Featured Expert Contributor, White Collar Crime and Corporate Compliance

Gregory A. Brower is Chief Global Compliance Officer for Wynn Resorts. He also serves on WLF’s Legal Policy Advisory Board and is a former U.S. Attorney. Emily R. Garnett is a Shareholder practicing in the Denver, CO office of Brownstein Hyatt Farber Schreck, LLP and a former enforcement attorney at the U.S. Securities and Exchange Commission. Jack L. Hobaugh Jr. is a Shareholder of the firm in its Denver, CO office with a practice focused on technology transactions, cybersecurity issues, and privacy law.

* * * *

Ever since the U.S. Securities and Exchange Commission (“SEC”) filed the agency’s first-of-its-kind cyber disclosure case against SolarWinds, public companies have taken note of the unprecedented enforcement action. This case seeks to hold a public company and its Chief Information Security Officer (“CISO”) responsible for failing to warn the public about the chances of a cyber attack.

Notably, on February 2, 2024, the U.S. Chamber of Commerce along with the Business Roundtable filed an amicus brief in support of SolarWinds’s recently filed motion to dismiss in the Southern District of New York. The brief argues that perhaps what is most concerning about the SEC’s action is its expanded use of the internal control provisions to hold the defendants liable.

Readers will recall that the case involves a 2019 Russian cyberattack against SolarWinds, a software service provider with over 300,000 customers including financial institutions, government agencies, and critical service providers. The attack, known as “Sunburst,” was linked to official state actors, and was described at the time by federal law enforcement authorities as highly sophisticated.

Following three years of investigation, the SEC filed an enforcement action against SolarWinds and its CISO alleging that insiders knew of, but failed to disclose, known security weaknesses. The SEC pointed to internal communications in which the company’s security team recognized risk areas and vulnerabilities, and faulted the company for failing to disclose those risks, even though such disclosures would have externally exposed the company’s vulnerabilities. The SEC’s action followed the company’s decision to settle a private securities suit with shareholders in exchange for a payment of $26 million.

On January 30, 2024, SolarWinds moved to dismiss the case arguing that the SEC failed to adequately plead materiality, since the company’s own filings previously disclosed it was vulnerable to an attack. The company further argued that SEC’s failure to allege any evidence that the company and its CISO acted with scienter—or an intent to mislead—is grounds for dismissal.

In addition to pleading the typical fraud-based disclosure violations under Section 17 of the Securities Act and Section 10 of the Securities Exchange Act, the SEC also alleged that SolarWinds violated the internal control provisions of the Sarbanes-Oxley Act, specifically Section 13(b)(2)(B) of the Foreign Corrupt Practices Act (“FCPA”). This is the provision that drew the attention of the amici, who argue that the SEC’s expansion of the internal control provision is “far beyond what Congress intended.”

The brief makes several strong arguments. First, it argues that the SEC’s interpretation would create “profound uncertainty” for public companies, given that the SEC’s longstanding interpretation of internal controls has been confined to the context of financial reporting and that the SEC has previously rejected broader interpretations. The brief further argues that the SEC has now grafted onto “accounting controls” any potential federal securities misrepresentation or violation, even when a company is the victim of a crime. “[The SEC’s] power grab has left companies in constant peril and uncertainty about how to design their internal control systems, because once ‘accounting controls’ are no longer about accounting, virtually everything is fair game.”

Second, the brief points to the plain text and legislative history underlying the FCPA, which was focused on prohibiting foreign bribes and aimed at prohibiting conduct like “overpayment to vendors or employees,” “understatement of sales,” and “physical loss of assets such as cash, securities, or inventory,” but nothing beyond financial reporting.

Third, the brief notes that the SEC itself has stated that internal controls relate to material financial reporting risks, and not the sort of enterprise risks at issue in the SolarWinds case. The brief cites the SEC’s own guidance, which rejects consideration of internal controls testing as it relates to cyber vulnerabilities: “Specifically, it is unnecessary to evaluate IT general controls that primarily pertain to efficiency or effectiveness of a company’s operations, but which are not relevant to addressing financial reporting risks.”

The brief concludes with a warning that if the SEC’s interpretation holds, then the action will turn the SEC into a cybersecurity enforcement agency and risk converting every internal policy breach into a securities violation: “Put simply, if the SEC can charge a violation of Section 13(b)(2)(B) simply because a company has gaps in its cybersecurity controls or because it wants to second-guess the company’s response, then the SEC can charge any company at any time.”

Looking ahead, the court has tentatively set oral arguments on SolarWinds’ motion to dismiss for May 9, 2024. The SEC has to decide whether it will file an amended complaint by Feb. 16, 2024, and in the event it chooses not to amend, the court indicated it will move up oral arguments to April. For public companies of all types, this will be a case to watch.