In a significant legal development, a federal court has largely dismissed a cybersecurity lawsuit against the tech firm SolarWinds, marking a setback for government efforts to hold the company accountable following the extensive Sunburst cyber intrusion attributed to Russian operatives.
The ruling, extending over 107 pages and issued by Judge Paul Engelmayer of the Manhattan District Court, concluded that the bulk of the allegations brought forth by the government were based on retrospective analysis and conjecture.
Judge Engelmayer’s decision partially granted and partially denied the motion to dismiss put forward by the defendants, without providing further commentary.
The Securities and Exchange Commission (SEC), which had previously signaled its intention to pursue charges against SolarWinds and its Chief Information Security Officer Timothy Brown for purportedly misleading investors about the company’s cybersecurity measures and downplaying known threats from 2017 to 2021, has remained silent on the court’s ruling and any potential appeal strategies. SolarWinds now has a two-week window to address the remaining allegations.
A representative for SolarWinds expressed satisfaction with the court’s decision and anticipation for the opportunity to challenge the remaining accusation, which they assert is factually incorrect.
The spokesperson also acknowledged the support SolarWinds has received from various sectors, including customers, cybersecurity experts, and experienced government officials, and said the court had agreed with their concerns.
The SEC’s case centered on the company’s conduct surrounding the Sunburst cyberattack, which lasted nearly two years and was officially attributed to the Russian Foreign Intelligence Service. The hackers managed to implant malware into SolarWinds’ Orion IT monitoring software, gaining entry into critical networks. This breach enabled them to deploy further malware, compromising systems and exfiltrating sensitive data over an extended period.
The intrusion facilitated access to numerous prominent organizations and several U.S. government departments, including Defense, Justice, Commerce, Treasury, Homeland Security, State, and Energy.
Earlier in the year, SolarWinds and Brown sought to have the case dismissed, contending that the SEC was inappropriately targeting a victim of a state-sponsored cyberattack and misapplying past generalized statements about cybersecurity against them.
Judge Engelmayer upheld the SEC’s claims related to SolarWinds’ Security Statement, finding the company’s assertions of robust cybersecurity protocols to be significantly misleading and false. He pointed out that SolarWinds’ cybersecurity measures fell short of even the most fundamental standards, with weak passwords and excessive administrative access granted to numerous employees, thereby exposing the company to potential cyber threats.
However, Judge Engelmayer rejected most other charges against SolarWinds and Brown, characterizing many of the company’s cybersecurity declarations as generic corporate assurances that are not legally actionable.
Citing precedents within the district, he further noted that requiring companies to detail their cybersecurity precautions with utmost precision could inadvertently provide valuable information to malicious actors.
Throughout the document, Judge Engelmayer defended SolarWinds’ handling of the Sunburst incident, stating that the company effectively communicated its knowledge to the public and investors at the time. He determined that the risk disclosures made by SolarWinds during the cyberattacks were accurate, and the SEC could not convincingly argue that Brown was aware of any inaccuracies in the company’s public statements.
This case represents the SEC’s initial effort to hold corporations accountable for public and regulatory declarations regarding cybersecurity. However, the charges have elicited strong criticism from the cybersecurity community, with many suggesting that the repercussions of the SolarWinds case could deter industry transparency and cooperation.
