SolarWinds Prevails in Most of US SEC Cyberattack Litigation
Quick Read
- A US judge threw out the majority of the SEC’s lawsuit against SolarWinds.
- The lawsuit alleged that SolarWinds concealed security vulnerabilities both before and after a significant cyberattack.
- SolarWinds and its Chief Information Security Officer, Timothy Brown, were exonerated regarding statements made after the attack.
- The Sunburst cyberattack breached multiple US government agencies.
- This instance is notable as one of the few where the SEC took legal action against a company for being a victim of a cyberattack, and the case did not conclude with a settlement.
SolarWinds Prevails in Most of the SEC Cyberattack Lawsuit
Judge Rejects the Majority of Claims
US District Judge Paul Engelmayer in Manhattan has thrown out most of the Securities and Exchange Commission (SEC) lawsuit against SolarWinds, a software firm. The lawsuit alleged that SolarWinds misled investors by hiding its security flaws before and after a major cyberattack associated with Russia that targeted the US government.
Post-Attack Claims Refuted
The judge rejected all accusations against both SolarWinds and its chief information security officer, Timothy Brown, related to statements made following the attack. The rejection was based on the reasoning that these accusations were speculative and depended on hindsight.
Pre-Attack Claims Partially Dismissed
Though many of the SEC’s allegations regarding pre-attack statements were dismissed, the judge permitted securities fraud claims to move forward based on a declaration on SolarWinds’ website that touted the company’s security measures. The SEC chose not to comment on the ruling.
SolarWinds Responds
SolarWinds expressed approval of the decision, describing the outstanding claim against the company as “factually incorrect.” Brown’s attorneys did not promptly respond to requests for comment.
The Sunburst Cyberattack
The Sunburst cyberattack, lasting almost two years, compromised SolarWinds’ main Orion software platform to access multiple US government networks. Before the attack was revealed in December 2020, the breached agencies included the Departments of Commerce, Energy, Homeland Security, State, and Treasury. The complete impact is still unknown. US officials suspect Russia was behind the attack, an accusation Russia denies.
SEC’s Unusual Move
The case initiated by the SEC last October was noteworthy because it was the first instance where the regulator targeted a company that had fallen victim to a cyberattack without declaring a simultaneous settlement. Additionally, it is unusual for the SEC to file lawsuits against public company executives who are not directly responsible for preparing financial statements.
Legal Views on Cybersecurity Reporting
The SEC accused SolarWinds of understating its cybersecurity weaknesses before the attack and downplaying the impact of the attack afterwards. Moreover, the SEC asserted that SolarWinds hid warnings from customers regarding malicious activities related to Orion. Nonetheless, Judge Engelmayer pointed out that anti-fraud laws do not require companies to give excessively detailed risk warnings that could inadvertently assist cyber attackers.
The judge also mentioned that SolarWinds had already admitted it couldn’t stop every cyberattack, highlighting that such events are an unavoidable aspect of the current digital environment.
Summary
In conclusion, SolarWinds has largely overcome the SEC’s lawsuit concerning the Sunburst cyberattack. This outcome underscores key aspects of cybersecurity disclosures and the legal obligations companies face within an increasingly intricate digital landscape.
Q: What was the primary allegation against SolarWinds?
A:
The primary allegation was that SolarWinds deceived investors by hiding its security vulnerabilities both prior to and following the Sunburst cyberattack.
Q: Who rejected the majority of the allegations in the legal case?
A:
US District Judge Paul Engelmayer in Manhattan threw out the majority of the allegations in the lawsuit.
Q: What made the SEC’s case against SolarWinds stand out?
A:
This case was notable as it was the first instance in which the SEC pursued a company that had suffered a cyberattack without simultaneously announcing a settlement. Additionally, it is uncommon for public company executives who are not directly tied to financial reporting to face lawsuits from the SEC.
Q: What were some of the impacts resulting from the Sunburst cyberattack?
A:
The Sunburst cyberattack infiltrated multiple US government agencies such as the Departments of Commerce, Energy, Homeland Security, State, and Treasury. The extent of the damage is still unclear, but there are suggestions that Russia was probably behind the attack.
Q: What was Judge Engelmayer’s comment regarding risk warnings?
A:
Judge Engelmayer observed that anti-fraud regulations do not necessitate excessively detailed risk warnings, as doing so might inadvertently provide cyber attackers with exploitable information. He further noted that SolarWinds had already conceded it could not thwart every cyberattack.
Q: What actions did SolarWinds take following the judge’s ruling?
A:
SolarWinds was pleased with the judge’s ruling and mentioned that the remaining allegation against them was “not based on factual evidence.”
Q: What implications does this case have for other companies concerning cybersecurity disclosures?
A:
This situation highlights the critical need to strike a balance between transparency and practical challenges in cybersecurity disclosures. Businesses must maneuver through intricate legal environments while recognizing their constraints in thwarting all potential cyber threats.