Policy

Judge dismisses much of SEC suit against SolarWinds over cybersecurity disclosures

The groundbreaking lawsuit’s claims about inadequate disclosures related to the historic Sunburst attack were thrown out Thursday.

By Tim Starks

July 18, 2024

(kolderal/Getty Images)

A U.S. judge on Thursday dismissed most of a Securities and Exchange Commission lawsuit against SolarWinds and a company official over allegations that it misled investors about the security of its Orion software, which accused Russian hackers exploited to conduct one of the most audacious cyberattack campaigns ever.

District Court Judge Paul Engelmayer threw out claims that SolarWinds didn’t adequately disclose the Sunburst attack that began in 2019 and was discovered in 2020.

“These do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack,” Engelmayer wrote. “They impermissibly rely on hindsight and speculation.”

He sustained claims of securities fraud related to one of SolarWinds’ pre-Sunburst statements about Orion security, but dismissed other SEC claims about separate company cybersecurity assertions.

The SolarWinds breach ultimately led to hackers, whom the U.S. government said were tied to the Russian government, infiltrating at least nine federal agencies and hundreds of companies.

The SEC brought its groundbreaking suit in October against SolarWinds and its former chief information security officer, Tim Brown, in what was widely seen as a message that the commission would hold executives accountable for known security failures.

Engelmayer’s ruling is largely a victory for industry officials who have said the charges would create a chilling effect in the field that would make individuals less likely to probe for vulnerabilities if they could later face legal ramifications.

A SolarWinds spokesperson said in an email that the company is “pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims. We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate. We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”

An SEC spokesperson declined to comment.

You can read the full opinion here.

This story was updated July 18, 2024, with SolarWinds and SEC responses to requests for comment.