Hooray: Judge Dismisses Most of SEC Case Against SolarWinds and CISO

A U.S. judge has largely dismissed a Securities and Exchange Commission (SEC) lawsuit against SolarWinds, a software company, alleging it defrauded investors by hiding its security vulnerabilities before and after a Russia-linked cyberattack targeting the U.S. government.  

‍

U.S. District Judge Paul Engelmayer in Manhattan dismissed all claims against SolarWinds and its Chief Information Security Officer, Timothy Brown, related to post-attack statements, labeling these claims as based on "hindsight and speculation."

‍

In a 107-page decision, Judge Engelmayer also dismissed most SEC claims regarding pre-attack statements, except for those concerning a statement on SolarWinds' website about the company's security controls.  

‍

SolarWinds expressed satisfaction with the ruling, calling the remaining claim "factually inaccurate." Brown’s lawyers did not comment, nor did the SEC, as reported by Reuters.

‍

The Sunburst cyberattack, targeting SolarWinds' Orion software platform, compromised several U.S. federal agencies before being revealed in December 2020. The U.S. government suspects Russian involvement, which Russia denies.  

‍

This SEC lawsuit, filed last October, is notable as it targets a company victimized by a cyberattack without announcing a simultaneous settlement and for involving an executive not closely tied to financial statements.

‍

The SEC accused SolarWinds of downplaying its cybersecurity issues and the attack's severity while hiding customer warnings about malicious activity involving Orion. However, Judge Engelmayer noted that anti-fraud laws do not mandate "maximum specificity" in risk warnings, which could inadvertently aid attackers.  

‍

He stated that SolarWinds had no obligation to disclose individual incidents, acknowledging cyberattacks as an unfortunate reality. "It has already disclosed the likelihood of these as, regrettably, a fact of life," he wrote.

‍

Takeaway: The SEC action against SolarWinds was deeply flawed and counterproductive. Regulatory and legal actions taken against companies who were the victim of a major cyberattack in order to compel transparency ironically leads to less transparency.  

‍

Although the case against SolarWinds was largely dismissed, the damage is already done. This little episode will likely create more top-down pressure to be less forthcoming following a incident, ultimately harming security.

‍

As well, legal and regulatory actions against executives at companies like Uber and SolarWinds reveals a troubling shift in liability for security-related decisions.  

‍

Leadership is increasingly being targeted, suggesting that victims of attacks could face prosecution and even jail time, especially if sensitive data is compromised. This trend underscores the government's failure to protect organizations from ransomware attacks, highlighting its own ineptitude.

‍

When unable to defend organizations against state-sponsored cyber operations effectively, the government re-victimizes attack victims, claiming they are addressing the problem while exacerbating it.  

‍

Greater visibility and accountability in security-related events for publicly traded companies is beneficial, but conflating disclosure with investor education can be dangerous.

‍

Firstly, anyone versed in cybersecurity understands that a determined attacker with ample resources will eventually succeed, and that forensic investigations are complex and time-consuming.  

‍

The SEC's four-day disclosure rule, without adequate investor education, risks disclosing attacks prematurely, with murky details taking weeks or months to clarify. This creates unrealistic demands from investors for immediate details, making company leadership appear incompetent and undermining investor confidence.

‍

Leadership, under pressure to provide incomplete information as investigations unfold, faces "death by a thousand cuts."  

‍

Immediate disclosure without complete answers can create confusion and anxiety among investors, prompting overreactions to potentially minor security events.  

‍

The SEC rules could also negatively impact security culture within organizations. Security teams may feel pressured to withhold information from leadership unless absolutely necessary, hindering effective security operations.

‍

Ultimately, these factors culminate in a scenario where organizations, already struggling to defend against ransomware and data extortion, now also face the threat of punitive regulatory measures. This overzealous regulatory landscape re-victimizes these organizations, compounding their challenges.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.