Can a company’s cybersecurity weakness equate to “ineffective accounting controls?” The Securities & Exchange Commission (SEC) says yes …
… but for now, the courts say no. The SEC charged SolarWinds and its chief information security officer (CISO) Timothy Brown with fraud and internal control failures under section 13(b)(2)(B) of the Securities Exchange Act. SolarWinds is a high-end cybersecurity vendor that sells the Orion platform to government agencies and private companies.
The SEC alleged SolarWinds “hid the fact that its products and practices had porous cybersecurity,” wrote Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York. The SEC alleged “the company’s hype misled the investing public to believe that SolarWinds’ central software product had minimal vulnerability to cyberattacks … and ineffective ‘disclosure controls and procedures.’”
“[The SolarWinds] case is the first in which [the SEC] has brought an accounting control claim based on an issuer’s cybersecurity failings,” the judge wrote. SolarWinds refused to settle any of the charges and asked the court to dismiss all of the claims.
Cybersecurity Charges Nixed — Will SEC Appeal?
Engelmayer dismissed several of the SEC’s charges against SolarWinds and all of those involving the CISO. The judge characterized the SEC’s equating of cybersecurity flaws with an accounting control violation as not tenable. Reason: The section of the Exchange Act that the SEC cited speaks to companies’ internal financial accounting only. Congress didn’t give the SEC authority to pursue enforcement cases against companies in areas beyond the financial realm.
Allowing the SEC to pursue section 13(b)(2)(B) enforcement for cybersecurity flaws “could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers,” the judge ruled.
The SEC could pursue an appeal of the dismissed charges, but a victory higher up the court hierarchy isn’t a strong bet. The Supreme Court (SCOTUS) recently overturned the Chevron doctrine, which gave agencies leeway in how they interpreted statutes like the Exchange Act, as the SEC did in this case. Also: SCOTUS ruled that those charged with securities fraud by the SEC (or other federal agencies) can insist on a trial by jury instead of having their cases decided by in-house administrative law judges.