On July 18, the Securities and Exchange Commission’s efforts to use the internal accounting control requirement in the Securities Exchange Act of 1934 as a lever to regulate public company cybersecurity practices suffered a setback. In SEC v. SolarWinds Corp., a federal district court judge held that the provision in Section 13(b)(2)(B) of the Exchange Act requiring companies to devise and maintain "a system of internal accounting controls sufficient to provide reasonable assurances that * access to assets is permitted only in accordance with management's general or specific authorization" does not apply to cybersecurity controls. This decision is contrary to the position that the SEC took in its recent settlement with R.R. Donnelley & Sons. See Shoot the Wounded! SEC Charges that Inadequate Cybersecurity is an Internal Accounting Control Violation, July 2024 Update.
In 2023, the SEC brought an enforcement action against SolarWinds Corp. and its Chief Information Security Officer. SolarWinds markets Orion, an IT monitoring and management software platform. The case arises from a cyberattack, known as SUNBURST, in which Russian hackers surreptitiously inserted a vulnerability into Orion thereby making the IT systems of SolarWinds’ customers susceptible to exploitation by the hackers. The SEC’s case against SolarWinds includes four claims:
Prior to the SUNBURST attack, SolarWinds misled investors by overstating its cybersecurity practices and downplaying risks associated with Orion. This claim is based primarily on the content of a Security Statement, directed at customers, posted on the company’s website.
Following the SUNBURST attack, SolarWinds misled investors by minimizing the scope and impact of the breach, including by omitting to disclose that customers had previously reported malicious activity involving Orion.
Solar Winds violated the Exchange Act requirement to devise and maintain a system of internal accounting controls. This claim is based on the contention that the company's source code, databases, and products were its most vital assets, but that, because of poor access controls, weak internal password policies, and VPN security gaps, SolarWinds failed to limit access to those assets "only in accordance with management's general or specific authorization" as required by Section 13(b)(2).
SolarWinds violated Exchange Act Rule 13a-15(a) which requires companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed in SEC filings is “recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms.” The SEC contends that senior management failed to evaluate the need to disclose two cyber incidents because the seriousness of those incidents was misclassified under the company’s disclosure procedures.
The court dismissed all the Commission’s claims except those related to the Security Statement. Concerning the internal accounting controls claim, the court stated:
“[T]he statutory requirement that a public issuer ‘devise and maintain a system of internal accounting controls’ is properly read to require that issuer to accurately report, record, and reconcile financial transactions and events. A cybersecurity control does not naturally fit within this term, as a failure to detect a cybersecurity deficiency (e.g., poorly chosen passwords) cannot reasonably be termed an accounting problem. Cybersecurity controls are undeniably vitally important, and their failures can have systemically damaging consequences. But these controls cannot fairly be said to be in place to ‘prevent and detect errors and irregularities that arise in the accounting systems of the company.’”
* * *
“[T]he the internal accounting controls identified in Section 13(b )(2)(B) thus are intended to provide extra assurance of the accuracy and completeness of the financial information on which the issuer's annual and quarterly reports rely. To state the obvious, cybersecurity controls are not--and could not have been expected to be--part of the apparatus necessary to the production of accurate such reports.” [emphasis added, citation omitted]
With respect to the disclosure controls claim, the Court held that the SEC’s complaint recognized that SolarWinds had a system of controls in place to facilitate the disclosure of potentially material cybersecurity risks and incidents. The fact that the system misclassified two cybersecurity incidents and therefore failed to trigger management consideration of the need to disclose them did not render the system insufficient. “[E]rrors happen without systemic deficiencies. Without more, the existence of two misclassified incidents is an inadequate basis on which to plead deficient disclosure controls.”
Audit Committee Takeaways
The SolarWinds decision should put the brakes on the SEC’s efforts to use the internal accounting control provisions of the Exchange Act to regulate cybersecurity (and other) corporate administrative and managerial practices that are not directly related to financial reporting. The Commission could either appeal the decision or continue to press its broad reading the internal accounting control provisions in other courts and in its in-house administrative proceedings. However, the reasoning of the opinion seems compelling and is likely to be persuasive to other judges.
Nonetheless, from an audit committee perspective, the SEC’s loss in SolarWinds may not have much practical impact. With or without internal accounting controls as one of its theories, the Commission is likely to remain aggressive in pursuing cybersecurity disclosure cases, especially where, after a breach has occurred, pre-breach disclosures appear in hindsight to have been overly optimistic about the company’s cybersecurity posture.
Audit committees might want to take this decision as a reminder that –
Disclosure concerning cybersecurity and cyber breaches is a top SEC enforcement priority.
The Commission is increasingly willing to use the disclosure controls requirement in Rule 13a-15 to bring enforcement actions and is likely to make liberal use of the rule in cases involving cybersecurity disclosure issues. While the two misclassifications in this case did not indicate a lack of controls and procedures, more pervasive failures to consider cyber incidents (or other events) for disclosure may result in SEC charges under Rule 13a-15. See The SEC is Zeroing in on Disclosure Controls, April 2023 Update.
The Commission will likely be aggressive in enforcing its new cybersecurity disclosure rules with respect to future cybersecurity incidents. See SEC Adopts Cybersecurity Disclosure Rules, August-September 2023 Update. The SolarWinds case arose prior to the adoption of those rules.
The SEC may scrutinize statements about cybersecurity practices that are outside of SEC filings and that aimed at audiences other than investors. Any company public statement that the SEC deems to be materially false or misleading can be the basis for SEC enforcement, regardless of where the company makes the statement or who it intends to influence. (The Security Statement in SolarWinds appeared on the company’s website and targeted customers, not investors.)
For these reasons, oversight of cybersecurity disclosures should be an audit committee priority.
Comments