Bad Passwords Are Securities Fraud

Opinion by Matt Levine, Columnist

If you are a publicly traded software company, and your customers access your product through a server, and you provide them with a default password to log into the server, and the default password is “password,” is that securities fraud? You know the answer!

Yesterday the US Securities and Exchange Commission sued “software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” SolarWinds sells network management software to companies and governments, including “an information technology infrastructure and management platform” called Orion. In 2020, Orion was famously hacked by Russian state actors, who inserted hidden code into Orion software updates and were “then able to remotely exploit the networks and systems of SolarWinds’ customers,” which they used “for the primary purpose of espionage.”

That was bad for, among other things, SolarWinds’ stock price. The SEC’s complaint says:

On December 14, 2020, the day it filed the Form 8-K first announcing the SUNBURST attack against the Orion platform, SolarWinds’ stock price dropped more than 16%. It dropped at least an additional 8% the next day. The stock price continued to drop and lost approximately 35% of its value by the end of the month as SolarWinds disclosed more details of the SUNBURST attack, and as news outlets reported that internal sources had warned SolarWinds for several years about the Company’s cybersecurity risks and vulnerabilities.

My non-technical theory is that “everything is securities fraud”: If a public company does a bad thing, or a bad thing happens to it, and the stock drops, then that is securities fraud. The stock was high, because investors did not know about the company’s vulnerability to the bad thing. Then the bad thing happened, investors found out, and the stock dropped. Before they found out, they were deceived about the true value of the company, so that was fraud. Here, that is all you really need to know: bad thing, stock down, securities fraud.

But that is not technically an accurate description of the law, so the SEC, in suing SolarWinds, needs to argue that SolarWinds made false statements about facts that were material to investors. Thus, for example, “password”:

SolarWinds’ Security Statement falsely claimed the Company not only had, but enforced, a strong password policy. Specifically, SolarWinds and Brown stated: “We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password best practices enforce the use of complex passwords that include both alpha and numeric characters, which are deployed to protect against unauthorized use of passwords.” …

Contrary to its Security Statement, SolarWinds did not enforce strong password requirements on all of its information systems, applications, and databases, as Brown and SolarWinds knew or were reckless or negligent in not knowing. …

In an April 2017 email to the newly hired CIO, a SolarWinds employee expressed surprise that things “like ‘default passwords’ are [still] plaguing us when the product has been in the market [this long,]” explaining, “[m]any of these vulnerabilities seem pretty well amateur hour.” As an example, the employee noted one product for which the default password was “password.” Senior InfoSec Manager E testified that having a default password of “password” is a “poor security practice.”
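The gap the complaint describes, stated as a mechanical check (an added example, not code from the column, from SolarWinds or from the SEC complaint): the Security Statement's rule as quoted, "complex passwords that include both alpha and numeric characters", coded literally beside the check a practitioner would actually enforce, run over a constructed set of default credentials. The usernames, passwords, denylist and minimum length below are invented for the example; only the "password" default comes from the complaint.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data: default credentials a product might ship with.
# "admin"/"password" is the case the complaint describes; the rest are made up.
DEFAULT_CREDENTIALS: Dict[str, str] = {
    "admin": "password",
    "svc_monitor": "Monitor2017",
    "backup": "Backup1",
}

# Stand-in for a breached/common-password denylist (constructed, lowercase).
COMMON_PASSWORDS = {"password", "password1", "123456", "backup1", "welcome1"}


def meets_stated_policy(pw: str) -> bool:
    """The policy exactly as the Security Statement phrases it:
    alpha and numeric characters. It says nothing about length
    or about commonly used passwords."""
    return bool(re.search(r"[A-Za-z]", pw)) and bool(re.search(r"[0-9]", pw))


def meets_hardened_policy(pw: str, min_len: int = 12) -> Tuple[bool, List[str]]:
    """A policy worth enforcing: length floor, alpha + numeric, not on a denylist.
    Returns (ok, reasons) so an audit can report why a credential failed."""
    reasons: List[str] = []
    if len(pw) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if not re.search(r"[A-Za-z]", pw):
        reasons.append("no alphabetic character")
    if not re.search(r"[0-9]", pw):
        reasons.append("no numeric character")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password denylist")
    return (not reasons), reasons


def audit_defaults(creds: Dict[str, str]) -> Dict[str, dict]:
    """Run both checks over every shipped default credential."""
    report = {}
    for user, pw in creds.items():
        ok, reasons = meets_hardened_policy(pw)
        report[user] = {
            "stated_policy": meets_stated_policy(pw),
            "hardened": ok,
            "reasons": reasons,
        }
    return report


def accounts_contradicting_statement(creds: Dict[str, str]) -> List[str]:
    """Accounts whose default password fails even the policy as stated:
    each one is a fact the Security Statement's claim cannot survive."""
    return sorted(u for u, pw in creds.items() if not meets_stated_policy(pw))


if __name__ == "__main__":
    for user, result in audit_defaults(DEFAULT_CREDENTIALS).items():
        print(user, result)
    print("contradict statement:", accounts_contradicting_statement(DEFAULT_CREDENTIALS))
```

Two things fall out. "password" fails even the rule as written, which is the point the complaint makes. But "Backup1" passes the rule as written while sitting on every common-password list, which is why a policy phrased only as "alpha and numeric" is not a policy anyone should be proud to enforce.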

Read full report: https://www.bloomberg.com/opinion/articles/2023-10-31/bad-passwords-are-securities-fraud#xj4y7vzkg

One thought on “Bad Passwords Are Securities Fraud”

  1. Great article highlighting the importance of cybersecurity and the potential legal implications for publicly traded software companies. It’s crucial for companies like SolarWinds to prioritize strong password policies to protect their customers and investors.
