SEC files a fraud complaint against SolarWinds and its CISO, but skips PwC, for now
How could the internal controls over information technology at SolarWinds be so obviously bad and, yet, PwC missed the holes? I'd scrutinize a clubby cluster of West Coast partners.
On October 30, 2023, the Securities and Exchange Commission announced charges in federal court against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. From the SEC’s press release:
The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.
Not long after that, the SEC brought another internal controls-related enforcement action, this time against Royal Bank of Canada.
I noted that in both cases PwC was the auditor and, in both cases, PwC had NEVER flagged any material weaknesses in internal controls over financial reporting — in SolarWinds' case for IT General Controls and at RBC for controls related to proper accounting under international accounting standards.
The SEC and PCAOB have not, as yet, brought any disciplinary actions against PwC or its partners for these obvious lapses.
I attended the Securities Enforcement Forum hosted by Bruce Carton in Washington DC on October 25, 2023, and it was non-stop talk about the boldness of the SEC to individually charge a CISO. Suddenly Chief Information Security Officers are worried about personal liability. They must have forgotten about the weird case of the Uber CISO, Joseph Sullivan, who was sentenced in May 2023 to serve a three-year term of probation and ordered to pay a fine of $50,000, after a jury found him guilty of two felonies in October 2022.
Uber was under investigation by the Federal Trade Commission as a result of a data breach Uber had suffered in 2014. The FTC’s Division of Privacy and Identity Protection investigated both the nature and circumstances of that 2014 data breach and Uber’s broader cybersecurity program. According to the DOJ press release:
Sullivan was hired soon after the FTC investigation launched, and he participated in Uber’s response to that investigation, including its efforts to comply with investigative demands issued by the FTC. Among other things, Sullivan participated in a presentation to the FTC in March 2016 regarding Uber’s cybersecurity program, and he testified under oath in November 2016.
As established at trial, ten days after his sworn FTC testimony, Sullivan learned that Uber had been hacked again. Furthermore, the hackers had exploited the same vulnerability that had led to the 2014 breach. Unlike the 2014 breach, however, the data stolen in 2016 was massive in scale and included records associated with approximately 57 million Uber users and drivers. Despite having testified regarding that same security vulnerability and related issues ten days prior, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC.
For example, Sullivan told a subordinate that they “can’t let this get out” and stated that the breach would “play very badly based on previous assertions” to the FTC. He also arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone. Those contracts, drafted by Sullivan and a lawyer assigned to his team, falsely represented that the hackers did not take or store any data in their hack. Thereafter, Sullivan continued to work with the Uber lawyers handling or overseeing the FTC investigation, including the General Counsel of Uber, but he withheld information about the breach from all of them. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016 without disclosing the 2016 data breach to the FTC. As part of the negotiations, Sullivan learned that the FTC was relying on false information previously provided by Uber, but he failed to alert any of Uber’s lawyers or the FTC.
In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO what had happened, Sullivan lied about the circumstances of the breach, including by telling the CEO that the hackers did not steal any data. Sullivan lied again to Uber’s outside lawyers who were conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.
Uber has been a PwC audit client since 2014, with its opinion signed out of San Francisco. (Uber's competitor Lyft is also a PwC client with its opinion signed out of San Francisco.) Uber IPO'd in 2019 and, as with SolarWinds, PwC has never cited a material weakness in internal controls related to Uber's information technology control weaknesses.
You can watch SEC Director of Enforcement Gurbir Grewal talk about this action against SolarWinds starting at the 19:00 point and many others, including against auditors, here:
In the SolarWinds case the issues that would have, and should have, attracted PwC’s attention were seemingly egregious. The SEC detailed numerous emails, text messages, and other documentation that paints a damning picture for the company and its executives.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
As those of you familiar with SEC and DOJ enforcement know, if this is what they put in the press release and public court filing, they probably have many, many more pieces of incriminating evidence that were left out, since the point was already well made.
Given the judicial scrutiny of the SEC's administrative court process, this case was brought directly to federal court — be careful what you wish for — so SolarWinds and Sullivan have taken a cue from Elon Musk's and Marc Cuban's playbook. They are fighting back.
From Bloomberg’s Skye Whitley:
The complaint against SolarWinds and Brown is the SEC’s first to name a security executive for cybersecurity controls violations. It’s a move SolarWinds criticized in the joint filing as an “unsound legal theory” that would expose public companies’ cybersecurity practices to “far-reaching oversight by an agency that lacks the expertise to regulate them.”
“The disclosures SolarWinds made were accurate both before and after the attack, and the suggestion in the SEC’s complaint that companies should provide detailed vulnerability information in their investor filings would essentially provide roadmaps to hackers,” a company spokesperson told Bloomberg Law.
The SEC’s Grewal argued that the agency focuses on whether a person knew about red flags and how they reacted according to the law, not an individual’s title.
“What we don’t do is second guess their decisions if they’re made in good faith and after reasonable inquiry and analysis,” he said. “CISOs have a challenging job and we need them in order to implement meaningful cybersecurity policies and procedures that protect investors and the markets.”