SolarWinds Seeks Dismissal of Unfounded SEC Cybersecurity Suit

p Connecting decision makers to a dynamic network of information people and ideas Bloomberg quickly and accurately delivers business and financial information news and insight around the world ppAmericas1 212 318 2000 ppEMEA44 20 7330 7500 ppAsia Pacific65 6212 1000 pp Connecting decision makers to a dynamic network of information people and ideas Bloomberg quickly and accurately delivers business and financial information news and insight around the world ppAmericas1 212 318 2000 ppEMEA44 20 7330 7500 ppAsia Pacific65 6212 1000 ppBy Skye WitleyppSolarWinds Corp issued a fullthroated denial of wrongdoing in how it handled one of the worst cyberattacks in history in a Friday court filing seeking the dismissal of US Securities and Exchange Commission allegations that its software security representations defrauded investors and violated rules on controls ppSolarWinds argued that it disclosed risks with legally sound specificity prior to a Russian state hack of its Orion platform and correctly informed investors of the breachs potential impact during the immediate aftermath according to a dismissal motion and supporting memorandum filed in New York federal court Cybercriminals breached about 100 organization networks that employed the software including large corporations and federal agencies ppThe public company and Chief Information Security Officer Tim Brown which the SEC named as defendants are pursuing a rare challenge to the agencys firstofitskind enforcement action which alleges securities fraud and controls violations The defendants claim the SECs action if successful would broaden the agencys powers and heighten the requirements for publicly disclosing an organizations cybersecurity posture ppSolarWinds made proper accurate disclosures both before and after the unprecedented SUNBURST cyberattack which is why this case should be dismissed said Serrin Turner a Latham Watkins LLP partner representing SolarWinds in the case in a statement to Bloomberg Law The SEC is trying to move the goalposts and force companies to disclose internal details about their cybersecurity programs which would be both impractical and dangerousppThe SEC didnt immediately return a request for comment In a prior statement to Bloomberg Law Director Gurbir S Grewal of the agencys enforcement division said cases like this empower CISOs by giving them the credibility and traction they need to effectively advise their company leadership of the consequences of noncomplianceppCharges that SolarWinds defrauded investors with falsified public statements should be dismissed because the company materially warned investors of a potential nationstate cyberattack before succumbing to the SUNBURST attack according to the motion ppThe securities regulators original complaint described risk disclosures to the agency as hypothetical generalized and boilerplate citing flaws with the companys virtual private network network and an internal cybersecurity assessment But those represented granular cybersecurity concerns that SolarWinds need not disclose to investors the motion said ppSolarWinds also contested the notion that it omitted crucial information from a Form 8K filed publicly the first business day following the hack alleging the agency was nitpicking rather than proving the company made materially misleading statements ppWhile the SECs complaint faulted the software maker for not disclosing that at least three organizations had already been impacted by the Orion vulnerability the dismissal motion said SolarWinds was entitled to conduct a more thorough investigation before reaching any definitive conclusions ppThe company also called for Judge Paul A Engelmayer to dismiss charges that SolarWinds violated internal accounting controls rules by failing to adequately protect its network from attack The SEC conflated controls used in financial accounting and auditing contexts with internal cybersecurity controls the motion argued ppIf Congress had meant to authorize the SEC to serve as some sort of roving cybersecurity commissioner for public companies it would have said so in plainer terms and there would have been some discussion of it in the legislative history the filing said ppBrown is the first executive of a public company to face SEC charges related to cybersecurity which the agency based on public statements and signatures on internal security attestations it alleges helped mislead investors ppBut Brown didnt aid and abet the alleged fraud or controls violations by signing documents about SolarWinds cybersecurity the filing argued because the statements in question werent intended for investors Neither did he seek to knowingly violate the disclosure or internal account controls it said ppThe motion to dismiss called Browns involvement in the suit not only unwarranted but inexplicableppThe case is SEC v SolarWinds Corp SDNY No 123cv09518 motion to dismiss filed 12624ppTo contact the reporter on this story Skye Witley at switleybloombergindustrycomppTo contact the editor responsible for this story Tonia Moore at tmoorebloombergindustrycompp AIpowered legal analytics workflow tools and premium legal business news pp Log in to keep reading or access research tools p