SolarWinds Blasts SEC’s Fraud Allegations as ‘Skewed by Hindsight Bias’
In December 2020, when SolarWinds learned it was the victim of the Russian government’s “extraordinarily sophisticated” Sunburst attack, the company “promptly and transparently” informed investors, said SolarWinds’ portion of a joint case management letter that it and the SEC sent Monday (docket 1:23-cv-09518) to U.S. District Judge Paul Engelmayer for Southern New York in Manhattan.
Engelmayer will convene an initial pretrial conference in the case Thursday (see 2312070035). Monday’s letter in advance of the conference was SolarWinds’ first formal opportunity to assert its defense in the case since the SEC filed its securities fraud complaint against the company Oct. 30 (see 2310310041).
Nearly three years after Sunburst, in a complaint “skewed by hindsight bias,” the SEC now seeks to use the attack “to advance a misguided regulatory agenda,” by bringing “unfounded” securities fraud and controls charges against SolarWinds and Tim Brown, its chief information security officer, the letter said. “There is no securities fraud or any other misconduct here,” it added.
Instead, the case “is born from administrative overreach,” said the letter. The SEC is “inappropriately” seeking “to position itself as a cybersecurity regulator for public companies,” it said. But the SEC “lacks congressional authority or substantive expertise,” it said.
The SEC’s fraud charges “are flawed for many reasons,” said the letter. The most fundamental flaw is that SolarWinds “has long disclosed in its public filings that it is at risk of cyberattack,” it said. Well before Sunburst, its SEC filings warned that its systems were vulnerable to compromise, including by sophisticated nation-state actors in security breaches that may remain undetected for an extended period, it said.
The SEC now complains that those disclosures “were insufficient,” said the letter. It suggests that companies “must disclose detailed vulnerability information to investors, such as weaknesses in specific controls,” it said. “But that has never been the law or industry practice, and for good reason,” it said. “It would be dangerous to do so, as it would transform investor disclosures into roadmaps for hackers.”
The SEC previously recognized this concern, including in promulgating new rules earlier this year, “which it dialed back in response to industry pushback,” said the letter. The SEC “seems intent here on imposing a higher standard that it was unable to impose through regulation,” it said.
The SEC also alleges that SolarWinds misled investors via an online statement addressed to customers, which the SEC claims misrepresented the company’s security measures, said the letter. SolarWinds and CISO Brown “deny these allegations and stand by the accuracy of the security statement,” it said.
Regardless, the allegations don’t support a fraud theory because SolarWinds disclosed in investor filings that its systems were vulnerable to attack despite security measures, its letter said. Alleged misstatements in the security statement can’t be “deemed material,” it said.
The SEC also alleges that SolarWinds’ initial disclosures about the Sunburst attack, made soon after the company learned of it, misrepresented that it was still investigating whether customers were exposed, said the letter: “That representation was accurate, and the SEC alleges no facts that would render it false.”
The idea that SolarWinds “sought to minimize” the seriousness of the attack “ignores the overall thrust” of the disclosure, said the letter. That disclosure “acknowledged that up to 18,000 customers were potentially affected by the attack, which vastly exceeded the attack’s actual impact,” it said.
For these and other reasons, the SEC “has failed to sufficiently allege, and will be unable to prove, any materially misleading statement or omission, let alone scienter,” said the letter. It stands by CISO Brown, “who at all times performed his duties in good faith,” it added.