A US District Court judge has made a ruling on a civil fraud case filed against SolarWinds by the Securities and Exchange Commission [4].

Description

The court dismissed most of the charges against SolarWinds and its CISO [1], Tim Brown [1] [5], in a civil fraud case filed by the SEC. The ruling stated that SolarWinds and Brown cannot be held liable for statements made after the breach of the company’s Orion product [1], as SEC rules do not cover cybersecurity measures [2]. However, the SEC can proceed with charges for misrepresentations made about the company’s cybersecurity posture before the cyberattack [1]. Claims of securities fraud based on SolarWinds’ security statement were sustained [4], but other claims, including those related to post-Sunburst disclosures and internal accounting controls [4], were dismissed [3] [4] [5]. Allegations regarding a 2017 security statement on the company’s website will continue to be litigated [4].

SolarWinds had over 300,000 customers during the period in question [4], with the Orion platform being a significant revenue driver [4]. The company expressed gratitude for support from industry officials [4], customers [4], and government officials [4]. SolarWinds is pleased with the ruling and looks forward to presenting evidence to refute the remaining claim [1] [3]. The court’s decision to dismiss internal communications evidence among SolarWinds employees is seen as a positive development for CISOs [1], who should continue to be transparent about their security posture [1].

SolarWinds’ VP of security was allegedly responsible for the security statement in question [4], posted in late 2017 [4]. Russian hackers breached SolarWinds in December 2020 by inserting malicious code into a software update [5]. The ruling allowed the SEC to move forward with a claim of securities fraud related to a statement about SolarWinds’ cyber preparedness [5]. However, other claims were dismissed [5], including those against SolarWinds’ Chief Information Officer Timothy Brown [5]. The judge found that SolarWinds’ executives were ultimately responsible for crafting and signing disclosures [5]. The SEC’s complaint failed to show that the officers who approved the cybersecurity risk disclosure understood it was misleading [5]. Claims against Brown over his public statements were also dismissed [5]. An SEC spokesperson declined to comment [5].

Conclusion

The ruling has significant implications for the cybersecurity industry, emphasizing the importance of transparency in security posture disclosures. SolarWinds’ case highlights the need for companies to accurately represent their cybersecurity measures to investors and the public. Moving forward [5], CISOs should take note of the court’s decision and ensure that their security statements are clear, accurate, and transparent [1].

References

[1] https://www.darkreading.com/application-security/solarwinds-charges-tossed-out-of-court-in-legal-victory-against-sec
[2] https://www.radicalcompliance.com/2024/07/18/sec-lawsuit-against-solarwinds-gutted/
[3] https://www.nextgov.com/cybersecurity/2024/07/judge-dismisses-key-claims-sec-lawsuit-2020-solarwinds-hack/398153/
[4] https://www.cybersecuritydive.com/news/majority-sec-fraud-solarwinds-dismissed/721753/
[5] https://news.bloomberglaw.com/privacy-and-data-security/judge-guts-secs-cyber-case-against-hacking-victim-solarwinds