A US judge [1] [2] [8], Paul Engelmayer of the US District Court for the Southern District of New York [9], has dismissed most of the US Securities and Exchange Commission (SEC) accusations against SolarWinds and its CISO [2] [5] [7], Timothy Brown [2] [3] [6] [7], over the 2020 cyberattack known as the ‘Sunburst’ hack [2].
Description
The judge ruled to grant SolarWinds’ motion to dismiss charges related to securities fraud and false filings [9], with the exception of claims based specifically on its security statement [9]. The judge stated that the SEC’s claims of SolarWinds concealing security weaknesses were based on hindsight and speculation [2]. Most SEC claims regarding cybersecurity weaknesses in SolarWinds products before the attack were also dismissed [2], with the only legitimate accusation being the failure of security controls in SolarWinds products [2]. All post-Sunburst claims and claims relating to internal accounting and disclosure controls were also dismissed [9]. The court sustained claims of securities fraud based on SolarWinds’ security statement but dismissed other claims [3], including those involving post-Sunburst disclosures and internal accounting controls [3]. The company expressed gratitude for industry officials [3], customers [3] [5] [6] [7], and government officials who supported their legal arguments [3]. The SolarWinds Orion platform [3], a key product [3], was heavily impacted by the hack [3], accounting for a significant portion of revenue [3]. The ruling is seen as a positive move toward providing guidance to other publicly traded companies on how to deal with cybersecurity incident disclosure regulations [5]. Legal and cybersecurity experts believe that the court’s decision vindicates SolarWinds’ information sharing with the cybersecurity community post-incident [5]. While many charges against SolarWinds and Brown have been dismissed [5], the SEC can still pursue action for claims made about the company’s security posture prior to the breach [5]. SolarWinds’ internal communications highlighted deficits in the company’s defenses [5], with the CISO delivering more positive assessments to customers [5]. SolarWinds is pleased with the ruling and looks forward to presenting its own evidence in the next stage of the legal proceedings [5]. The court’s decision to dismiss internal communications evidence among SolarWinds employees has been welcomed by CISOs [5], who believe that transparency is essential in discussing the state of security internally [5]. The ruling also loosens constraints on CISOs [5], with experts noting that holding CISOs personally liable could weaken the security posture of organizations [5]. Regardless of the outcome of the SEC’s action against SolarWinds and Brown [5], CISOs are urged to continue being transparent about their security posture [5]. It is important for companies to be honest about their security practices and not shy away from discussing vulnerabilities or weaknesses [5]. The judge dismissed post-Sunburst charges [7], citing lack of actionable deficiencies in reporting the hack [7]. However, pre-Sunburst charges related to sustained public misrepresentations about access controls can proceed [7]. The SolarWinds breach [3] [7], attributed to Russian threat actors [7], allowed backdoors into thousands of customers’ networks [7], including US federal agencies [7]. Cybersecurity leaders criticized the lawsuit [4], fearing it could harm company efforts to boost cyber posture [4]. SolarWinds spokesperson expressed gratitude for industry support and looks forward to presenting evidence to refute remaining claims [4] [6].
Conclusion
The ruling in the SolarWinds case has significant implications for cybersecurity incident disclosure regulations and the responsibilities of CISOs. The decision to dismiss many of the SEC’s charges highlights the importance of transparency and honesty in discussing security practices. Moving forward [6], companies and CISOs must continue to prioritize cybersecurity and be proactive in addressing vulnerabilities to prevent future breaches.
References
[1] https://legal.economictimes.indiatimes.com/news/international/solarwinds-beats-most-of-u-s-sec-lawsuit-over-russia-linked-cyberattack/111843941
[2] https://www.infosecurity-magazine.com/news/judge-dismiss-sec-charges/
[3] https://www.cybersecuritydive.com/news/majority-sec-fraud-solarwinds-dismissed/721753/
[4] https://www.nextgov.com/cybersecurity/2024/07/judge-dismisses-key-claims-sec-lawsuit-2020-solarwinds-hack/398153/
[5] https://www.darkreading.com/application-security/solarwinds-charges-tossed-out-of-court-in-legal-victory-against-sec
[6] https://news.bloomberglaw.com/privacy-and-data-security/judge-guts-secs-cyber-case-against-hacking-victim-solarwinds
[7] https://www.techtarget.com/searchsecurity/news/366596039/Judge-tosses-most-of-SECs-lawsuit-against-SolarWinds
[8] https://cyberscoop.com/judge-dismisses-much-of-sec-suit-against-solarwinds-over-cybersecurity-disclosures/
[9] https://www.crn.com/news/security/2024/judge-throws-out-most-of-sec-s-solarwinds-sunburst-lawsuit