Cybersecurity Professionals Call SEC’s SolarWinds Case Flawed

Cooley reports that a coalition of cybersecurity leaders and organizations are calling for dismissal of the SEC’s amended securities violations complaint against SolarWinds and its Chief Information Security Officer, Tim Brown. The original SolarWinds case, filed in October 2023, marked the first time that a CISO faced indictment for alleged misrepresentations in a company’s SEC filings.

In February 2024 the SEC withdrew its original allegations and filed an amended complaint, in response to some of the arguments made in amicus briefs. The defendants filed a renewed motion to dismiss on March 22. Their motion calls the SEC’s amended allegations “an attempt to find some theory to hold its case together” that is contradicted by the same documents the amended complaint relies on.

The latest amicus filings, including one signed by more than 50 heads of cybersecurity, outline several areas of dispute. 

Some examples: 

• They take exception to comments from investors stating that SolarWinds’s representations about cybersecurity were material in their investment decisions
• The complaint incorporates statements made by SolarWinds outside the company’s SEC filings
• It references internal communications concerning cybersecurity risks that are at odds with statements to customers and the public, which the amici curiae argue could chill both “candid internal deliberations” and “voluntary disclosure by companies or CISOs, who may become more cautious when considering how their communications … might increase future liability.” 

According to one brief, “cybersecurity professionals should not have to consult lawyers before sending an email.”

Cooley cautions companies and cybersecurity professionals to be cautious about statements they make concerning cybersecurity. They should consider how their internal and external communications may be interpreted by the SEC, customers, investors, and the public.