SEC Cybersecurity Allegations Against SolarWinds Dismissed

A district court judge has dismissed SEC cybersecurity allegations that SolarWinds didn’t adequately disclose the cyberattack that began in 2019 and was discovered in 2020, according to an article in Cyberscoop. Claims of securities fraud related to one of SolarWinds’ statements about the company’s security were sustained.

In respect to the inadequate disclosure allegations, district court judge Paul Engelmayer wrote: “These do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation.”

The so-called “SUNBURST” attack against SolarWinds has been pinned on hackers with ties to the Russian government. It facilitated infiltration into at least nine federal agencies and hundreds of companies.

The Security Exchange Commission brought a first-of-its-kind suit against SolarWinds and its former chief information security officer. The action was widely viewed as a message that the SEC would hold executives accountable for known security failures.

Tim Starks, writing in Cyberscoop, calls the ruling a victory for cybersecurity industry officials who say such charges create a chilling effect that makes individuals unlikely to probe for vulnerabilities if they could later face charges.

A SolarWinds spokesperson told Cyberscoop that his company is looking forward to presenting evidence that will demonstrate why the remaining claim is factually inaccurate. It also expressed gratitude the company received from the cybersecurity industry, its customers, “and from veteran government officials who echoed our concerns, with which the court agreed.”

An SEC spokesperson declined to comment.