Export Compliance Daily is a Warren News publication.
'Hindsight-Driven Allegation'

SolarWinds: SEC’s Amended Complaint Is a 'Case In Search of a Theory'

SolarWinds responded in December 2020 “just as a public company should” when it learned it had suffered an “extraordinarily sophisticated cyberattack” by the Russian government, said the company’s memorandum of law Friday (docket 1:23-cv-09518) in U.S. District Court for Southern New York in Manhattan in support of its motion to dismiss the SEC’s amended securities fraud complaint.

SolarWinds responded to the cyberattack “by promptly and transparently disclosing the incident,” said the memorandum. Yet more than three years later, the SEC “seeks to invent a basis for an enforcement action where there is none,” bringing securities fraud and controls charges against the company and Tim Brown, its current chief information security officer, it said.

The charges “are as unfounded as they are unprecedented,” said the memorandum. The SEC is trying to expand cybersecurity disclosure obligations “well beyond what the law requires,” and, with the controls charges, “claim a mandate for substantively regulating cybersecurity that the agency does not have,” it said. The case is “fundamentally flawed” and should be dismissed in its entirety, it said.

The SEC’s “long and rambling” amended complaint is “a case in search of a theory,” said the memorandum. The agency “has thrown everything it can think of against the wall, but nothing sticks,” it said. The SEC tries to allege fraud based on SolarWinds’ statements to investors, including its risk disclosures before the attack and the 8-K filed once the attack was discovered, it said.

But the SEC can’t “plausibly claim” that either statement was misleading, said the memorandum. The risk disclosures specifically warned that SolarWinds’ systems were vulnerable to sophisticated nation-state actors -- “the very risk that materialized,” it said.

The complaint contends the disclosures should have included detailed information about the company’s vulnerabilities, but that isn’t the law, and “for good reason,” said the memorandum. Publishing such details “would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers,” it said.

SolarWinds’ 8-K, published after the attack was discovered, “disclosed the key facts about the attack and the material risks it presented,” said the memorandum. The 8-K included mention that as many as 18,000 customers were “at risk of compromise,” it said. In light of those “candid disclosures,” the SEC’s contention that the company hid the seriousness of the attack is “baseless,” it said.

CISO Brown’s alleged scheme of hiding SolarWinds’ cybersecurity weaknesses from investors “is implausible on its face and is unsupported by any well-pled facts” suggesting that Brown “ever acted with any intent to deceive or conscious disregard for the truth,” said the memorandum. Despite collecting “countless” documents, the SEC can’t point to a single one “discussing the purported years-long scheme,” it said.

Despite taking the testimony of numerous witnesses, the SEC also can’t point to a single one who ever accused Brown, or anyone at the company, of such misconduct, said the memorandum. The complaint instead simply alleges SolarWinds had various security deficiencies, and then speculates that Brown “perpetrated some sort of cover-up,” it said. That’s hardly enough “to satisfy its pleading burden,” it said.

Beyond its fraud claims, the SEC’s disclosure controls and internal accounting controls charges also don’t “pass muster,” said the memorandum. Even with a second bite at the apple, the SEC “fails to identify any disclosure controls that were unreasonably designed,” it said.

The SEC instead “merely criticizes the application of those controls,” by alleging that SolarWinds and Brown should have recognized the attack on the company earlier than they did, said the memorandum. But that’s a “hindsight-driven allegation” that couldn’t “ground a disclosure controls violation even if it were adequately supported, which it is not,” it said.

The SEC’s theory of internal accounting controls violations “amounts to a wholesale rewriting of the law,” said the memorandum. The agency is trying to “twist” the concept of accounting controls “into a sweeping mandate for it to regulate public companies’ cybersecurity controls,” it said. But that’s a role for which the SEC “lacks congressional authorization or substantive expertise,” it said.

“The case against SolarWinds and Brown should be dismissed,” said the memorandum: “Given that the SEC has already had a chance to amend, and used it liberally, dismissal should be with prejudice.”