It seems we are adding to the things in life that are guaranteed.
Death. Taxes. And litigation after a cyberattack.
This week there was significant action in court as SolarWinds fired back against one of the lawsuits related to its Orion cyberattack saga.
However, this is not just another nameless, faceless piece of litigation; this one specifically names the company's Chief Information Security Officer.
The suit, filed by a group of investors, specifically names SolarWinds, its former CEO, and Tim Brown, the company's VP of Security and CISO.
This serves as a crucial reminder that security leaders can be, and sometimes are, sued. According to Rebecca Rakoski, cyber attorney and managing partner at XPAN Law Partners:
"The C-Suite is not immune, and while lawsuits against the C-Suite are in some aspects more difficult to prove, those C-Suite members have a heightened obligation to the organization.
The takeaway message? The C-Suite needs to ensure that its actions are comprehensive and well supported. They need to consider the legal ramifications of both action and inaction."
And in this case, the lawsuit claims that inaction around cybersecurity amounted to deceiving investors. Specifically, it alleges that SolarWinds engaged in intentional or severely reckless deceit of investors.
Summary of investor lawsuit against SolarWinds
The original lawsuit is dozens of pages long, and so is this week's response from SolarWinds. With that in mind, here are a few of the highlights from court documents.
- The face of the case is a former SolarWinds employee who was hired nearly two years before the Orion cyberattack and only stayed with the company a few months. He allegedly raised concerns about poor security while in the role of "Global Cybersecurity Strategist."
- The case says that "solarwinds123" was the password on the company's update server and that the company had previously been warned about that fact.
- The lawsuit makes direct claims like this one: "There was no security team, there was no password policy, there was no documentation regarding data protection and controls, and the Company did not limit user access controls, exposing the Company's 'crown jewels' to a potential cyberattack."
- Many of these accusations were corroborated, the lawsuit says, by a group of 10 former, anonymous employees.
- The lawsuit alleges that SolarWinds made misleading claims about the quality of its cybersecurity, especially on the SolarWinds website, and that this deceived investors.
Summary of SolarWinds response to investor lawsuit
This week, SolarWinds fired back on the lawsuit's claims and accusations as it defended its CISO and its own cybersecurity actions in court.
This is being watched closely because SolarWinds is the world's leading provider of IT infrastructure management software to companies, governments, and organizations.
The company response to this particular lawsuit is 48 pages long, so here are some highlights:
• With regard to the former CEO and the company CISO named in the lawsuit:
"The Complaint does not contain a single factual allegation supporting any inference, much less a cogent and compelling inference, that the SolarWinds Defendants intended to deceive investors into believing that SolarWinds was immune to cyberattacks or otherwise spoke with severe recklessness such that investors would draw that conclusion."
• With regard to the scope and sophistication of the attack, which SolarWinds argues made it nearly impossible to stop:
"Investigators, government officials, and the press have uniformly characterized the Cyberattack as 'the largest and most sophisticated' cyber espionage operation the world has ever seen requiring 'at least a thousand very skilled, capable engineers.'
Plaintiff's Complaint attempts to convert this sophisticated cybercrime perpetuated against SolarWinds into a class action claim for securities fraud against the Company, its executives, and its largest shareholders."
• SolarWinds' response to the claim that it had unacceptable levels of cybersecurity:
"While the Company was private [prior to 2018], SolarWinds strengthened its security posture by hiring key personnel to build up its security team, implemented new security protocols, and strengthened its security infrastructure.
The Company dedicated more of its budget to security initiatives than any of its peers during this time period and invested in security at 'a level meaningfully higher than the industry average.'"
• With regard to the easy-to-guess password on the SolarWinds update server:
"...the allegations about this 'solarwinds123' password are simply a red herring—Plaintiff does not and cannot plead any facts suggesting that the 'solarwinds123' password or the Update Server was used in the Cyberattack. Indeed, a threat actor could not access SolarWinds' IT environment via the Update Server because that server is maintained by a third party and is used by SolarWinds' customers to download non-Orion software products. Having access to the Update Server would not have enabled the threat actor to access the Orion software build process and inject malicious code into Orion (the method by which the Cyberattack was perpetrated)."
• With regard to the group of former employees who remain anonymous:
"...none of them is alleged to have held a position where he or she would have known anything about the Cyberattack or SolarWinds' security infrastructure. It is telling that Plaintiff could not find a single former employee who worked on the Orion Software Platform or on security issues: None of them is alleged to have had responsibilities for SolarWinds' internal cybersecurity nor any relevant personal knowledge of, or reliable basis on which to assess, SolarWinds' overall corporate cybersecurity posture."
• SolarWinds' response to the idea that it somehow misled investors about the cyber risk involved and how that risk translated into business risk: the company cited several warnings it had publicly issued, including this one from its SEC filings as it prepared to go public in 2018:
"For example, in its October 2018, IPO Offering Documents filed with the SEC, SolarWinds stated: Our systems and those of our third-party service providers are vulnerable to damage and disruption from... traditional computer 'hackers,' malicious code (such as viruses and worms), employee theft or misuse, and denial-of-service attacks, as well as sophisticated nation-state and nation-state-supported actors (including advanced persistent threat intrusions).
The risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hacks, foreign governments, and cyber terrorists, has generally increased in number, intensity and sophistication of attempted attacks, and intrusions around the world have increased.… Despite our security measures, unauthorized access to, or security breaches of, our software or systems could result in the loss, compromise or corruption of data, loss of business, severe reputational damage adversely affecting customer or investor confidence, regulatory investigations and orders, litigation, indemnity obligations, damages for contract breach, penalties for violation of applicable laws or regulations, significant costs for remediation and other liabilities."
SolarWinds also cautioned that it "may be unable to anticipate [threat actors'] techniques or to implement adequate preventative measures' because 'the techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not identified until they are launched against a target.'" In a prospectus, SolarWinds specifically explained that a breach could "remain undetected for an extended period" due to the sophistication of some cyberattacks, which could have an even greater impact on its business.
SolarWinds also asked the judge to dismiss the case, arguing that the federal securities laws were never designed to be used the way the investors are trying to use them:
"The Complaint follows a growing trend of 'event driven' securities litigation, where any calamity that befalls a public company is framed as a violation of the securities laws, whether it be an industrial accident, a defective product, or a cyberattack.
But the purpose of the federal securities laws is to promote the disclosure of material business information—not to provide investor insurance against losses resulting from business risks. Subjecting cyberattack victims, who never promised invulnerability to such crimes, to class action securities fraud claims would undermine the... intent and fuel securities litigation in the wake of every cyberattack.
For these reasons, the Court should dismiss the Complaint with prejudice."
Regardless of the outcome of this SolarWinds lawsuit, this is a case to be watched by CISOs and cybersecurity leadership.
Rebecca Rakoski of XPAN Law Partners sums it up like this:
"Creating a legally defensible position for the organization means (for the most part) creating a legally defensible position for security leadership. CISOs need to spend less time and money on technical gadgets and more time and effort on training, responsiveness, vendor auditing, and creating clear, concise contracts that protect the organization."