On November 4, 2021, Cohen Milstein and co-counsel filed a Verified Shareholder Derivative Complaint in the Court of Chancery of the State of Delaware on behalf of Plaintiffs Construction Industry Laborers Pension Fund, Central Laborers’ Pension Fund, Lawrence Miles, and Brian Seavitt and other shareholders of, and the nominal defendant, SolarWinds Corporation, against its current and former directors for their utter failure to implement or oversee any reasonable monitoring system concerning cybersecurity risks fundamental to SolarWinds’ only line of business.
As detailed in the complaint, these failures led to one of the most devastating cyberattacks against the United States in history. In December 2020, SolarWinds announced that it had learned of a massive cybersecurity incident – dubbed “SUNBURST” – whereby Russian hackers used SolarWinds’ Orion Platform software as a “Trojan horse” to gain access to and install malware in SolarWinds’ client systems, impacting up to 18,000 of its clients, including numerous U.S. national security agencies and leading technology companies.
Case Background
SolarWinds is a monoline provider of information technology (“IT”) infrastructure management software. The Company derives all of its revenues from sales of its proprietary software to government agencies, businesses, and other entities that use SolarWinds’ products to manage, monitor, and control their IT environments. SolarWinds’ software – particularly its flagship “Orion Platform” (“Orion”) – is virtually ubiquitous in business and government in the United States and globally, with the Company’s approximately 300,000 clients including almost all of the Fortune 500 companies and multiple government agencies, including the U.S. Departments of Defense, State, Treasury, Justice, Energy, and Homeland Security.
SolarWinds’ software depends on trusted access to its clients’ IT systems. This access makes SolarWinds a uniquely valuable target for hackers and subjects the Company to a profound and heightened risk of a so-called software “supply chain” cyberattack – i.e., a common technique in which hackers gain access to their intended targets through trusted third-party software.
As Plaintiffs detail in their allegations, that is exactly what happened in this case. In December 2020, SolarWinds announced that it had learned of a massive cybersecurity incident – dubbed “SUNBURST” – impacting up to 18,000 of its clients, including numerous U.S. national security agencies and leading technology companies. In simple terms, Russian hackers used SolarWinds’ software as a “Trojan horse” to attack the Company’s clients by hiding malicious code in SolarWinds’ Orion software and exploiting its trusted access to gain entry to the Company’s clients’ systems. When SolarWinds’ clients conducted routine software updates, they unknowingly brought this malware into their IT systems.
Plaintiffs further allege that SolarWinds’ executives and board of directors did not heed numerous expert cybersecurity warnings from the private sector and government agencies, and that these oversight failures ultimately had grave consequences for SolarWinds. Those warnings included reports from the Office of the Director of National Intelligence (“ODNI”) and the Cybersecurity and Infrastructure Security Agency (“CISA”), an operational arm of the Department of Homeland Security (“DHS”), including an October 2018 report issued just weeks before SolarWinds went public, as well as Symantec Corporation’s February 2019 report titled “Internet Security Threat Report, Volume 24” (“ISTR 24”), which found that “supply chain attacks” had “increas[ed] by 78% in 2018” and warned that attackers were “increasingly arriving through trusted channels” and “hijacking software updates and injecting malicious code into legitimate software.”
As is now known, SolarWinds suffered from internal cybersecurity deficiencies that defied elementary cybersecurity standards for any modern company, let alone one with a heightened risk of a cyberattack due to its trusted access to thousands of sensitive networks, including multiple critical agencies of the U.S. government.
Indeed, since the 2020 SUNBURST attack, SolarWinds has acknowledged that password vulnerabilities were among the “most likely candidates for initial entry.” CISA has likewise concluded that the SUNBURST hackers’ principal techniques involved “password guessing[,] password spraying[,] and [using] inappropriately secured administrative credentials [] accessible via external remote access services.”
Plaintiffs assert that SolarWinds’ directors had a fiduciary duty to monitor and oversee the Company’s known mission critical cybersecurity risks and therefore (at the very least) should have known about and addressed these and other fundamental security deficiencies before SolarWinds became a channel for hackers to invade its clients’ IT systems. SolarWinds’ directors breached their fiduciary duties by utterly failing to monitor or oversee any aspect of the Company’s known mission critical cybersecurity risks.
Case name: Construction Industry Laborers Pension Fund, et al. v. Mike Bingle, et al., Case No. 2021-0940-SG, Court of Chancery, Delaware