SEC’s SolarWinds Case Could ‘Chill’ Cybersecurity Reporting Practices: Trade Group
‘This case is not only novel, but also threatens to undermine cybersecurity by making it more difficult for companies to respond to increasingly sophisticated and highly-resourced cyber-threats,’ the Software Alliance wrote in an amicus filing with the U.S. District Court Southern District of New York Friday.
A software trade group says a case pursued by the U.S. Securities and Exchange Commission against SolarWinds should be dismissed because it could “chill an important source of public information about cybersecurity, to the detriment of the global information technology ecosystem.”
In an amicus brief filed Friday with the U.S. District Court Southern District of New York, the Software Alliance, a group also known as BSA that advocates for tech companies globally, outlined the reasons to toss the SEC’s pursuit of charges against SolarWinds and its chief information security officer after a major cyberattack in 2019.
That incident became one of the most significant cyberattacks in history, resulting in nearly 18,000 of its customers receiving a compromised software update, including the U.S. government. However, the company now says fewer than 100 customers were actually hacked through the attack known as Sunburst.
The SEC last October had charged SolarWinds with fraud and internal control failures after the observability and IT management platform developer allegedly concealed poor security practices and increased cybersecurity risks that led to the SolarWinds Orion cyberattack.
“Three years later, the U.S. SEC now accuses SolarWinds—the victim of that nation-state attack—and its CISO of securities fraud. The SEC acknowledges that SolarWinds warned investors that it was vulnerable to cyber-threats and, within two days of learning about the intrusion, filed a Form 8-K in which it publicly disclosed that it had been the victim of a potentially massive cyberattack. Nonetheless, the SEC accuses SolarWinds of defrauding investors by not publicly disclosing details about its cybersecurity vulnerabilities or exactly how many customers were infiltrated through the Sunburst attack,” according to the filing from The Software Alliance.
“This case is unprecedented,” the filing continued. “Never before has the SEC sued the victim of a nation-state cyberattack; sued a company for securities fraud based on the company’s cybersecurity disclosures; or sought to hold an individual personally liable for those disclosures. This case is not only novel, but also threatens to undermine cybersecurity by making it more difficult for companies to respond to increasingly sophisticated and highly-resourced cyber-threats.”
The Software Alliance also said that “if public companies must now fear the SEC will comb through their communications for evidence purporting to show that some of their employees were aware of undisclosed vulnerabilities, as the SEC has sought to do in this case, candid internal deliberations will be chilled and communications with law enforcement and national security authorities, other companies, and the public will be stifled, even though those communications are essential to effective cyberdefense.”
The SEC contends in its case against SolarWinds that the company “made an incomplete disclosure about the Sunburst attack in a December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.”
The agency alleges that SolarWinds and its CISO, Timothy Brown, ignored repeated red flags about SolarWinds’ cyber risks, claiming that SolarWinds during its October 2018 IPO provided only generic and hypothetical cybersecurity risk disclosures, even as Brown in an internal presentation said the company was in a “vulnerable state” for critical assets because of the current state of security.
Last week, SolarWinds asked the court to dismiss the case entirely, claiming that the SEC’s charges were an attempt to “revictimize the victim.”
An SEC spokesperson declined to comment “beyond the public filings or our recent statement on this matter.”
In response to an inquiry from CRN, Serrin Turner, an attorney at Latham & Watkins who is representing SolarWinds, said in a statement that “we are grateful for the thoughtful amicus briefs filed by a wide range of stakeholders, which highlight that the SEC’s positions in this case are not only unsupported by the law but raise serious security concerns for companies, CISOs, and the public at large. We remain confident that SolarWinds’ disclosures at all times were appropriate, and the SEC’s assertions otherwise are fundamentally flawed.”