Federal Judge Deals Significant Setback to SEC’s Expansive Use of FCPA’s Accounting Provisions

07.25.24

On July 18, 2024, Judge Paul Engelmayer of the United States District Court for the Southern District of New York dealt a significant blow to the Securities and Exchange Commission’s recent expansive use of accounting provisions enacted in the Foreign Corrupt Practices Act of 1977 to charge perceived control deficiencies far beyond accounting matters, including in the cyber and trading contexts. Calling these allegations “ill pled,” Judge Engelmayer granted a motion to dismiss claims grounded in those alleged control deficiencies and other, related claims against SolarWinds and its Chief Information Security Officer.[1] The decision did allow claims relating to historical cyber disclosures to go forward, at the deferential pleading stage where all of the SEC’s allegations were presumed to be true.[2] The dismissal of the accounting controls allegations builds on existing criticism, including from SEC Commissioners, that the Commission had transformed the accounting provisions into a veritable “Swiss Army knife” that was being crafted to apply to conduct that it was not intended to cover. As the SEC continues to pursue an aggressive enforcement agenda, including as to public companies, this decision will provide an important counterweight for companies facing scrutiny of their internal controls environment.

The SolarWinds Ruling

The ruling addressed three main claims alleged by the SEC in its complaint: (1) that the SolarWinds Security Statement, published on its website and repeated elsewhere, was false and misleading in light of allegedly serious internal cybersecurity deficiencies and related deficiencies in its software products; (2) that the company’s Form 8-K disclosures after it became aware of a widespread cyberattack were misleading; and (3) that SolarWinds (a software company), by allowing its allegedly most important cybersecurity assets to be at risk through allegedly poor security practices, failed to maintain adequate internal accounting controls under Exchange Act Section 13(a), and that its alleged failure to properly classify certain cybersecurity incidents under its Incident Response Plan was an Exchange Act Rule 13(b) disclosure controls violation. The court dismissed the claims in (2) and (3) above and allowed the claims in (1) to proceed to further litigation where Defendants are expected to contest the SEC’s allegations on the merits.

Much of Judge Engelmayer’s opinion focused on the traditional 10b-5 elements of falsity and scienter. He found that the complaint sufficiently pled that the Security Statements were materially false and misleading because it alleged that SolarWinds’ actual cybersecurity practices did not live up to the standards it proclaimed in its Security Statement. He also found that the complaint adequately alleged scienter, as Mr. Brown, Vice President of Security and Architecture, was aware of various internal cybersecurity failings, but allegedly allowed the Security Statement to remain published, and even promoted it in various blogs and presentations.

However, the court ruled that the allegations of falsity were insufficient as to the Form 8-K disclosures in the wake of SolarWinds learning that its software product had experienced a cyberattack. It ruled that the 8-Ks adequately disclosed both that the company had learned about the cybersecurity vulnerability in the software, and that there were news reports of cyberattacks against customers using that software. Further, because the duty to disclose more specific information was not clear, it ruled that the complaint did not adequately plead scienter. Accordingly, the court dismissed the 10b-5 claims as to the Form 8-Ks.

The SEC’s Expansive Use of Accounting and Disclosure Controls

Over the past few years, the SEC has taken an increasingly expansive view of the scope of internal accounting control provisions to capture arguably peripheral violations of internal corporate policies and recast them as securities law violations, resulting in several actions and settlements against public companies and executives.

For example, in October 2020 the SEC settled charges against Andeavor LLC for alleged violations of the internal accounting provisions.[3] There, the SEC alleged that the company’s decision to enter into a Rule 10b5-1 trading plan to repurchase shares on the same day it resumed CEO-to-CEO merger discussions violated the company’s own securities trading policy. Two Commissioners dissented, arguing that the implied contention by the SEC that Congress intended the term “accounting controls” to include controls designed to ensure compliance with a company’s securities trading policy was a stretch, as it ignored that Section 13(b)(2)(B) required “not ‘internal controls’ but ‘internal accounting controls.’”[4] The dissenting Commissioners observed that this requirement was aimed at “the accounting for a public company’s assets and transactions to ensure that its financial statements are prepared in accordance with generally accepted accounting principles, thereby ensuring that financial statements are accurate and reliable when disclosed to investors.” They further noted that “[n]o court, however, has adopted the expansive view of Section 13(b)(2)(B) that such actions seem to require.”

Similarly, in November 2023 the SEC settled charges against Charter Communications, Inc. for failure to implement a reasonable process to ensure that its trading plans were adequately reviewed for conformity with the requirements of Rule 10b5-1 before adoption.[5]

The SEC alleged that Charter’s multi-year, multi-billion dollar stock buyback was a violation of Section 13(b)(2)(B) because certain discretionary purchases were a violation of Rule 10b5-1. Two Commissioners again dissented, arguing that the “fundamental flaw in the Order is its failure to distinguish between internal accounting controls and other types of internal controls,” in this case controls designed “to answer a legal question—compliance with the regulatory conditions necessary to qualify for an affirmative defense.”[6] They warned that the case was “simply the latest application of the unsupportable and ill-considered interpretation of Section 13(b)(2)(B)” and the “Commission’s attempts to convert an internal accounting controls provision into an ever-unfolding utility tool that magically converts every corporate activity into something the Commission regulates are inappropriate extensions of the agency’s authority.”

And just last month the SEC settled an action against R.R. Donnelley & Sons for failing to create an adequate prioritization scheme which would escalate evidence of a cyber-intrusion, and trigger investigation and remedial measures.[7]

The SEC alleged that this failure enabled hackers to exploit a delay in responding and to steal client data. The dissenting Commissioners decried the case as yet another instance of the SEC treating Section 13(b)(2)(B)’s internal accounting controls provision “as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent.”[8] To the dissenting Commissioners, the SEC’s treatment of Section 13(b)(2)(B) means that “[i]dentifying a link between the Commission’s preferred policies and procedures and accounting controls seems a collateral concern, if it is a concern at all.” In their view, computer systems were clearly not within the purview of Section 13(b)(2)(B)’s internal accounting controls, which “are concerned with the use and disposition of the corporate assets themselves” while “[a]t most, computer systems process transactions in corporate assets.” (emphasis added). The dissenting Commissioners also expressed concern that an enforcement action could “amplif[y] a company’s harm from a cyberattack.”

Judge Engelmayer Rejects the SEC’s Interpretation of Internal Accounting Controls

In SolarWinds, the complaint alleged that SolarWinds’ cybersecurity deficiencies were actionable under Section 13(b)(2)(B) of the Exchange Act as a failure to devise and maintain appropriate internal accounting controls. Judge Engelmayer emphatically rejected that view, marshalling many of the same arguments of the dissenting Commissioners in Andeavor, Charter Communications, and R.R. Donnelley & Sons. He found that SolarWinds was “clearly correct” that 13(b)(2)(B)’s reference to “system of internal accounting controls” could not reasonably be interpreted to cover cybersecurity controls. Judge Engelmayer’s statutory interpretation exercise focused on the text of Section 13(b)(2)(B). He noted that the statute referred to a “system of internal accounting controls” (emphasis in original) which clearly referred to financial accounting. He pointed out that the term “accounting” is widely understood to refer to business and financial transactions, and references in the statute’s surrounding text to “transactions,” “preparation of financial statements,” “generally accepted accounting principles,” and “books and records” made clear Congress was using “accounting” in its ordinarily understood financial sense. He ruled that to find otherwise would give unwarranted breadth to the language Congress chose. While the Court stated that cybersecurity controls are vitally important, it noted they cannot be understood to fit naturally within a requirement to maintain “internal accounting controls” because they are unrelated to “accounting” in the financial sense. Nor could the SEC’s argument that it needed authority to regulate cybersecurity controls to protect against the consequences of poor cybersecurity practices be “squared with the statutory text,” and Judge Engelmayer noted that “Congress does not hide elephants in mouseholes.”

Judge Engelmayer also dismissed the allegations that SolarWinds had ineffective disclosure controls under Exchange Act Rule 13a-15(a). The complaint acknowledged that SolarWinds did have a system of controls to facilitate the disclosure of potentially material cybersecurity risks and incidents. Judge Engelmayer rejected the complaint’s argument that because a limited number of cybersecurity incidents were allegedly wrongly classified under SolarWinds’ Incident Response Plan, the controls were necessarily deficient. He found that “errors happen without systemic deficiencies” and without more, two misclassified incidents “is an inadequate basis on which to plead deficient disclosure controls.” Further, he found that the fact that limited alleged lapses were “not elevated to the company’s top rung does not, without more, plausibly impugn the company’s disclosure controls system.”

Conclusion

While not binding on other courts, Judge Engelmayer’s opinion is a notable and serious setback to the SEC’s efforts to expand the enforcement scope of the Section 13(b)(2)(B) accounting provisions to encompass cyber or other non-financial controls. While the SolarWinds decision refers to SEC v. Cavco Industries Inc., where the court found Cavco’s failure to follow its insider trading policy constituted an internal accounting control failure, that decision presented a far more direct link between the alleged internal accounting control failure and financial transactions. The issue in Cavco was a failure to create a process sufficient to monitor and report improper corporate investments, a situation which arguably posed a more direct connection to corporate finances. The SolarWinds decision therefore leaves room for the SEC to continue using Section 13(b)(2)(B) outside the narrower books and records context if it is able to allege a more concrete nexus to a company’s financial transactions.

This case signals that the SEC’s recent expansive use of the internal controls provision of Section 13(b)(2)(B) will not be automatically accepted by courts and validates the increasingly sharp cautionary note sounded by certain SEC Commissioners in recent years as to that use. The decision to dismiss the Form 8-K claims may also demonstrate to companies that while they have disclosure obligations when they learn of cybersecurity incidents, they do not necessarily face liability for making disclosures that do not delve into overly granular details, potentially putting their security posture at further risk.


[1] SEC v. SolarWinds Corp., 2024 U.S. Dist. LEXIS 126640, at *6-7 (S.D.N.Y. July 18, 2024).

[2] Id.

[3] In the Matter of Andeavor LLC, Exchange Act Release No. 90208 (Oct. 15, 2020).

[4] Hester M. Peirce & Elad L. Roisman, Statement of Commissioners Hester M. Peirce and Elad L. Roisman - Andeavor LLC, U.S. Securities and Exchange Commission (Nov. 13, 2020).

[5] In the Matter of Charter Communications, Inc., Exchange Act Release No. 98923 (Nov. 14, 2023).

[6] Hester M. Peirce & Mark T. Uyeda, The SEC’s Swiss Army Statute: Statement on Charter Communications, Inc., U.S. Securities and Exchange Commission (Nov. 14, 2023).

[7] In the Matter of R.R. Donnelley & Sons Co., Exchange Act Release No. 100365 (June 18, 2024).

[8] Hester M. Peirce & Mark T. Uyeda, Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co., U.S. Securities and Exchange Commission, (June 18, 2024).