SEC Urges Denial of SolarWinds’ Motion to Dismiss Amended Fraud Complaint
Public companies and their officers can’t make public statements “claiming to follow practices that are important to investors while knowing that they pervasively fail to do so.” That is the “essence” of the SEC’s securities fraud case against SolarWinds, according to the SEC’s opposition Friday (docket 1:23-cv-09518) in U.S. District Court for Southern New York in Manhattan to SolarWinds’ March 22 motion to dismiss the SEC’s Feb. 16 amended complaint (see 2403250039).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The SEC is seeking to hold SolarWinds and chief information security officer Timothy Brown accountable for not properly disclosing the Russian government’s massive December 2020 Sunburst cyberattack on the company and the security vulnerabilities that led to it.
SolarWinds and Brown claimed in “multiple public forums” that it employed cybersecurity practices such as granting access to computer systems on a “least privilege necessary basis,” said the SEC’s opposition. However, internally they admitted SolarWinds did not follow the “least privilege necessary” practice because of “widespread access control problems,” it said.
The most “egregious” examples of “affirmative false statements” were in the security statement publicly posted on SolarWinds’ website. The numerous, material, false representations in the security statement “could alone support the SEC’s fraud claims,” but there’s “much more,” it said.
Despite professing to accept the SEC’s amended complaint’s factual allegations as true, SolarWinds and Brown “mainly seek to dismiss this case by disputing the factual allegations or re-casting the allegations” in the light most favorable to them, said the SEC’s opposition. But the court shouldn’t “indulge” their attempts “to argue facts and inferences on a motion to dismiss,” it said.
As described in the amended complaint, from at least October 2018 through at least Jan. 12, 2021, SolarWinds and Brown “recognized and documented” the company’s “long-standing, pervasive, and material cybersecurity deficiencies,” the SEC’s opposition said. Nevertheless, they made public statements “that directly contradicted the internal assessments and omitted the risks those deficiencies posed,” it said. Through those statements, and an “overall scheme” to portray SolarWinds as having a stronger cybersecurity posture than it did, SolarWinds and Brown “misled the investing public.”
The true state of SolarWinds’ cybersecurity practices, controls and risks “ultimately came to light only following a massive cyberattack -- which exploited some of the very cybersecurity deficiencies that Brown had been warned about -- and which impacted thousands of SolarWinds’ customers,” said the opposition. The Sunburst attack compromised SolarWinds’ flagship product, the Orion software platform, it said.
Contrary to the defendants’ claims, the SEC isn’t “re-victimizing” SolarWinds, said the opposition. Instead, the Sunburst attack “is just one part of a broader case involving fraud, control, and disclosure violations” that began with SolarWinds’ October 2018 initial public offering, well before the Sunburst attack, it said.
The amended complaint contains detailed allegations about SolarWinds and Brown’s “materially misleading statements, omissions, and actions,” said the SEC’s opposition. That conduct violated the antifraud and reporting provisions of the Securities Act and the Securities Exchange, it said. The same poor cybersecurity practices that SolarWinds and Brown “schemed to conceal” also constituted violations of the Exchange Act’s internal controls provisions, it said.
Though the defendants claim that those provisions involve only controls relating to financial statements, “case law and longstanding interpretive guidance make clear it relates to controls designed to ensure management is protecting a company’s assets,” said the opposition. SolarWinds also failed to maintain effective processes for elevating information, including information about cyberattacks, to its disclosure committee, in violation of Exchange Act Rule 13a-15(a), it said.
Through his actions and misstatements, Brown “not only committed securities fraud, but also aided and abetted SolarWinds in violating all these provisions,” said the opposition. The court should deny the defendants’ motion to dismiss, it said.