Judge deals major blow to SEC’s cybersecurity enforcement stance
A recent ruling in the Securities Exchange Commission’s lawsuit against Austin, Texas-based software provider SolarWinds has dealt a significant blow to the agency’s aggressive cybersecurity enforcement posture, legal analysts said.
Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York last week dismissed much of the case, including the SEC’s claim that a cybersecurity failure can be punished as an “internal accounting controls” violation under Section 13(b)(2)(B) of the Securities Exchange Act.
“The decision substantially limits the SEC’s authority to challenge a company’s cybersecurity program,” Mark Schonfeld, a litigation partner at law firm Gibson, Dunn & Crutcher, said in an email. However, the ruling still permits the agency to proceed with an allegation that a company’s statements about its cybersecurity program are materially misleading, he added.
The litigation highlights a trend of aggressive cybersecurity actions by the SEC and other federal agencies since President Joe Biden took office. But the outlook is uncertain in the wake of recent court decisions.
In the SolarWinds case, “the court threw out all of the SEC’s most aggressive claims,” Walker Newell, vice president of management liability at insurance brokerage firm Woodruff Sawyer, said in an email. “This judge easily — and persuasively — decided that cybersecurity controls are not internal accounting controls.”
Whether the SEC intends to appeal the decision is unclear. An agency spokesperson declined to comment.
Meanwhile, the U.S. Supreme Court last month struck down its so-called Chevron test that gave deference to government agencies interpreting an ambiguous statute. That ruling is expected to have far-reaching effects across the federal government, including for agencies like the SEC that have claimed broad jurisdiction over cybersecurity-related matters without explicit authority from Congress, as previously reported by CFO Dive.
The SEC’s current cybersecurity enforcement agenda could also be upended by the upcoming presidential election in November, which could result in the appointment of new leadership at the agency.
“We won’t really know what the future of the SEC’s cyber enforcement program holds until next year,” Newell said.
SolarWinds sued over breach response
The commission sued SolarWinds and its chief information security officer, Timothy Brown, last October for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to a major breach discovered in December 2020. SolarWinds was also accused of having cybersecurity deficiencies that amounted to a failure to “devise and maintain a system of internal accounting controls” under Section 13(b)(2)(B).
The U.S. Chamber of Commerce and the Business Roundtable subsequently backed a motion by SolarWinds and Brown to dismiss the SEC’s case.
“The decision is obviously favorable to the defendants in many important respects, and CFOs especially will mark well the court’s finding that the SEC’s internal controls over financial reporting charge does not apply to cybersecurity controls as a matter of statutory construction,” Danette Edwards, a partner at Katten Muchin Rosenman and co-chair of the law firm’s Securities Enforcement Defense practice, said in an email.
Section 13(b)(2)(B) requires public companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that … access to assets is permitted only in accordance with management’s general or specific authorization,” according to the text of the statute.
Legal tool’s application expands
The SEC in recent years has expanded its interpretation and use of the provision in ways that have prompted concerns.
The SolarWinds lawsuit is one of two cases in which the SEC has used Section 13(b)(2)(B) to address a cybersecurity breach. In the second example, the agency announced last month that R.R. Donnelley & Sons Co., a global provider of business communication and marketing services, agreed to pay about $2.1 million to settle commission charges that it violated Section 13(b)(2)(B) in connection with the company’s response to a 2021 ransomware attack.
In his court ruling, Engelmayer sided with SolarWinds on the Section 13(b)(2)(B) issue, holding that cybersecurity controls are outside the scope of the provision.
“The ruling has significant implications beyond cybersecurity, because the SEC has increasingly charged companies in recent years under this statute based on alleged deficiencies in legal, compliance or risk-management controls unrelated to corporate accounting,” Nicole Friedlander, a partner at Sullivan & Cromwell’s Criminal Defense and Investigations Group and co-head of its cybersecurity practice, said in an email.
Based on the SEC’s reading of the statute, the agency would be able to punish any company that is the victim of a cybercrime, according to Friedlander, whose firm submitted an amicus brief in the case on behalf of the U.S. Chamber of Commerce and the Business Roundtable.
More broadly, the SEC’s rationale that the statute may be interpreted to cover all systems public companies use to safeguard their valuable assets “would have sweeping ramifications,” the judge said in his decision. “It could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers,” he said.
The opinion “will hopefully help to curb the SEC’s aggressive application of its liability regime against victim companies (and their agents) in cybersecurity cases,” Scott Kimpel, a partner at law firm Hunton Andrews Kurth, said in an email. “In particular, the judge’s rejection of the SEC’s novel internal-controls theory may make it more difficult for the agency to bring similar claims in the future.”
The judge also rejected the SEC’s theory that certain “risk factors” stated by SolarWinds in a securities filing as well as post-breach disclosures were misleading.
“This should give comfort to public company legal and finance departments,” Newell said. “It will remain difficult for the government or private plaintiffs to allege securities fraud based on good faith cybersecurity-related statements in SEC filings.”
Limited victories for SEC
However, the ruling was not a total defeat for the SEC. The judge allowed the agency to proceed with securities fraud claims related to a cybersecurity statement that was posted on SolarWinds’ website.
“Despite the company’s argument that these statements were directed at customers — not investors — the court found that allegedly false statements on public websites can serve as the basis for securities claims,” Cara Peterman, a partner in Alston & Bird’s Securities Litigation Group, said via email. “The key takeaway from this portion of the ruling is that public companies and their officers and directors should be cognizant of the fact that any public statement regarding the company’s cyber controls may be scrutinized in later SEC enforcement actions and/or shareholder litigation.”
The decision highlights the need for public companies to treat all public statements about cybersecurity — including in the context of blogs, interviews, and conferences — “with care and caution,” according to Newell.
“Finance, legal, and communications teams should already be working hand-in-hand with cybersecurity leaders on any meaningful public statements in this area,” he said.
In another victory for the SEC, SolarWinds’ CISO remains a named defendant with respect to the surviving allegations. While the claims against him and the company were significantly narrowed, the ruling generally leaves the door open for CISOs, CFOs, and other public company executives to be held personally liable in SEC cybersecurity enforcement actions, according to analysts.
“Not only are the defendants still facing the most serious fraud charges here, the court’s ruling on disclosure controls, in contrast to internal controls, is very fact-specific,” Edwards said. “It does not foreclose the use of disclosure controls claims in other cybersecurity cases going forward.”
The case does not impact the SEC’s ability to enforce new cybersecurity rules that it adopted last year, analysts said. The rules, promulgated under federal securities laws, require public companies to report a “material” cybersecurity incident to the SEC in an Item 1.05 Form 8-K within four days of determining the breach is material, among other requirements.
“The new rules don’t speak to accounting controls; they speak to disclosures only,” Peterman said. “And the SolarWinds case was not brought under the new rules.”
Still, the court decision does have indirect implications for any enforcement of the rules in the future, according to Newell. “It does show the SEC that it needs to tread carefully when it comes to aggressive cybersecurity cases,” he said.