On October 30, 2023, the Securities and Exchange Commission (SEC) announced a civil suit against SolarWinds and its chief information security officer (CISO), alleging that they made fraudulent statements about the company's cybersecurity. The SEC claims that even though SolarWinds and the CISO knew about specific risks and vulnerabilities, SolarWinds’ cybersecurity risk disclosures did not disclose them, in violation of federal securities laws.
Allegedly, SolarWinds had a known VPN vulnerability that allowed access through unmanaged devices, such as cell phones and laptops, that were neither owned nor operated by SolarWinds. The bad actors had broad and undetected access to SolarWinds’ systems, in what became known as the Sunburst supply chain cyberattack, and compromised SolarWinds products with malware. As a result of these cybersecurity failings, SolarWinds allegedly delivered compromised products to more than 18,000 customers across the world, and the malware in those products allowed the bad actors to access the systems of these customers. One of the most concerning allegations by the SEC is that SolarWinds’ employees lied to cybersecurity firms that were in the middle of fighting the Sunburst cyberattack. The SEC alleges that SolarWinds filed a Form 8-K that was materially misleading in several respects, including its failure to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period, in incidents involving an agency of the United States government and two cybersecurity firms. The SEC alleges that SolarWinds and the CISO falsely promoted the company's cybersecurity practices in public statements that were material to investors in SolarWinds. Most importantly, the SEC alleges that SolarWinds and the CISO misleadingly claimed to follow the NIST Framework for evaluating cybersecurity practices. The SEC alleges that “[i]n truth, SolarWinds had no policy or practice in place for most of the NIST Framework.”
This action against SolarWinds is just the latest in a series of steps the U.S. has taken this year to focus enforcement resources on cybersecurity. In March 2023, the White House announced the National Cybersecurity Strategy with a focus on increasing cybersecurity for every company and individual within our great country. The strategy involves using a mix of existing legislation and rules to increase cybersecurity nationally — including the False Claims Act, the National Institute of Standards and Technology (NIST) Cybersecurity Framework-approved requirements for personal data security, the FTC Safeguards Rule, future legislation and agency rulemaking, and market forces, including leveraging government spending. Ultimately, the strategy is intended to increase the responsibility for cybersecurity on private companies because “protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”
To enter into federal government contracts, contractors and vendors must agree to language that binds them to follow cybersecurity best practices. To ensure accountability for these practices, and as mentioned in our previous blog, the Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative (CCFI) will use the False Claims Act to pursue civil actions against any company that fails to meet the cybersecurity obligations in its government contracts. The strategy explicitly calls for legislation to “set national requirements to secure personal data consistent with standards and guidelines developed by NIST.” To shape the standard of care for secure software development, the strategy calls for a safe harbor framework to be drawn from best practices for secure software development, “such as the NIST Secure Software Development Framework.”
Taken together, the SEC lawsuit, the National Cybersecurity Strategy, DOJ’s previously announced CCFI, the FTC Safeguards Rule, and the numerous cybersecurity announcements by other federal and state agencies in 2023 mean that companies, from government contractors to technology providers, are advised to develop a plan to meet the relevant NIST Framework requirements. A checklist is often a good document for any organization to begin that conversation. The government is clearly pushing for everyone in the country to comply with the cybersecurity standards set out in the NIST Framework.