A significant portion of the U.S. Securities and Exchange Commission’s (SEC) high-profile lawsuit against SolarWinds, the IT software company at the center of the 2020 cyberattack, was dismissed by a federal judge on Thursday.
While the SolarWinds data breach compromised several major tech firms and government agencies, the number of customers affected is thought to be fewer than 100 customers. The recent ruling marks a notable development closely watched by security chiefs and executives concerned about the SEC’s increasing scrutiny on breach management and cybersecurity disclosures to shareholders.
The Court’s Decision on SolarWinds Data Breach
The U.S. District Judge Paul Engelmayer’s 107-page decision marked a notable victory for SolarWinds. He concluded that the SEC’s complaint failed to “plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and criticized the claims for relying on “hindsight and speculation.”
The case, filed in October 2023 in the Southern District of New York, targeted both SolarWinds and its Chief Information Security Officer (CISO) Tim Brown.
The 98-page complaint accused SolarWinds and Brown of concealing the company’s poor cybersecurity practices and heightened risks leading up to the hack, widely believed to have been orchestrated by Russian intelligence. The hackers inserted malicious code into SolarWinds’ flagship Orion software, which then spread to customers through routine updates.
Engelmayer’s ruling found that SolarWinds’ post-hack disclosures were accurate and “fairly captured known facts,” stating that they “read as a whole, captured the big picture: the severity of the SUNBURST attack.” He dismissed the SEC’s allegations that SolarWinds failed to maintain appropriate internal accounting controls, noting that cybersecurity controls do not fall within the scope of accounting.
A spokesperson from SolarWinds shared the following statement to the Cyber Express Team:
“We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims. We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate. We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”
Remaining Claims and Industry Concerns
However, the case is not entirely resolved. Judge Engelmayer allowed the SEC’s claims that SolarWinds and Brown made misleading statements about the company’s cybersecurity on its website to proceed. He found these representations materially misleading, particularly concerning access controls and password protection policies. These claims have alarmed chief security officers, who fear increased personal liability in such cases.
The SEC’s lawsuit against SolarWinds, based in Austin, Texas, is notable for targeting a company victimized by a cyberattack without a simultaneous settlement. It is also rare for the SEC to sue public company executives not directly involved in financial statement preparation.
The SEC alleged that SolarWinds hid the vulnerabilities in its products before the attack and downplayed its severity afterward. The complaint accused SolarWinds of filing a “boilerplate” disclosure that misrepresented real cyber threats as hypothetical. It also claimed SolarWinds misled the public about the breach’s magnitude once it became known.
Judge Engelmayer disagreed, ruling that the anti-fraud laws do not require risk warnings to have “maximum specificity,” which could potentially provide cyberattackers with additional exploitable information. He noted that SolarWinds had disclosed the likelihood of cyberattacks as an inevitable aspect of business, with no obligation to detail individual incidents.
The Sunburst attack, which targeted SolarWinds’ Orion software, infiltrated several U.S. government agencies, including the Departments of Commerce, Energy, Homeland Security, State, and Treasury. The full impact of the breach remains unknown, but U.S. officials have attributed the attack to Russia, which has denied responsibility.
The ongoing legal battle highlights the complexities and challenges companies face in managing cybersecurity threats and regulatory scrutiny. As the case proceeds, it will continue to be a focal point for cybersecurity professionals and corporate executives alike.
