On October 22, 2024, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) issued a series of orders imposing almost $7 million in disclosure fines against four global digital service providers impacted by the 2020 SolarWinds compromise. The SEC accused each defendant of negligently making misleading cybersecurity statements to investors in light of the incident. None of the defendants admitted or denied the SEC’s allegations.
The orders state that, between October 2020 and January 2021, the companies discovered they had been impacted to varying degrees by the SolarWinds breach, in which a likely nation-state actor inserted malicious code into SolarWinds' Orion software that could have enabled unauthorized access to affected systems and the networks behind them.
In subsequent disclosures, two of the defendants referenced the incident in statements to investors, but, according to the SEC, downplayed the compromise or omitted material information known at the time, such as the scope of systems affected and data or customers impacted, likely nation-state attribution, and compromise duration.
The SEC claimed the remaining two defendants' public filings made after the incident included cybersecurity risk factor disclosures substantially unchanged from the same disclosures made before the breach was discovered. The Commission alleged these filings described intrusions only in generic, hypothetical terms that could apply to any similarly situated company, and omitted new and material cybersecurity risks tailored to the company's particular circumstances, such as the SolarWinds compromise.
Three of the defendants settled with the SEC for around $1 million each, and the fourth, which the SEC also charged with having inadequate controls and procedures for disclosing cyber incidents, settled for $4 million. In reaching the settlements, the SEC considered each entity's internal breach investigation, the steps it took to enhance its cybersecurity controls, and its cooperation with the Commission's investigation.
Notably, the SEC's actions were against IT and software companies that the Commission regarded as having cybersecurity reputations important to customers and, consequently, to investors. In each order, the SEC highlighted that, as a provider of digital services, the company's ability to protect information and data stored on and transmitted over its systems was critically important to its reputation, its ability to attract customers, and its investors.
Our Take
Businesses, especially those offering digital goods and services and reliant on their cybersecurity reputations, should note the Commission's recent actions and evaluate their disclosure practices against regulatory requirements and expectations. Remember that a statement to investors that is accurate when made can become inaccurate over time, especially as new facts emerge, and disclosures should be updated accordingly. Moving forward, the SEC may be alert to the following:
- characterizing a known impact as hypothetical, particularly when exfiltration has been observed;
- emphasizing the lack of impact to internal environments when a breach occurs at a third party, rather than addressing the impact to customers;
- failing to disclose an incident's full scope, especially when the impact is significant;
- failing to update risk disclosures in light of a network intrusion; and
- failing to maintain policies requiring employees to report security incidents to decision-makers.