U.S. District Judge Paul Engelmayer dismissed most of the Securities and Exchange Commission’s (SEC) charges against SolarWinds, a software company heavily impacted by the notorious Sunburst cyberattack that first made headlines in December of 2020.
This case has been closely watched, as it represents the SEC’s attempt to hold a company accountable for its cybersecurity disclosures in the wake of a major security breach. Judge Engelmayer’s ruling has significant implications for how companies manage and disclose cybersecurity risks, affecting the future of corporate accountability in cybersecurity.
The SEC’s Case Against SolarWinds
The SEC’s charges, brought in October of 2023, accused SolarWinds and its Chief Information Security Officer, Timothy Brown, of misleading investors about the company’s cybersecurity practices.
The allegations centered on claims that SolarWinds overstated its security measures and failed to promptly disclose known risks and the extent of the Sunburst cyberattack, which began in 2019 and was attributed to Russian state actors. The attack compromised SolarWinds’ Orion IT monitoring application, allowing hackers to infiltrate numerous high-profile targets, including several U.S. federal agencies.
Judge Engelmayer’s 107-page decision dismissed the majority of the SEC’s claims, finding that many of the charges relied too heavily on hindsight and speculation. He stated that the government’s arguments did not plausibly demonstrate actionable deficiencies in SolarWinds’ cybersecurity reporting. Specifically, he dismissed the allegations that SolarWinds had failed to disclose the attack promptly and accurately in its 8-K filings.
However, Engelmayer upheld the SEC’s charges concerning one specific pre-Sunburst statement by SolarWinds about its Orion software’s security. He found that the company’s claims of having sophisticated cybersecurity controls were materially misleading, as the company failed to meet even basic cybersecurity standards.
Implications for the Cybersecurity Industry
The SEC’s case against SolarWinds marked the first major attempt to hold a company legally responsible for cybersecurity claims made in public statements and official documents. The mixed ruling from Judge Engelmayer has sparked a significant debate within the cybersecurity community.
Industry experts argue that overly stringent regulations on cybersecurity disclosures could deter companies from actively investigating and disclosing vulnerabilities, fearing potential legal repercussions.
The case also highlights the delicate balance companies must strike between providing sufficient cybersecurity information to stakeholders and avoiding overly detailed disclosures that malicious actors could exploit. Judge Engelmayer’s ruling emphasized that anti-fraud laws do not require maximum specificity in risk disclosures, as overly detailed cautions could inadvertently aid hackers.
The Road Ahead for SolarWinds
Following the judge’s decision, SolarWinds and Timothy Brown have 14 days to respond to the remaining charges. The company’s spokesperson expressed satisfaction with the ruling and emphasized the company’s eagerness to present evidence refuting the remaining claims.
This next stage of litigation will be crucial for SolarWinds as it seeks to rebuild its reputation and restore investor confidence.
The SEC, on the other hand, has yet to comment on the ruling or indicate whether it plans to appeal. The outcome of this case will likely influence how the SEC approaches similar cases in the future, potentially reshaping the regulatory framework for corporate cybersecurity practices.
The Wrap
Judge Engelmayer’s ruling in the SEC’s case against SolarWinds represents a landmark moment in cybersecurity litigation. By dismissing most of the charges, the decision alleviates some industry concerns about the chilling effect on vulnerability disclosures. However, the upheld charges serve as a stark reminder of the critical importance of accurate and truthful cybersecurity communications.
This case underscores the changing dynamics of cybersecurity accountability, where companies must strike a balance between corporate transparency and safeguarding sensitive information.
The outcome will undoubtedly influence future regulatory approaches and corporate practices, ultimately fostering a more secure and trustworthy cybersecurity environment for businesses and their stakeholders.
Go Deeper -> Judge Tosses out Most of SEC Cybersecurity Case Against SolarWinds – The Record
Judge Dismisses Much of SEC Suit Against SolarWinds Over Cybersecurity Disclosures – CyberScoop