Why SEC, SolarWinds Eye Settlement Talks in Cyber Fraud Case
SEC 'Proposed Specific Settlement Terms' But Defense Unlikely to Accept, Judge Told
Federal regulators and SolarWinds are considering a truce weeks after a judge dismissed most claims related to misleading investors about the company's cybersecurity practices and risks.
"Following the Court's July 18, 2024 ruling on Defendants' Motion to Dismiss the Amended Complaint, the parties have discussed pursuing settlement discussions," SolarWinds, CISO Tim Brown and the U.S. Securities and Exchange Commission said in an Aug. 5 letter to District Judge Paul Engelmayer.
The progress of settlement negotiations was discussed in more detail during a teleconference with Engelmayer on Monday. SEC lawyer Christopher Bruckmann said his team "proposed specific settlement terms," Law360 reported. But Sean Berkowitz - legal counsel for SolarWinds and Brown - said the defense is unlikely to accept the initial offer and suggested that a third-party mediator intervene.
"Based on the content of the offer, we think it may be useful to get somebody involved to help the process," Berkowitz told Engelmayer, according to Law360. Berkowitz said he's happy to refer the case to a magistrate judge to aid settlement negotiations, Law360 reported. The SEC declined an Information Security Media Group request for comment, and SolarWinds and Brown's lawyer didn't respond (see: Judge Dismisses Most SEC Fraud Claims Against SolarWinds).
How the Judge Sees Allegations Against SolarWinds, Brown
The stakes are high for Brown, as federal regulators seek to permanently ban him from serving as an officer or director of a publicly traded company and to impose civil monetary penalties and return of any ill-gotten gains. SEC staff last year recommended enforcement action against SolarWinds, Brown and CFO Bart Kalsu for violating federal securities laws, but Kalsu wasn't named in the complaint (see: SEC Alleges SolarWinds, CISO Tim Brown Defrauded Investors).
Engelmayer ruled July 18 that the SEC can proceed only with claims related to the security statement issued by SolarWinds before the Russian Foreign Intelligence Service hack became public in December 2020, determining that a jury could conceivably find the company's security statement materially false or misleading. The claim focused on inaccurate statements in SolarWinds' cybersecurity risk disclosure.
Specifically, SolarWinds' security statement claims strong access controls, but the SEC said widespread granting of administrative rights to employees was internally recognized but not publicly disclosed. Also, the security statement claims robust password practices, but the SEC found the company's weak practices around simple and unencrypted passwords were documented internally but not publicly.
Engelmayer said Brown - a named defendant in the SEC lawsuit - knew of the company's deficiencies in access controls and password policies and acknowledged them internally but nonetheless allowed the misleading security statement to remain on SolarWinds' website. Since Brown is a company employee, the judge said, SolarWinds can also be liable for the misrepresentations.
"Brown knew of the substantial body of data that impeached the Security Statement's content as false and misleading," Engelmayer said. "His conduct in allowing the statement to issue publicly, and to remain in place for years, in the face of company practices inconsistent with it, is plausibly plead as 'highly unreasonable or extreme misconduct.'"
Why a Settlement Could Benefit All Parties
The SEC's case against SolarWinds and Brown has established precedent as the first time financial regulators brought an accounting control claim based on an issuer's cybersecurity failings. Legal observers told ISMG the fact that Engelmayer has allowed the security statement claim to proceed would carry weight with jurors, who often defer to the expertise of government officials when issuing a verdict.
At the same time, the lack of precedent creates uncertainty about how a jury or Engelmayer will view the allegations and proposed SEC penalty against SolarWinds and Brown. A settlement offers some repercussions for the alleged wrongdoing of SolarWinds and Brown and spares the SEC the time and expense associated with seeing the case through trial and any potential appeals.
Did Engelmayer's ruling last month give all parties enough reason to think a settlement is in their best interest and introduce enough uncertainty to prompt SolarWinds and/or the SEC into making concessions?
The cybersecurity industry is watching closely to see if this history-making case ends in a verdict.