TLDR:

• A U.S. District Court judge dismissed most of the SEC cybersecurity case against SolarWinds, citing hindsight and speculation in the government’s charges.
• The case revolved around SolarWinds’ Chief Information Security Officer and the company’s response before, during, and after the Russian Sunburst cyberattack.

According to a recent article, a U.S. District Court judge dismissed most of the SEC cybersecurity case against software company SolarWinds, challenging the government’s charges on the grounds of hindsight and speculation. The case centered around SolarWinds’ Chief Information Security Officer, Timothy Brown, and the company’s actions in response to the Russian Sunburst cyberattack. The judge granted in part and denied in part the motion to dismiss, allowing SolarWinds to respond to the remaining charges. The SEC accused the company of fraud for allegedly misleading investors about their cybersecurity practices from 2017 to 2021, particularly surrounding the Sunburst incident. While some charges were upheld, many were thrown out, with the judge criticizing the SEC for targeting a victim of a nation-state attack and leveraging past general cybersecurity statements against the company.

The judge validated the SEC charges related to SolarWinds’ Security Statement, deeming the company’s claims about cybersecurity practices as misleading and false. However, he dismissed many other charges as non-actionable corporate puffery. Engelmayer defended SolarWinds’ response to the cyberattack, stating that the company adequately shared information with the public and investors at the time. This case marked the SEC’s first attempt to hold companies accountable for cybersecurity claims, but faced criticism from the cybersecurity community for potentially chilling effects on the industry. SolarWinds now has the opportunity to present evidence refuting the remaining charges as they move forward with the case.