In re SolarWinds Corporation Securities Litigation

ORDER

ROBERT PITMAN, UNITED STATES DISTRICT JUDGE

Before the Court is a consolidated motion to dismiss by Defendants Tim Brown ("Brown") and SolarWinds Corporation ("SolarWinds"), (Dkt. 41); a motion to dismiss by Defendants Silver Lake Group, LLC and Silver Lake Technology Management, LLC (collectively, "Silver Lake"), (Dkt. 42); a motion to dismiss by Defendant Kevin B. Thompson ("Thompson"), (Dkt. 44); and a motion to dismiss by Defendant Thoma Bravo, LP ("Thoma Bravo"), (Dkt. 45). Plaintiffs, members of a putative class, filed a consolidated response in opposition, (Dkt. 55), and Brown and SolarWinds filed a reply, (Dkt. 59), as did Silver Lake, (Dkt. 61), Thompson, (Dkt. 62), and Thoma Bravo, (Dkt. 63). The Court has considered the parties’ briefing and enters the following order.

I. BACKGROUND

This case concerns a cybersecurity breach that occurred at SolarWinds, a publicly traded company that, during the class period, provided information technology software to a host of private and government actors. The parties do not appear to dispute that the Russian Foreign Intelligence Service injected a malicious code into SolarWinds’ "Orion" software, which was discovered in late 2020. (Compl., Dkt. 26, at 61; Dkt. 41, at 8). When the infected code was downloaded onto a customer's server, it could be used to compromise the server. (Id.). As a result of the breach, SolarWinds’ stock value plummeted, leading to the present class-action complaint against SolarWinds. (Compl., Dkt. 26, at 65). The Lead Plaintiff in this action is the New York City District Council of Carpenters Pension Fund. (Id. at 4). Hereinafter, the Court will refer to the class-action plaintiffs as "Plaintiffs." On February 9, 2021, Plaintiffs filed their initial complaint in this Court, seeking recovery under the Exchange Act on behalf of the Carpenters Pension Fund "and all persons and entities, except Defendants and their affiliates, and who purchased or otherwise acquired the securities of [SolarWinds] between October 18, 2018, and December 17, 2020 [ ] (the "Class Period") and were damaged" as a result of the breach and SolarWinds stock's resultant loss of value. (Dkt. 1; Compl., Dkt. 26, at 4). Plaintiffs later filed a consolidated complaint, (Id.), and have now alleged causes of action against SolarWinds, Thompson (SolarWinds’ Chief Executive Officer during the class period), J. Barton Kalsu (SolarWinds’ Executive Vice President, Chief Financial Officer, and Treasurer during the class period), Tim Brown (SolarWinds’ Vice President of Security Architecture during the class period), and Silver Lake and Thoma Bravo (private equity firms each owning approximately 40% of SolarWinds’ securities during the class period).

According to Plaintiffs' complaint, SolarWinds customers—which included the U.S. Pentagon, State Department, Office of the President, FBI, Secret Service, and National Security Administration—utilized SolarWinds’ information technology software. (Id.). Given its customers’ highly sensitive data and need for significant cybersecurity measures, SolarWinds "falsely and misleadingly" told investors that SolarWinds had a robust cybersecurity system and adhered to specific cybersecurity practices set forth in a "Security Statement" on its website. (Id.). The Security Statement represented that SolarWinds had a security team, had an information security policy, provided security training to its employees, followed a password policy, and segmented its network, among other things. (Id. at 5). A photo and video of Brown was featured prominently near the Security Statement, and Brown likewise regularly wrote articles and appeared in interviews and on podcasts touting SolarWinds’ focus on "heavy-duty hygiene" and directing customers and investors to the Security Statement. (Id. at 5, 18–19). SolarWinds’ commendations of its cybersecurity measures "helped the Company build up its customer base," "as it gained 300,000 customers worldwide and more than $230 million in federal government contracts" during the class period. (Id. at 5).

However, SolarWinds’ purported security measures were "woefully deficient and not as represented." (Id. at 6). Indications that SolarWinds’ cybersecurity efforts were not as they seemed include a presentation given by Ian Thornton-Trump ("Thornton-Trump"), SolarWinds’ former Global Cybersecurity Strategist, before the class period began. (Id.). Thornton-Trump's presentation was given to the Company's top executives including individuals who reported directly to Thompson. (Id.; id. at 34). Thornton-Trump's presentation addressed SolarWinds’ deficient cybersecurity practices. (Id. at 6). Thompson's direct-reports noted that Thompson would not be willing to invest in the cybersecurity improvements proposed by Thornton-Trump; when the company refused to implement Thornton-Trump's changes, he resigned in protest. (Id.).

During the class period, on November 11, 2019, a cybersecurity researcher notified SolarWinds in writing that the password for its Update Server—the server from which customers downloaded software updates for the Company's products—had been publicly available on the website GitHub for around one-and-a-half years. (Id. at 6–7, 52). The password was "solarwinds 123." (Id. at 7). It had been set by an intern and remained unchanged since it was posted on GitHub. (Id. at 7, 46). Brown and SolarWinds changed the password within an hour of receiving the email, but did not disclose the password leak, nor its significance: that any hacker could have used the password to upload malicious files to the server SolarWinds customers used to download updates. (Id.; id. at 74). Ten former employees of the company also stated that SolarWinds did not employ the cybersecurity measures it purported to employ. The employees stated the company did not have a security team, no security information policy, no password policy, no security training, and no segmenting of its networks to limit user access to parts of the SolarWinds network related to their job functions. (Id. at 7–8).

One week before the breach was revealed and SolarWinds’ stock price dropped, Thompson sold over $20 million in SolarWinds stock and Silver Lake and Thoma Bravo sold $261 million in shares. (Id. at 29–30). After the breach, which was widely reported on by major media outlets, was discovered in late 2020, SolarWinds’ share price plummeted 34%. (Id. at 8). Customers abandoned the company's software, and the homeland security adviser to President Donald Trump stated that "[t]he magnitude of this ongoing attack is hard to overstate." (Id. at 67). The stock price has not recovered, and analysts have continued to reduce its price targets. (Id.). The Department of Justice, the Securities and Exchange Commission ("SEC"), and various state Attorneys General are investigating SolarWinds’ alleged misconduct. (Id. at 71). SolarWinds’ new CEO, Sudhakar Ramakrishna ("Ramakrishna"), plans to institute several reforms to improve SolarWinds’ cybersecurity efforts. (Id. at 68).

Brown, SolarWinds, Thompson, Silver Lake, and Thoma Bravo heavily dispute Plaintiffs’ allegations, and each filed a motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6), alleging that Plaintiffs have failed to state a claim upon which relief can be granted. (See generally Dkt. 41, 42, 44, 45). Defendants Brown and SolarWinds filed their motion to dismiss on August 2, 2021, asserting that Plaintiffs failed to sufficiently plead that they engaged in material, misleading statements or omissions, failed to demonstrate a strong inference that they acted with scienter, and failed to allege that the material, misleading statements or omissions caused Plaintiffs’ losses. (See Dkt. 41). Thompson similarly seeks dismissal on the ground that Plaintiffs failed to allege that he made any material, false or misleading statements, or that he possessed the mental state required under the Exchange Act. (Dkt. 44). Thompson, Silver Lake, and Thoma Bravo each aver that Plaintiffs have failed to properly assert a control-person claim under Section 20(a) of the Exchange Act. (Dkts. 42, 44, 45). The Court will address each motion in turn.

II. LEGAL STANDARD

Pursuant to Rule 12(b)(6), a court may dismiss a complaint for "failure to state a claim upon which relief can be granted." Fed. R. Civ. P. 12(b)(6). In deciding a 12(b)(6) motion, a "court accepts ‘all well-pleaded facts as true, viewing them in the light most favorable to the plaintiff.’" In re Katrina Canal Breaches Litig., 495 F.3d 191, 205 (5th Cir. 2007) (quoting Martin K. Eby Constr. Co. v. Dallas Area Rapid Transit, 369 F.3d 464, 467 (5th Cir. 2004)). "To survive a Rule 12(b)(6) motion to dismiss, a complaint ‘does not need detailed factual allegations,’ but must provide the plaintiff's grounds for entitlement to relief—including factual allegations that when assumed to be true ‘raise a right to relief above the speculative level.’" Cuvillier v. Taylor, 503 F.3d 397, 401 (5th Cir. 2007) (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)). That is, "a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’" Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955).

A claim has facial plausibility "when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. "The tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions. Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do...
