SolarWinds shareholders have appealed to the Delaware Supreme Court after a lower Chancery Court dismissed their lawsuit against the software company’s directors last year, arguing that the board “did absolutely nothing” for years to address cybersecurity flaws that were exposed in a massive 2020 hack of their flagship Orion IT management software.
In an opening brief filed Wednesday and obtained by SC Media, the shareholders told the state high court that Delaware Vice Chancellor Sam Glasscock III’s September ruling ending their case was wrongly decided.
The shareholders sued current and former SolarWinds directors in 2021 for their “utter failure” to monitor the systems and deal with cybersecurity deficiencies, which led to a 2020 hack that is widely viewed as one of the most severe cybersecurity incidents in U.S. history.
However, Delaware Vice Chancellor Sam Glasscock III said last year that the company was the “victim of a major crime,” and its leadership shouldn’t carry the burden of responsibility under corporate law for “operational loss” and “simple negligence.”
“Historically, only utter failures by directors to impose a system for reporting risk, or failure to act in the face of ‘red flags’ disclosed to them so vibrant that lack of action implicates bad faith, in connection with the corporation’s violation of positive law, have led to viable claims under Caremark,” the vice chancellor noted in a Sep. 6, 2022 opinion obtained by SC Media.
In Sunburst’s case, there is no solid evidence indicating that the directors were operating in bad faith or ignore red flags to violate the law, the vice chancellor said, and the leadership seems to make efforts to minimize the impact of the incident.
In Wednesday’s opening brief, shareholders appealed to the vice chancellor’s ruling by presenting evidence of how the company’s directors were aware of the security flaws but neglected their duties to fix them over the years.
Most of the claims underpinning this argument are identical to those made in a consolidated lawsuit filed in Texas by a group of shareholders who purchased stock during the affected period of Sunburst. That case was settled last November with the company agreeing to pay $26 million.
In 2017, SolarWinds’ previous global cybersecurity strategist, who expressed his concern over SolarWinds’ security control, resigned in protest when senior executives were “unwilling to make the corrections” necessary.
Shareholders added that in 2019, SolarWinds management was notified by an external researcher that an important company’s password — “solarwinds123” — was leaked on the internet. SolarWinds executives have since said that a thorough investigation determined that the leaked password played no role in the eventual compromise.
In addition, shareholders said that they reviewed SolarWinds board of directors’ materials spanning the 26 months leading up to the revelation of Sunburst in 2020, and found an utter “dearth of any board-level effort at monitoring.”
“Indeed, the Board as a whole never received a single report or held a single discussion regarding cybersecurity,” the brief read. “The Board’s Audit Committee, specifically charged with overseeing cybersecurity issues, likewise never received a single report or held a single discussion regarding cybersecurity.”
SolarWinds, headquartered in Austin, Texas, is a company that develops software for businesses to help manage their networks and information technology infrastructure. The company owns nearly 300,000 clients, including most Fortune 500 companies and top U.S. government agencies, such as the FBI and the U.S. Department of Defense.
A SolarWinds spokesperson told SC Media that the company “disagree[s] strongly” with shareholders’ allegation and “look[s] forward to the truth coming to light.”