A significant portion of the Securities and Exchange Commission’s (SEC) lawsuit against SolarWinds, which accused the software provider of misleading investors about its cybersecurity practices and the implications of a major data breach affecting the US government, was dismissed by a US federal judge on Thursday.
The ruling, issued by US District Judge Paul Engelmayer of the Southern District of New York, dealt a blow to the SEC’s assertive stance on regulating the cybersecurity practices of publicly traded companies, a stance that had raised concerns within the private sector and among security practitioners.
Despite the setback, the case was not entirely dismissed. Judge Engelmayer allowed the SEC to proceed with a claim that SolarWinds committed securities fraud regarding a statement about the company’s cyber preparedness. However, he dismissed allegations that other statements and filings were misleading, and that the company had downplayed the scope and severity of the significant hack disclosed in December 2020.
Additionally, Judge Engelmayer dismissed some claims against SolarWinds’ Chief Information Officer Timothy Brown, whom the SEC accused of failing to disclose the company’s extensive security vulnerabilities in Form 8-K filings before and after the Russian intrusion. Engelmayer stated that the responsibility for crafting and signing the disclosures ultimately lay with SolarWinds’ executives, not Brown.
“The SEC’s complaint failed to claim that ‘the officers who approved the cybersecurity risk disclosure understood it was misleading,’” Engelmayer noted. “These executives, not Brown, appear to have had ultimate authority over the company’s risk disclosure.”
However, the judge upheld claims concerning Brown’s role in the company’s allegedly misleading security statement about SolarWinds’ practices prior to the hacking disclosures. Other claims against Brown, regarding his public statements in company-approved press releases, blog posts, podcasts, and disclosures in Forms S-1 and 8-K, were dismissed.
Jennifer Lee, a partner at Jenner & Block and a former SEC official, remarked, “I think the SolarWinds case is a bellwether action. The SEC will likely review this decision, refine its theories, and consider how to proceed with enforcement actions.”
Michael Borgia, a partner at Davis Wright Tremaine LLP, commented, “It’s a bit of a slap down certainly. However, I do not think this will lead to a more reticent SEC in the cyber enforcement space. They’ll dust themselves off and keep going because this is a significant priority.”
Gerry Stegmaier, a partner at Reed Smith LLP, warned that any relief felt over the decision might be premature. “The SEC remains very active in scrutinizing cybersecurity practices and companies’ incident response in general,” he said.
The breach in question involved Russian hackers inserting malicious code into a SolarWinds software update, which was then sent to its customers. This malware acted as a backdoor for further intrusions affecting a relatively small number of customers, including dozens of companies and at least nine government agencies. The breach was revealed in December 2020.
A SolarWinds spokesperson expressed satisfaction with the ruling, stating, “We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims. We look forward to presenting our evidence to demonstrate why the remaining claim is factually inaccurate. We are also grateful for the support we have received across the industry.”