US Court Rejects Securities & Exchange Commission Charges Against SolarWinds Over Russia-linked Cyberattack

US Court Rejects Securities & Exchange Commission Charges Against SolarWinds Over Russia-linked Cyberattack

The allegations against the chief information security officer Timothy Brown were also quashed

The US District Court - Southern District of New York has dismissed claims against SolarWinds by the Securities and Exchange Commission (SEC). The Commission accused the software company of defrauding investors by concealing its security weaknesses before and after a Russia-linked cyberattack targeted the US government.

In the SEC v. SolarWinds Corp et al case, the US District Judge Paul A. Engelmayer rejected the allegations against SolarWinds and chief information security officer Timothy Brown over statements made after the attack. The judge stated that the claims were based on ‘hindsight and speculation’.

In a 107-page decision, the bench also rejected the accusations concerning securities fraud based on SolarWinds' website statement asserting the company's security controls.

The cyberattack known as Sunburst targeted Austin, Texas-based SolarWinds by using its flagship Orion software platform to infiltrate the US government networks.

Several federal agencies including the Departments of Commerce, Energy, Homeland Security, State and Treasury were compromised before the attack was revealed in December 2020.

While the US government accused Russia of orchestrating the attack, the latter denied it. Meanwhile, the full consequences of the attack remain a mystery.

Filed in October last, the SEC case was the first that targeted a company becoming a cyberattack victim. The regulator did not announce a simultaneous settlement. It was rare for the Commission to sue public company executives, not closely involved in formulating financial statements.

The Commission alleged that SolarWinds hid the porous cybersecurity of its products before the attack and later, downplayed the severity. It added that the software company concealed customers’ warnings about the malicious activity involving Orion.

However, the court held that anti-fraud laws did not require that risk warnings contain ‘maximum specificity’, a process that could backfire if the caveats armed the cyber-attackers to exploit the information.

The judge stated that SolarWinds acknowledged that it could not be expected to prevent every cyberattack and had no duty to disclose individual incidents.

Judge Engelmayer held, "It has already disclosed the likelihood of these as, regrettably, a fact of life.”