United States: US SEC Moves Against Individual Directors Over SolarWinds Nation State Supply Chain Attack

The US Securities and Exchange Commission (SEC)'s issue of a Wells Notice to SolarWinds Corporation's former and current executives this summer is a sharp reminder that there can be serious consequences for individuals following cyber security incidents.

There is a global trend towards holding senior people within companies personally responsible for cyber security. Individuals can be sanctioned by regulators, find themselves facing action for breach of their fiduciary duties to their companies, and even the target of litigation, including in class actions by investors that name officers or directors as defendants in their individual capacity.

HSF has contributed to the International Bar Association's "Global perspectives on protecting against cyber risks: best governance practices for senior executives and boards of directors", a first of its kind Global Report.

The issuance of Wells Notices coincides with the SEC's recognition that cyber security incidents may be material to investors. On July 26, 2023, the SEC adopted rules requiring registrants to disclose not only material cyber security incidents they experience (generally within four business days of determining such breach is material, unless the US Attorney General determines that a delay in disclosure is warranted for reasons of national security or public safety), but also to disclose, on an annual basis, material information regarding their cyber security risk management, strategy, and governance.¹ A registrant's annual Form 10-K report will need to describe the board of directors' oversight of risks from cyber security threats and management's role and expertise in assessing and managing material risks posed by those threats.²

Wells Notice/SolarWinds

A Wells Notice formally advises the recipient that the SEC intends to bring an enforcement action against them, and informs the recipient of the basis for the enforcement action and the anticipated enforcement proceedings, as well as providing the recipient an opportunity to respond to the SEC's allegations.

In a public filing³ dated June 23, 2023, SolarWinds advised that the SEC sent Wells Notices to "certain current and former executives" of SolarWinds, including its Chief Financial Officer and Chief Information Security Officer, in connection with the cyber attack on the SolarWinds' Orion software platform and internal systems. This filing updated a November 3, 2022 SolarWinds filing which disclosed that the SEC had sent the company a Wells Notice relating to the regulator's investigation of the then-disclosed cyber attack on SolarWinds. According to SolarWinds, the Notices provided to the individuals state that the SEC staff has made a "preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the US federal securities laws."

As reflected in the filing, a Wells Notice is "neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law." Remedies potentially available to the SEC if it chooses to pursue enforcement actions against the individuals include "an order enjoining such individuals from engaging in future violations of provisions of the federal securities laws subject to the action, imposing civil monetary penalties and/or a bar from serving as an officer or director of a public company and providing for other equitable relief within the SEC's authority."

SolarWinds also advised that the results of any investigation and any potential enforcement action against the company or the individual officers, along with costs, timing and other potential consequences of responding and complying therewith (as well as any indemnification obligations of SolarWinds, remain to be seen. In the meantime, SolarWinds maintains that "its disclosures, public statements, controls and procedures were appropriate, and it intends to continue to vigorously defend itself, including against any enforcement action or other charges."

The move in relation to the individuals follows the SEC's recommendation of enforcement action against SolarWinds as a company over its public statements on cyber security and procedures governing such disclosures.

The SolarWinds attack

The SolarWinds attack is one of the most prominent examples of a supply chain attack; the attack on the Colonial Pipeline is another.

The SolarWinds attack was the largest and most sophisticated cyber espionage operation the world has ever seen, requiring at least a thousand very skilled, capable engineers. The US government has attributed the attack to Russia.

The attackers compromised SolarWinds' Orion Software Platform and software updates, which were quickly installed by 18,000+ organisations. Through the updates, the threat actors were able to obtain access not only to private businesses but also to governmental organisations, including key departments in the US government.

The US has responded to the increased threat landscape with, among other initiatives, the Biden Administration's launch of the National Cybersecurity Strategy in March 2023, which sets forth high-level goals for strengthening the nation's cybersecurity.⁴

Shareholder derivative actions

SolarWinds shareholders filed two shareholder derivative actions against SolarWinds in US federal and state court, In re SolarWinds Corporation Securities Litigation (Case No. 1:21-CV-272-RP), in the US District Court for the Western District of Texas, and Construction Industry Laborers Pension Fund et al. v. Bingle et al. (C.A. No. 2021-0940) in the Delaware Court of Chancery. The federal action alleged violations of federal securities laws against SolarWinds and several of its executives, including SolarWinds' chief executive officer and its vice president of security architecture during the relevant period. The state court action in the Delaware Court of Chancery asserted claims against SolarWinds' directors for allegedly breaching their fiduciary duties by failing to implement adequate cyber security oversight mechanisms.

On September 6, 2022, the Delaware Court of Chancery issued a decision that dismissed the case in that court with prejudice, which decision was affirmed on appeal by the Supreme Court of Delaware on May 17, 2023. Then, on July 5, 2023, the Texas federal court dismissed the shareholder derivative action on the basis that a venue provision contained in SolarWinds' certificate of incorporation mandated that Delaware Chancery Court be the exclusive forum for such litigation.⁵

In the UK, it is possible that derivative claims might be brought for an on behalf of a company against directors for breach of their duties to the company. Compensation would, of course, flow back to the company rather than the shareholders bringing the claim, although the shareholder would be entitled to have the company indemnify them for their costs if the claim is successful (on the basis that the company should have brought the claim itself in the first place).

Footnotes

1. See US SEC Press Release, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (available at https://www.sec.gov/news/press-release/2023-139).

2.See US SEC Fact Sheet, Public Company Cybersecurity Disclosures; Final Rules (available at https://www.sec.gov/files/33-11216-fact-sheet.pdf).

3. SolarWinds Corporation 8-K (dated June 24, 2023) (available at https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994223000079/swi-20230623.htm).

4. National Cybersecurity Strategy (March 2023) (available at https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf).

5. A separate consolidated securities class action lawsuit against SolarWinds, filed in the same Texas federal court and alleging SolarWinds made various misleading statements regarding its cyber security controls and its commitment to customers security, was settled for US$ 26 million, which settlement received court approval effective July 28, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.