A federal judge has dismissed a significant portion of the U.S. Securities and Exchange Commission’s lawsuit against SolarWinds, the IT firm involved in the 2020 cyberattack. U.S. District Judge Paul Engelmayer’s ruling found that the SEC’s claims, which accused SolarWinds of failing to disclose deficiencies in its cybersecurity practices, were based on hindsight and speculation. The judge determined that SolarWinds’ post-hack disclosures were accurate and adequately described the impact of the SUNBURST attack, which had exploited vulnerabilities in the company’s Orion software.
Filed in October 2023, the SEC’s complaint targeted both SolarWinds and its Chief Information Security Officer, Tim Brown. The SEC alleged that the company had concealed its poor cybersecurity practices and failed to disclose the full extent of the risks leading up to the attack. Despite the ruling, Engelmayer allowed some claims to proceed, particularly those accusing SolarWinds of making misleading statements about its cybersecurity practices on its website.
The lawsuit’s dismissal is notable as it is rare for the SEC to target a company that was itself a victim of a cyberattack without a settlement. The case also stands out for targeting company executives not directly involved in financial reporting. The ruling reflects ongoing concerns about the balance between adequate cybersecurity disclosures and the potential for exposing sensitive information.
As the legal battle continues, the decision highlights the complex interplay between cybersecurity management and regulatory scrutiny. The case remains a key point of interest for cybersecurity professionals and executives, emphasizing the need for clear and accurate disclosures while navigating the challenges of cyber threats.