity issues that had the potential to materially impact SolarWinds, but which SolarWinds determined at the time did not yet impact multiple customers, went unreported” (Complaint paras. 201-202).
Finally, portions of the Complaint will likely lead to confusion and other unintended consequences.
- Confusion over “Omissions” and Disclosure Expectations. The Complaint repeatedly alleges that SolarWinds and its CISO made “misstatements and omissions” that concealed cybersecurity deficiencies which investors would have considered material. Putting aside whether SolarWinds’ alleged misstatements were materially misleading, holding a company and its CISO to account for “omissions” that fail to disclose vulnerabilities seemingly runs at cross-purposes with imperatives not to provide roadmaps to threat actors, as acknowledged by the Commission in its Final Rule.
- Confusion over NIST Guidance. The Complaint conflates the NIST Framework for Improving Critical Infrastructure Cybersecurity, a voluntary framework intended to provide a “flexible, risk-based approach to help organizations … to inform and prioritize cybersecurity decisions” and NIST Special Publication (SP) 800-53, which is “an extensive catalog of security controls that also defined a baseline set of controls for federal information systems based on their security categorization: low, moderate, or high” (while NIST SP 800-53 was designed for use by Federal agencies, numerous private sector organizations have used it as an authoritative reference for their own cybersecurity programs). According to NIST, the Framework provides a series of outcomes to address cybersecurity risks; it does not specify the actions to take to meet the outcomes. NIST SP 800-53 specifies those actions in the form of “controls.” This distinction is important because an organization can conform its program to the NIST Cybersecurity Framework in good faith notwithstanding that it may be at a low level of maturity. The Complaint cites public SolarWinds statements that the company followed the NIST Cybersecurity Framework, and then points to the fact the Company only met a small number of NIST SP 800-53 controls as evidence of fraud. The problem with the SEC’s allegation is that both statements can be true.
- Perverse Incentives. Confusion about the above two points, if left unaddressed, could lead to perverse incentives for cybersecurity executives in public companies, including (1) an unwillingness to adopt an identified risk mitigation framework without the ability to comply fully at inception, (2) a reticence to share information (for fear of after-the-fact accusations of misstatements or omissions) and (3) job flight. At a time of worldwide shortage of cyber talent, this dynamic has the potential to distract defenders, disincentivize cyber framework adoption and weaken the nation’s cybersecurity.
Despite its defects, the Complaint alleges multiple deficiencies at SolarWinds that are serious if true. Company officials allegedly admitted misstatements about the maturity of its secure development lifecycle (SDL) (Complaint para. 62), that the SDL was not enforced for its crown jewel Orion product (Complaint para. 66), and that zero “Identification and Authentication” controls were rated as in place (Complaint para. 82). Moreover, the Company is alleged to have repeatedly ignored a VPN “vulnerability” that was first reported in June 2018 (Complaint para. 102) – and again, multiple times in August 2018, and continuing into January 2020 (Complaint paras. 104-109) – and to have failed to implement compensating controls (Complaint paras. 103, 110). According to the SEC, Russian threat actors allegedly exploited this vulnerability and established a foothold that ultimately enabled them to insert malware into SolarWinds’ Orion product (Complaint para. 139). The corrupted update was downloaded by as many as 18,000 SolarWinds customers, spanning U.S. government agencies, critical infrastructure entities, and private sector organizations. Although arguably not directly related to the alleged public disclosure deficiencies, the Complaint also alleges that, when contacted in October 2020 by a cybersecurity firm reporting Orion-related irregularities, SolarWinds personnel falsely denied having seen such irregularities before (Complaint para. 162).
What Should Companies Do About It
As Michael Chertoff noted in Harvard Business Review (HBR) in April 2023, because of the increasing complexity of most companies’ technology environments, it is “becoming practically impossible to ensure that everything is properly patched.” This is true for government agencies and private companies alike – the SEC’s own crown-jewel EDGAR system was itself breached in 2016. The following approaches can help ensure compliance with SEC requirements and build strong cybersecurity performance:
Implement processes to review any public statements about cybersecurity. If not already in place, companies should implement processes to validate the accuracy of any public-facing statements about cybersecurity.
- Scope. The Complaint extends beyond SEC filings and also references SolarWinds’ “Security Statement” posted on its public website (e.g., Complaint para. 39), interviews with the CISO (e.g., Complaint para. 71) and blogs (e.g., Complaint para. 72). Processes should cover all public statements that could be viewed by investors, in addition to SEC filings.
- Proactive and retroactive. These processes should apply to any pending or future public statements, and conducting a retroactive review is also advisable.
- Factors of special concern. The Complaint referenced the fact that the nature of SolarWinds’ software product made cybersecurity performance of special concern: “Cybersecurity practices are important to every publicly traded company. But they are especially important for a company like SolarWinds whose primary product is not only software, but software that other organizations install to manage their own computer networks” (Complaint para. 54). After the SolarWinds incident, the Biden Administration released a Cybersecurity Executive Order – explained further here – directing NIST to define “critical software” and requiring enhanced cybersecurity controls for any such software used by Federal agencies. Producers of “critical software,” as defined by NIST, and other companies for whom cybersecurity is a differentiator, should be mindful of any public statements on cybersecurity performance.
- New disclosure requirements. As described above, the SEC Final Cybersecurity Disclosure Rule adopted in July 2023 imposes additional disclosure requirements around cybersecurity practices. Companies should validate for effective implementation any practices cited in future 10-K disclosures.
Review cybersecurity reporting processes. The Complaint alleges multiple disclosure control failures, and companies should thus review and exercise internal processes to ensure that:
- Potentially material risks and risk issues are escalated to executives with SEC reporting responsibilities.
- Incident response and crisis management plans (a) reflect a comprehensive view of incidents potentially requiring disclosure and (b) include appropriate escalation mechanisms.
Validate control coverage on high-value assets. The terms “crown jewel” and “critical asset” together appear more than 20 times in the Complaint, and an impact to “crown jewels” is also referenced in the SEC Final Rule (p. 38) as a factor in determining incident materiality. As noted above, in interpreting Exchange Act internal controls requirements, the SEC also repeatedly refers to “critical assets” and “crown jewels.” As the April HBR article notes, measuring security performance on high value assets is particularly important.
Implement a risk-based cybersecurity program. More broadly, companies can ensure robust internal controls by measuring cybersecurity performance with transparency, accuracy, and precision, including how they perform against likely threats and whether they do so consistently across the attack surface. The most authoritative, transparent knowledge base of threat behavior available today is the MITRE Corporation’s ATT&CK framework. How can this help? The Complaint devotes significant attention to a vulnerability in SolarWinds’ VPN system that was exploited by Russian state actors for initial access (see, e.g., Complaint para. 139). Password policy and access control system deficiencies also figure prominently in the Complaint. ATT&CK tells us that there are nine ways threat actors can get inside a target organization — including but not limited to the techniques cited by the SEC. Companies can use ATT&CK to consider all nine of these potential access points and also to help prioritize internal defenses in case a threat actor achieves initial access. This companion May 2023 HBR article explains how companies build strong risk-based programs by focusing on initial access, defense-in-depth, resiliency, testing and automation.
If a company develops software, it should follow secure software development practices and validate related representations. SolarWinds is a software producer, and the Complaint focused significant attention on alleged misrepresentations and omissions regarding SolarWinds’ use of a secure software development lifecycle. The above-referenced Executive Order also directed NIST to finalize a Secure Software Development Framework, and OMB has since required Federal agencies to obtain attestations of conformance with this framework from all Federal software vendors (other industries are considering adopting the Federal approach as a “north star” for vendor software security risk management). Requirements are explained further here. Software producers should validate that any representations made in such attestations are supported by strong evidence and, ideally, are independently validated.
Work through government affairs offices and industry associations to ask the SEC and the Biden Administration to address the potential confusion created by the SEC’s enforcement action by:
- Clarifying expectations on disclosures regarding cybersecurity vulnerabilities, consistent with the Commission’s final rule statements around not providing a roadmap for threat actors.
- Clarifying the nature of the alleged NIST misstatement, either by citing specific misrepresentations of SolarWinds’ conformance with 800-53 low/moderate/high impact control families or by explaining the connection between the two NIST publications with greater precision.
- Considering a “safe harbor” policy – i.e., that independently validated implementation of particularly impactful cybersecurity controls along with periodic testing or control assurance will shield CISOs from personal liability.
The Chertoff Group is a global leader in security. Our team of recognized experts helps organizations to manage cyber, physical, regulatory and geopolitical risks. Through our business development practice, we enable our clients to gain competitive advantage and accelerate growth. Chertoff Capital, the Firm’s investment banking subsidiary, provides M&A advice to companies in the defense technology, government services and cybersecurity markets. Contact us at email@example.com.