Judge tosses out most of SEC cybersecurity case against SolarWinds

pppLeadershipppCybercrimeppNationstateppElectionsppTechnologyppCyber DailyppClick Here Podcastpp Free Newsletterpp A US District Court judge dismissed most of a landmark case against software company SolarWinds throwing cold water on attempts by the federal government to punish the firm after it was hit by Russias Sunburst hacking campaign  pp In a 107page decision published on Thursday US District Judge Paul Engelmayer in Manhattan said most of the governments charges against Solarwinds impermissibly rely on hindsight and speculation pp For the foregoing reasons the Court grants in part and denies in part defendants motion to dismiss Engelmayer wrote pp The SEC declined to comment on the decision or answer questions about potential appeals SolarWinds now has 14 days to respond to the charges that are still in place  pp A SolarWinds spokesperson said they were pleased with the decision and look forward to the next stage where they can present evidence showing why the remaining claim is factually inaccurate pp We are also grateful for the support we have received thus far across the industry from our customers from cybersecurity professionals and from veteran government officials who echoed our concerns with which the court agreed the spokesperson said  pp The Securities and Exchange Commission SEC announced in October that it planned to charge the company and its Chief Information Security Officer Timothy Brown with fraud for their role in allegedly lying to investors by overstating SolarWinds cybersecurity practices and understating or failing to disclose known risks from 2017 to 2021  pp The SEC also said the company lied to investors in 8K filings by not immediately realizing and explaining that two customer reports of cyberattacks were part of a larger Russian campaign  pp The case revolved around Brown and SolarWinds actions before during and after the Sunburst incident a nearlytwo year cyberattack that the US government attributed to the Russian Foreign Intelligence Service pp Hackers found a way to insert malware into a version of SolarWinds Orion IT monitoring application allowing Russian operatives to gain a foothold in highvalue targets They used the access to deploy additional malware to compromise internal and cloudbased systems and steal sensitive information over several months pp The attack allowed Russian hackers to infiltrate several large companies as well as the Defense Department Justice Department Commerce Department Treasury Department the Department of Homeland Security the State Department the Department of Energy and more pp SolarWinds and Brown submitted a motion to dismiss earlier this year arguing that the SEC was unfairly targeting the victim of a nationstate attack and misusing past generalized cybersecurity statements as a cudgel against them  pp Engelmayer validated the SEC charges that centered on Solarwinds Security Statement writing that the companys claims of stringent cybersecurity practices were materially misleading and false pp In essence the Statement held out SolarWinds as having sophisticated cybersecurity controls in place and as heeding industry best practices In reality based on the pleadings the company fell way short of even basic requirements of corporate cyber health the judge wrote pp Its passwords including for key products were demonstrably weak and the company gave far too many employees unfettered administrative access and privileges leaving the door wide open to hackers and threat actors pp But Engelmayer threw out almost every other charge levied against SolarWinds and Brown arguing that many of the companys other statements about cybersecurity amounted to nonactionable corporate puffery pp He added that other decisions in the district have proven that antifraud laws do not require cautions to be articulated with maximum specificity arguing that doing so would backfire in many ways and potentially arm hackers with information they could exploit   pp Engelmayer throughout the filing defended SolarWinds response to the Sunburst attack writing that the company adequately shared what it knew at the time with the public and with investors  pp The risk disclosure issued by Solarwinds at the time of the cyberattacks was not inaccurate but according to Engelmayer the SEC cannot plausibly allege that Brown actually understood that SolarWinds public statements were inaccurate pp The Court accordingly does not find either Form 8K false or misleading he added  pp The case was considered the first attempt by the SEC to hold companies liable for cybersecurity claims made in public and in official regulatory documents But the agency has faced withering backlash from the cybersecurity community over the charges with many arguing that the SolarWinds case and other prominent incidents would have a chilling effect on the industry ppJonathan Greigppis a Breaking News Reporter at Recorded Future News Jonathan has worked across the globe as a journalist since 2014 Before moving back to New York City he worked for news outlets in South Africa Jordan and Cambodia He previously covered cybersecurity at ZDNet and TechRepublicppPrivacyppAboutppContact Uspp Copyright 2024 The Record from Recorded Future Newsp