The Next Wave of SolarWinds: Avaya Holdings Corp.

In 2020, a Texas-based company called SolarWinds made a software update available to its customers. Hackers directed by a Russian intelligence service used that routine software update to slip in malicious code and then used it as a vehicle for a massive cyberattack. Recently the SEC has developed a new practice area by suing its victims. It started by suing SolarWinds in 2023. We discussed that one in July. Last week it expanded the area by suing four SolarWinds customers who were themselves affected by the attack and who it says were negligent in disclosing its details to investors. Commissioners Peirce and Uyeda voted against the matters and issued a dissenting statement.

If your company is attacked by the Russians or anyone else, you will be sad and maybe mad and you won’t want to talk about it publicly. But you’ll probably have to, and it’s worth looking at these four cases to learn the parameters of what the SEC will expect you to say. We’ll start with Avaya Holdings Corp. and then cover the remaining three in later posts.

Facts[i]

In December 2020, Avaya identified that two servers segmented from Avaya’s corporate network had installations of SolarWinds’ Orion software. At that point Avaya knew that the software was infected with malicious code and that it had made initial connections to a server controlled by the hacker, but was not aware of any further activity. That month, Avaya started an investigation and learned that the intruders:

  • started as early as January 2020;

  • likely compromised Avaya’s cloud email and file sharing environment using means other than SolarWinds software;

  • accessed 145 shared files, some of which contained sensitive company information;

  • accessed and monitored a mailbox for one of Avaya’s cybersecurity incident response personnel; and

  • were likely associated with the Russian state.

A joint public statement by U.S. federal agencies confirmed the Russian government’s involvement on January 5, 2021.

What Avaya Said

Avaya said in its next 10-Q that it was investigating suspicious activity it “believed resulted in unauthorized access to our email system” with evidence of access to “a limited number of . . . email messages.” The SEC said Avaya was negligent in issuing this statement because it omitted material information, including:

  • the likely attribution of the activity to a nation-state threat actor,

  • the long-term unmonitored presence of the threat actor in Avaya’s systems,

  • the access to the 145 shared files, and

  • the fact that the mailbox the threat actor accessed belonged to one of Avaya’s cybersecurity personnel.

Dissent

Peirce and Uyeda think the attacker’s connection to the Russian government was immaterial for two reasons. Here’s what they say:

First, in its 2023 rulemaking on cybersecurity incident disclosure (the “2023 Cybersecurity Rule”), neither investors nor the Commission expressed a view that the identity of the threat actor is material information. . . . Not a single one of the 150-plus comment letters submitted on the proposal requested disclosure of the identity of the threat actor. Accordingly, it is highly unlikely that investors consider this information to be material. When adopting the 2023 Cybersecurity Rule, the Commission stated that disclosure of cybersecurity incidents should “focus…primarily on the impacts of…[the]…incident, rather than on…details regarding the incident itself.” The identity of the threat actor, while an obvious “detail…regarding the incident,” lacks a clear link to the “impact” of the incident.

Second, by the time Avaya disclosed information about the cyberattack in February 2021, there had already been widespread media reports and a joint statement by government agencies that Russia was the likely threat actor. Although Avaya’s disclosure did not tie its incident to the SolarWinds cyberattack, it is unlikely that attribution of the incident to Russia would have “significantly altered the ‘total mix’ of information” about Avaya to a reasonable investor in light of the existing public information about the cyberattack.

These reasons seem compelling, especially the first. What does it matter who’s hacking into your systems? Does anyone suggest that private hackers are more benevolent than ones associated with foreign governments? The dissent’s analysis of the 2023 cybersecurity incident disclosure rule seems sound and hard to argue with.

As for the other factors, the dissent goes on to say:

The Commission cites “the long-term unmonitored presence of the threat actor in Avaya’s systems, the access to at least 145 shared files some of which contained confidential and/or proprietary information, and the fact that the mailbox the threat actor accessed belong to one of Avaya’s cybersecurity personnel.” These are the “details regarding the incident itself” – as opposed to the “impact” of incident – that the Commission has said do not need to be disclosed.

Ehhh. I mean, yes, they’re details. But aren’t these also the impacts of the intrusion? What would be enough to count as an impact for the dissent? The hackers rummaged around in Avaya’s systems for a year, had access to confidential and proprietary company information, and monitored one of their cybersecurity staff’s email boxes the whole time. Those sound like impacts. Meanwhile, Avaya’s 10-Q said the attack “resulted in unauthorized access to our email system” with evidence of access to “a limited number of . . . email messages.” Is that enough? The SEC didn’t think it was enough.

Upshot

Avaya is agreeing to cease and desist from violating Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Exchange Act, and Rules 12b-20 and 13a-13, and is paying a $1 million civil penalty.

In re Avaya Holdings Corp., Admin. Proc. File No. 3-22269 (Oct. 22, 2024)

SEC Charges Four Companies With Misleading Cyber Disclosures, SEC Press Release (Oct. 22, 2024)

Statement Regarding Administrative Proceedings Against SolarWinds Customers, Dissenting Statement of Commissioners Peirce and Uyeda (Oct. 22, 2024)

Would the SEC’s Cybersecurity Controls Claims against R.R. Donnelley Survive the District Court’s Analysis in Solar Winds?, Cady Bar the Door (July 30, 2024)


[i] This is a settled matter, so these “facts” are really just the SEC’s allegations. Who knows if they’re true? We don’t.
