Judge Guts SEC Case Against SolarWinds Over Cyber Practices

A US federal judge dismissed much of the Securities and Exchange Commission’s lawsuit against SolarWinds Corp. that alleged the software provider misled investors about its cybersecurity practices and the significance of a major data breach that spilled into the US government.

Thursday’s ruling was seen as a blow to the SEC’s aggressive efforts to regulate the cybersecurity practices of publicly traded companies, actions that had created significant angst among the private sector and from security practitioners.

But the agency’s case wasn’t entirely dismissed. US District Judge Paul Engelmayer of the Southern District of New York allowed the SEC to move forward with a claim that SolarWinds committed securities fraud with a statement about the Austin-based company’s cyber preparedness. However, in his decision Thursday, Engelmayer threw out the SEC’s allegations that other statements and filings were misleading, and its claims that the company had mininized the scope and severity of a major hack that was disclosed in December 2020.

Judge Engelmayer also dismissed at least some claims against SolarWinds’ Chief Information Officer Timothy Brown, whom the SEC accused of intentionally failing to disclose the company’s expansive security vulnerabilities in From 8-K filings during the months leading up to and after the Russian intrusion.

But Engelmayer found that SolarWinds’ executives and Brown’s bosses were ultimately the parties responsible for crafting and signing the disclosures, not Brown himself.

The SEC’s complaint failed to claim that “the officers who approved the cybersecurity risk disclosure understood it was misleading,” he said. “These executives, not Brown, appear to have had ultimate authority over the company’s risk disclosure.”

Engelmayer upheld claims over Brown’s role in the company’s allegedly misleading security statement about SolarWinds’ practices before the hacking disclosures. The rest of the claims against Brown over his public statements in company-approved press releases, blog posts, podcasts and the disclosures made in the Forms S-1 and 8-Ks were dismissed.

“I think the SolarWinds case is a bellwether action,” said Jennifer Lee, a partner at Jenner & Block and a former SEC official. “I absolutely think that the SEC will be looking at this decision, thinking about how it might want to refine its theories, and also consider just how it wants to move forward in terms of enforcement actions.”

Michael Borgia, a partner at Davis Wright Tremaine LLP, said, “I think it’s a bit of a slap down certainly.”

“I do not think this spells a more sort of reticent, timid SEC in the cyber enforcement space,” he said. “I think they’ll dust themselves off and keep going because clearly they think this is a significant priority.”

Gerry Stegmaier, a partner at Reed Smith LLP, said any sighs of relief over the decision may be premature. “The SEC continues to remain very active in looking at cybersecurity generally and companies’ incident response,” he said, in a statement.

Russian hackers breached SolarWinds by inserting malicious code into a software update that was sent to its customers. The hackers then used the malware as a backdoor for further intrusions on a relatively small number of them, including dozens of companies and at least nine government agencies. The breach was revealed in December 2020.

“We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims. We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate,” a SolarWinds spokesperson said in a statement. “We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”

An SEC spokesperson declined to comment.

(Updates with quote from Gerry Stegmaier in 11th paragraph. A previous version of this story mispelled Judge Paul Engelmayer’s name.)

To contact the reporters on this story:
Cassandre Coyer in Arlington at ccoyer1@bloomberg.net;
Jeff Stone in New York at jstone183@bloomberg.net

To contact the editors responsible for this story:
Andrew Martin at amartin146@bloomberg.net

Adam M. Taylor

© 2024 Bloomberg L.P. All rights reserved. Used with permission.