A Delaware state judge has rejected SolarWinds investors’ claims that the IT software provider’s board ignored cybersecurity red flags and should be held liable for a massive cyberattack discovered in 2020.
Delaware Court of Chancery Vice Chancellor Sam Glasscock on 6 September dismissed a November 2021 lawsuit filed by SolarWinds shareholders that sought damages following a drop in share prices allegedly caused by a 2020 Russian state-backed cyberattack.
The hackers allegedly penetrated SolarWinds’ systems and injected the company’s clients – which included numerous private companies and government agencies – with malicious code to gain entry into clients’ systems. The high-profile attack was discovered in December 2020 and has spurred multiple class action lawsuits and government investigations.
But Glasscock last week sided with SolarWinds on its motion to dismiss, finding that the investors didn’t prove SolarWinds’ board failed to implement, monitor or oversee cybersecurity controls, meaning there was no substantial likelihood of liability for the board.
The complaint had noted numerous cybersecurity “red flags” allegedly ignored by SolarWinds’ board which, if heeded, could have averted the significant 2020 cyberattack. For example, the plaintiffs alleged the company received a description of a 2017 cybersecurity presentation given to management by the company’s former global cybersecurity strategist, as well as the expert’s resignation letter “complaining that changes he requested prior to his departure were not implement[ed]”.
However, Glasscock said the committee receiving the cybersecurity report was not in itself a red flag, and did not prove bad faith or knowledge of wrongdoing. Similarly, he noted there was no indication that the board was aware of its global cybersecurity strategist's presentation or his resignation letter highlighting cybersecurity issues.
The most serious claim was that SolarWinds used “solarwinds123” as a password for a programme’s software build environment, Glasscock wrote. However, while a third party had notified SolarWinds’ IT team about the “security deficiency”, the plaintiffs did not argue that the board committees were aware of the incident.
“Without such knowledge, the board again cannot have acted in bad faith relating to this incident. The stronger argument is that the facts above are not themselves ‘red flags’ but instead indicate the lack of an effective reporting system,” Glasscock wrote, ruling that the plaintiffs had not pleaded a sufficient connection between the “corporate trauma” and the board’s action or inaction.
The judge said derivative claims were once rare but have become more common, highlighting that in a recent such claim against data breach victim Marriott, directors’ oversight duties were found to apply – at least hypothetically – to a failure to monitor cybersecurity risks.
However, the Marriott case “ultimately suggests that even if lack of cybersecurity oversight might be an appropriate subject for a [derivative] claim, a violation of law or regulation is still likely a necessary underpinning to a successful pleading,” he wrote. Despite the growing regulatory push for corporate boardrooms to take cybersecurity seriously, the regulations cited in the SolarWinds complaint did not require specific board-level actions.
The investors’ “strongest fact” was the US Securities and Exchange Commission’s 2018 interpretive guidance requiring cybersecurity risk disclosures and the establishment and maintenance of cybersecurity disclosure controls and procedures, Glasscock wrote – but he said that guidance still did not establish “positive law” on cybersecurity procedures or risk management.
The claimants had also noted cybersecurity guidelines published by the New York Stock Exchange, on which SolarWinds is listed – but the guidance is not binding.
Glasscock did say that it could be difficult to find board members who should be liable for cyber incidents caused by third parties.
“While no case in this jurisdiction has imposed oversight liability based solely on failure to monitor business risk, it is possible, I think, to envision an extreme hypothetical involving liability for bad faith actions of directors leading to such liability,” the judge said. “What is not wholly clear to me is that cybersecurity incidents of the type suffered by SolarWinds … present a sufficient nexus between the corporate trauma suffered and the board for liability to attach,” he wrote.
Counsel to the plaintiffs and SolarWinds did not respond to requests for comment.
Counsel to Plaintiffs
Cohen Milstein Sellers & Toll
Partner Julie Goldsmith Reiser in Washington, DC, and of counsel Richard A. Speirs and Amy Miller in New York
Robbins Geller Rudman & Dowd
Managing partner Chad Johnson and partners Noam Mandel, Desiree Cummings and Jonathan Zweig in New York are assisted by Sarah Delaney
Grant & Eisenhofer
Principal Michael J. Barry in Wilmington, Delaware is assisted by Vivek Upadhya
Saxena White
Director Thomas Curry in Wilmington, Delaware is assisted by Tayler D. Bolton
Friedman Oster & Tejtel
Principal Jeremy S. Friedman in Bedford Hills, New York is assisted by David Tejtel
Kaskela Law
Attorney D. Seamus Kaskela in Newton Square, Pennsylvania
Counsel to SolarWinds
Kirkland & Ellis
Partners Sandra C. Goldstein, Stefan Atkinson and Byron Pacheco in New York
Morris Nichols Arsht & Tunnell
Partners William M. Lafferty and Ryan D. Stottmann in Wilmington, Delaware are assisted by Alexandra M. Cumings
Willkie Farr & Gallagher
Partners Sameer Advani and Wesley R. Powell in New York are assisted by Patricia O. Haynes
Ropes & Gray
Partners Peter L. Welsh and C. Thomas Brown in Boston and Edward McNicholas in Washington, DC are assisted by Patrick T. Roath
DLA Piper
Partners John L. Reed and Ronald N. Brown in Wilmington, Delaware are assisted by Peter H. Kyle and Kelly L. Freund
King & Spalding
Partners Paul R. Bessette and Michael J. Biles in Austin, Texas, and counsel Benjamin Lee in Atlanta are assisted by Daniel M. Wodnicki and Benjamin Watson
Abrams & Bayliss
Partner A. Thompson Bayliss in Wilmington, Delaware is assisted by Stephen C. Childs
Richards Layton & Finger
Directors Raymond J. Dicamillo and Kevin M. Gallagher in Wilmington, Delaware are assisted by Alexander M. Krischik