Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Legislation & Litigation
Judge Dismisses Most SEC Fraud Claims Against SolarWinds
Feds Can Proceed With Claims About Falsehoods in SolarWinds Security StatementA judge Thursday dismissed most of the claims federal regulators made against SolarWinds related to allegedly misleading investors about the company's cybersecurity practices and risks.
See Also: 2024 Report: Mapping Cyber Risks from the Outside
District Judge Paul Engelmayer ruled Thursday that the U.S. Securities and Exchange Commission can proceed only with claims related to the security statement issued by SolarWinds before the Russian Foreign Intelligence Service hack became public in December 2020, determining that a jury could conceivably find the company's security statement materially false or misleading.
All allegations around SolarWinds' disclosures after the hack became public were dismissed, as Engelmayer determined the SEC relied on hindsight and speculation and didn't identify actionable deficiencies in SolarWinds' reporting. The judge also dismissed SEC claims around SolarWinds' internal accounting and disclosure controls, determining that had been inadequately pleaded by the SEC.
Disclosures made by SolarWinds around its security practices via press releases or blogs before the hack became public also were dismissed, as Engelmayer ruled investors weren't relying on those as a basis for decision-making. Engelmayer said the case against SolarWinds isn't affected by the new SEC cybersecurity rules adopted in July 2023 since the conduct in question predates those rules.
"The court denies in part, but grants in large part, the motion to dismiss," Engelmayer wrote in a 107-page opinion. "As the SEC acknowledges, this case is the first in which it has brought an accounting control claim based on an issuer's cybersecurity failings."
Where the Judge Believes the SEC Has a Case
The SEC sued SolarWinds in October and accused the Austin-based company of material omissions and misstatements in its Security Statement, podcasts, press releases, blog posts and disclosures. The claims focused largely on allegedly inaccurate statements in SEC filings, particularly SolarWinds' cybersecurity risk disclosure as well as the company's disclosures following news of the hack becoming public (see: SEC Alleges SolarWinds, CISO Tim Brown Defrauded Investors).
Overall, Engelmayer found sufficient grounds for the government's securities fraud and scheme liability claims based on disclosures made before the Russian hack became public, but he dismissed the SEC's claims related to certain post-hack disclosures as well as statements the judge deemed non-actionable puffery. The SEC declined to comment on Engelmayer's opinion (see: SolarWinds Requests Court Dismiss Regulator's Fraud Case).
"We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims," SolarWinds said in a statement emailed to Information Security Media Group. "We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate."
Specifically, SolarWinds' security statement claimed strong access controls, but the SEC said widespread granting of administrative rights to employees was internally recognized but not publicly disclosed. Also, the security statement claims robust password practices, but the SEC found the company's weak practices around simple and unencrypted passwords were documented internally but not publicly.
Engelmayer said SolarWinds CISO Tim Brown - a named defendant in the SEC lawsuit - knew of the company's deficiencies in access controls and password policies and acknowledged them internally but nonetheless allowed the misleading security statement to remain on SolarWinds' website. Since Brown is a company employee, the judge said SolarWinds can also be liable for the misrepresentations.
"Brown knew of the substantial body of data that impeached the Security Statement's content as false and misleading," Engelmayer said. "His conduct in allowing the statement to issue publicly, and to remain in place for years, in the face of company practices inconsistent with it, is plausibly plead as 'highly unreasonable or extreme misconduct.'"
What Didn't Pass Muster With the Judge
Following news of the Russian hack going public, the SEC alleged SolarWinds acted misleadingly by not disclosing earlier reports of malicious activity from the U.S. Department of Justice and Palo Alto Networks. But Engelmayer ruled SolarWinds' disclosure was sufficiently detailed, given the evolving understanding of the attack, and did not materially mislead investors.
The SEC also alleged that SolarWinds failed to maintain adequate internal accounting controls due to weak access controls, poor password policies and VPN security gaps exposing vital source code, databases and products. But Engelmayer ruled that "internal accounting controls" pertain specifically to financial accounting, not security measures, and therefore don't extend to all systems protecting assets.
"Cybersecurity controls are undeniably vitally important, and their failures can have systemically damaging consequences," Engelmayer said. "But these controls cannot fairly be said to be in place to 'prevent and detect errors and irregularities that arise in the accounting systems of the company.'"
The SEC alleged that SolarWinds' misclassification of incidents as lower-severity stopped proper disclosures by top executives, and federal regulators pointed to a failure to elevate a VPN vulnerability for executive review, which they said indicated systemic deficiencies in disclosure controls. But Engelmayer said isolated misclassifications don't indicate systemic deficiencies, and a single lapse doesn't suggest a broad failure.
Engelmayer also dismissed related claims of aiding and abetting made against CISO Tim Brown.