Judge tosses out most of SEC cybersecurity case against SolarWinds

A U.S. District Court judge dismissed most of a landmark case against software company SolarWinds, throwing cold water on attempts by the federal government to punish the firm after it was hit by Russia’s Sunburst hacking campaign. 

In a 107-page decision published on Thursday, U.S. District Judge Paul Engelmayer in Manhattan said most of the government’s charges against Solarwinds “impermissibly rely on hindsight and speculation.”

“For the foregoing reasons, the Court grants in part and denies in part defendants' motion to dismiss,” Engelmayer wrote.

The SEC declined to comment on the decision or answer questions about potential appeals. SolarWinds now has 14 days to respond to the charges that are still in place. 

A SolarWinds spokesperson said they were pleased with the decision and look forward to the next stage where they can present evidence showing “why the remaining claim is factually inaccurate.”

“We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed,” the spokesperson said. 

The Securities and Exchange Commission (SEC) announced in October that it planned to charge the company and its Chief Information Security Officer Timothy Brown with fraud for their role in allegedly lying to investors by “overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks” from 2017 to 2021. 

The SEC also said the company lied to investors in 8-K filings by not immediately realizing and explaining that two customer reports of cyberattacks were part of a larger Russian campaign. 

The case revolved around Brown and SolarWinds’ actions before, during and after the Sunburst incident, a nearly-two year cyberattack that the U.S. government attributed to the Russian Foreign Intelligence Service.

Hackers found a way to insert malware into a version of SolarWinds’ Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used the access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months.

The attack allowed Russian hackers to infiltrate several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy and more.

SolarWinds and Brown submitted a motion to dismiss earlier this year, arguing that the SEC was unfairly targeting the victim of a nation-state attack and misusing past generalized cybersecurity statements as a cudgel against them. 

Engelmayer validated the SEC charges that centered on Solarwinds’ Security Statement, writing that the company’s claims of stringent cybersecurity practices were “materially misleading and false.”

“In essence, the Statement held out SolarWinds as having sophisticated cybersecurity controls in place and as heeding industry best practices. In reality, based on the pleadings, the company fell way short of even basic requirements of corporate cyber health,” the judge wrote.

“Its passwords — including for key products — were demonstrably weak and the company gave far too many employees unfettered administrative access and privileges, leaving the door wide open to hackers and threat actors.”

But Engelmayer threw out almost every other charge levied against SolarWinds and Brown, arguing that many of the company’s other statements about cybersecurity amounted to “non-actionable corporate puffery.”

He added that other decisions in the district have proven that anti-fraud laws “do not require cautions to be articulated with maximum specificity,” arguing that doing so would “backfire” in many ways and potentially arm hackers with information they could exploit.  

Engelmayer throughout the filing defended SolarWinds’ response to the Sunburst attack, writing that the company adequately shared what it knew at the time with the public and with investors. 

The risk disclosure issued by Solarwinds at the time of the cyberattacks “was not inaccurate” but according to Engelmayer, the SEC “cannot plausibly allege that Brown actually ‘understood that [SolarWinds'] public statements were inaccurate.’"

“The Court accordingly does not find either Form 8-K false or misleading,” he added. 

The case was considered the first attempt by the SEC to hold companies liable for cybersecurity claims made in public and in official regulatory documents. But the agency has faced withering backlash from the cybersecurity community over the charges, with many arguing that the SolarWinds case and other prominent incidents would have a chilling effect on the industry.