Supply chain, Vulnerability Management

SolarWinds defendants bemoan trend where ‘any calamity that befalls a public company is framed as a violation of the securities law’

Solarwinds

Defendants in a class action lawsuit against SolarWinds following the hack of their Orion management software pressed a Texas judge to throw out the case, alleging the plaintiffs have not alleged or proven any malicious intent by the accused parties to mislead or deceive investors.

The lawsuit, brought by various SolarWinds investors, claims the company neglected cybersecurity in the years leading up to the hack, both due to the leadership of then-CEO Kevin Thompson and chief information security officer Tim Brown. Further, it claims that two private equity firms played a key role stripping down SolarWinds’ security budget for “short-term profit.”

In separate motions filed Aug. 2, lawyers for all four defendants asked the court to dismiss the case.

“No facts are pled suggesting that Russian Intelligence exploited any of the six security deficiencies alleged in the Complaint to perpetrate the Cyberattack,” lawyers for CISO Tim Brown wrote. “Moreover, the Cyberattack and the ensuing decline in SolarWinds’ stock price were materializations of risks about which the Company explicitly and repeatedly warned investors.”

Brown’s team claims the lawsuit is part of a “growing trend” where “any calamity that befalls a public company is framed as a violation of the securities law” regardless of the facts at hand or their application to the statute. They cite statements from cybersecurity experts and U.S. government officials to argue that the Orion hack was an exceedingly sophisticated operation from a highly advanced threat actor and there is no evidence that SolarWinds or its executives were intentionally misleading investors about the potential for being compromised.

“The Complaint does not contain a single factual allegation supporting any inference, much less a cogent and compelling inference, that the SolarWinds Defendants intended to deceive investors into believing that SolarWinds was immune to cyberattacks or otherwise spoke with severe recklessness such that investors would draw that conclusion,” Brown’s lawyers wrote.

A key witness cited in the complaint, former SolarWinds global security strategist Ian Thorton-Trump, reportedly warned SolarWinds executives in 2017 about a host of fundamental security deficiencies at the company, including concerns that the company had no security team, no policies around secure passwords or access controls. This made SolarWinds “an incredibly easy target to hack,” Thorton-Trump was quoted as saying in a news interview with Bloomberg.

But the motion casts Thorton-Trump as a disgruntled former employee who was bitter he was passed over for the vice president of security position that Brown was eventually hired to perform. Thorton-Trump had only started working for the company a few months prior to the described meeting with executives, resigned in May 2017 and never worked with the Orion software that was at the center of the hack. Brown’s lawyers said there is also no evidence that he specifically communicated these findings to then-CEO Kevin Thompson or Brown, who didn’t start working at SolarWinds until July 2017, two months after the presentation.

“Thus, he cannot credibly speak to the security measures in place at SolarWinds nearly a year and a half later, much less offer insight into any of the SolarWinds Defendants’ knowledge of such matters when the challenged statements were made,” Brown’s lawyers continued.

The motion also addresses a series of stock purchases by Thompson, other SolarWinds executives and their private equity owners in the weeks and months leading up to the hack’s public disclosure.

Thompson sold millions of dollars in stock in the weeks (or days in some cases) before the hack became public. When multiple different classes merged their lawsuits together earlier this year, they added two new defendants: Thoma Bravo and Silver Lake. Combined, the two private equity firms owned 80% of SolarWinds stock during the period where Orion was compromised and both sold hundreds of millions of dollars in shares, also just days before the hack became public and SolarWinds stock tumbled.

The defendants argue that the stock sales from Thoma Bravo and Silver Lake “have no bearing” on whether SolarWinds executives lied or deceived investors at the time they made statements to the SEC regarding their cybersecurity posture. Thompson sold the stock after announcing he was leaving the organization and the lawsuit doesn’t accuse Brown of profiting through stock sales at all.

SolarWinds never claimed it was “impervious to attack” from hackers, “repeatedly” warned in SEC filings that a successful cyber attack could lead to serious negative consequences and accused the plaintiffs of cherry picking statements on general security practices made by Brown that “no reasonable investor” would let influence their stock purchases.

“Moreover…no reasonable investor would consider bland and universally espoused statements that a company’s security team focuses on ‘heavy-duty hygiene’ or works to make ‘sure that there is good basic hygiene’ important to his investment decision,” the motion reads.

In a separate filing, lawyers for Silver Lake say they had only indirect control of SolarWinds stock and the lawsuits offer no evidence that the firm managed day to day responsibilities around SolarWinds security practices or that they controlled the manner in which the company disclosed the hack.

The consolidated complaint notes that multiple executives from both Thoma Bravo and Silver Lake sat on SolarWinds’ board of directors during the class period. It also alleged that both have a history of taking acquired public companies private, aggressively cutting costs to the detriment of the company, then going public again before being sold. But Silver Lake argues this, as well as the stock sales, are insufficient to legally prove that they were involved in the management or disclosure process.

Thoma Bravo made a nearly identical argument in its own filing.

“Nowhere in the two hundred and seventy paragraphs of the Complaint are there allegations that Thoma Bravo wrote, made, authored, disseminated, influenced, directed, or otherwise participated in the alleged securities violations, or even had the ability to control the alleged misconduct by SolarWinds,” the motion reads.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.