A federal court has dismissed most of the SEC’s complaint against software company SolarWinds for alleged securities laws violations related to the SUNBURST cyberattack. A sliver of the SEC’s case against SolarWinds and its CISO Timothy Brown survives: the allegations regarding misstatements in the company’s public Security Statement. Now, the SEC will have the opportunity to develop evidence of these alleged securities law violations through discovery in the case.
SolarWinds sells IT management software used to monitor and manage computer networks, systems, and applications. According to the motion to dismiss decision, 499 of Fortune 500 companies were SolarWinds customers. SolarWinds’ Orion platform—a comprehensive network and system management software—is used by tens of thousands of organizations, including government agencies, healthcare providers, schools, banks, and other public corporations.
In December 2020, the Washington Post reported multiple government agencies were breached through the Orion platform. The breaches resulted from a two-year cyberattack—dubbed SUNBURST—by hackers who likely worked for the Russian Foreign Intelligence Service. The hackers gained highest level access to SAML token-signing certificates, which are used to facilitate single sign-on (SSO) systems (where users can authenticate one time and gain access to multiple applications or services). The hackers used this access to gain trusted and highly privileged access to SolarWinds’ customer networks. It’s estimated that the attack cost cyber insurance firms $90 million.
After the attack, investors filed a class action lawsuit that SolarWinds settled for $26 million in 2022. In October 2023, the SEC charged SolarWinds with fraud and internal control failures, alleging SolarWinds and its CISO “defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.”
The allegations in the SEC’s complaint against SolarWinds predominantly fall in two categories: (1) claims based on alleged misrepresentations regarding cybersecurity practices, products, and risks before the SUNBURST attack (“pre-SUNBURST disclosures”); and (2) claims based on misrepresentations regarding the scope and severity of the SUNBURST attack in its immediate aftermath (“post-SUNBURST disclosures”). The federal court dismissed all the SEC’s claims regarding the post-SUNBURST disclosures. It also dismissed most of the SEC’s claims based on pre-SUNBURST disclosures, except for allegations regarding misrepresentations in the Security Statement on SolarWinds’ website. The court also dismissed claims based on the SEC’s novel theory that SolarWinds violated SEC requirements for establishing and maintaining internal accounting control systems due to these cybersecurity failings. Going forward, the focus of the litigation will likely be on the statements in SolarWinds’ Security Statement, and what SolarWinds and its CISO knew about its cybersecurity vulnerabilities, and when.
The SolarWinds complaint reflected a marked shift in the SEC’s cybersecurity enforcement strategy in two ways: (1) the SEC brought charges against an individual—the CISO—in addition to the company; and (2) it alleged SolarWinds intentionally deceived investors, unlike its prior actions where it alleged companies behaved negligently. Even though its lawsuit has been significantly narrowed by this court decision, the agency’s approach to this case signals its increasing focus on cyberfraud, which is notable considering the SEC already has a robust track record in cybersecurity enforcement and shows no signs of slowing down. Since 2015, the SEC has taken numerous enforcement actions against companies and individuals based on: (1) failures to disclose cyberbreaches to investors and to the SEC, or misrepresentations regarding known breaches; (2), failures to safeguard public data from cyberbreaches; (3) failures to establish adequate cybersecurity policies and procedures; and (4) more traditional securities laws violations (insider trading, failing to file SARs) involving cybersecurity vulnerabilities. These actions demonstrate the SEC's ongoing commitment to addressing cybersecurity failures through federal securities laws.