Sizable Chunk of SEC Charges Against SolarWinds Tossed Out of Court

A judge has dismissed a major portion of the Securities and Exchange Commission (SEC) litigation against SolarWinds and its chief information security officer (CISO), Tim Brown, ruling that they cannot be held liable for statements and filings made after the breach of the company's flagship Orion product.

However, the SEC can proceed with its charge against SolarWinds and Brown for misrepresentations made about the company's cybersecurity posture leading up to the cyberattack, according to the ruling from US District Court Judge Paul A. Engelmayer released on July 18. Court filings refer to the cyber incident as "Sunburst."

The ruling is in response to SolarWinds' motion to dismiss the SEC lawsuit filed in January of this year.

SolarWinds Information-Sharing "Vindicated"

Legal and cybersecurity experts say the ruling is a positive move toward providing guidance to other publicly traded companies on how to deal with cybersecurity incident disclosure regulations.

"For public companies rushing both to investigate an incident and make a materiality disclosure, the court's opinion allows the totality of the disclosure to prevail over the nitty-gritty details," says cyber attorney Beth Burgin Waller of Woods, Rogers, Vandeventer, Black PLC. "This decision vindicates SolarWinds' information sharing with the cybersecurity community post-incident."

While the ruling removes many of the charges against SolarWinds and Brown, the SEC will be allowed to pursue action for statements and other claims made about the cybersecurity posture of the company prior to its compromise. Disclosures and statements made about the company's security posture prior to the breach are "viably pled as materially false and misleading in numerous aspects," the judge wrote.

After joining SolarWinds in 2017, Brown internally highlighted deficits in the company's defenses while delivering more rosy assessments to customers, the ruling explained. Notably, the SolarWinds "Security Statement" falsely claimed compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

A SolarWinds spokesperson said the company was "pleased" with the ruling in a statement.

"We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate," the statement said. "We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed."

CISO Hot Takes

Jessica Sica, CISO with Weave, was especially encouraged by the court's decision to toss out internal communications evidence among SolarWinds employees.

"Internally, you need to be able to discuss the state of security — for better or for worse — and not have that get out as if you weren’t doing your job," Sica says. "The SEC keeping that portion in could have led to more companies having a sort of 'don’t ask, don’t tell' policy on security, and that would make things much worse."

The court ruling also loosens some constraints on CISOs, according to Fred Kwong, Ph.D., vice president, and CISO of DeVry University.

"Holding CISOs personally liable, especially those CISOs that do not hold a position on the executive committee, is deeply flawed and would have set a precedent that would be counterproductive and weaken the security posture of organizations," Kwong says. "While not out of the woods, I'm happy to see that the court has dismissed most of the charges, especially those post-Sunburst."

Regardless of the ultimate outcome of the SEC's action against SolarWinds and Brown, Sica urges fellow CISOs to continue to be transparent.

"I think this doesn’t change the fact that you need to be honest about your security posture, and that’s a good thing," Sica says. "If you are promising publicly that you are doing it."