On January 4, 2021, a putative securities class action complaint was filed in the United States District Court for the Western District of Texas against SolarWinds Corporation (“SolarWinds”), SolarWinds’ CEO and CFO. This is the first securities class action lawsuit to be brought in 2021, and it underscores the continued significance of cybersecurity issues for public companies, having been initiated shortly after SolarWinds disclosed it was the victim of a cyberattack. The SolarWinds complaint, and its implications, are discussed below.
Public companies that experience cybersecurity incidents are increasingly targeted for securities class action lawsuits. These cases face a high pleading threshold and most do not survive the motion to dismiss stage. Nonetheless, plaintiffs will continue to seek to hold companies accountable under the securities laws following a cybersecurity breach.
SolarWinds is a Delaware company that provides information technology (“IT”) infrastructure management software products in the United States and internationally. It offers products to monitor and manage network, system, desktop, application, storage, and database and website infrastructures, on premise, via cloud or in a hybrid IT infrastructure.
On December 13, 2020, Reuters reported that hackers alleged to be working for the Russian government had gained access to emails at the U.S. Treasury and Commerce departments by interfering with SolarWinds’ software updates. SolarWinds filed an 8-K with the SEC on December 14, 2020, disclosing a cyberattack that was “likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state.” SolarWinds’ shares then fell 17% on December 14, 2020. On December 15, 2020, Reuters further reported SolarWinds had knowledge that “anyone could access SolarWinds’ update server by using the password ‘solarwinds123’” and that the “malicious updates were still available for download” days after SolarWinds realized its software had been compromised. SolarWinds’ stock price then fell an additional 8%.
The complaint, filed on behalf of investors who acquired SolarWinds stock from February 24, 2020 through December 15, 2020, asserts claims under Section 10(b) and Rule 10b-5, as well as Section 20(a) of the Securities Exchange Act of 1934. It alleges that SolarWinds’ 2019 10-K and 2020 10-Q statements were false or misleading due to the failure to disclose the vulnerability of SolarWinds’ products and servers to hackers.
The SolarWinds putative class action complaint indicates plaintiff attorneys will continue to target public companies that experience cybersecurity incidents in 2021. If the SolarWinds complaint remains operative, it is unlikely to withstand a motion to dismiss because, among other deficiencies, the allegations as to scienter probably fall short of applicable federal pleading standards. Nonetheless, the complaint is emblematic of the type of securities lawsuits filed in response to cybersecurity incidents observed in recent years that are likely to endure in 2021.
 Bremer v. SolarWinds Corporation et al., No. 1:21-cv-00002 (W.D. Tex. Jan. 4, 2021).