The Securities and Exchange Commission (SEC) announced on Thursday that it will dismiss its lawsuit against SolarWinds, a company previously accused of misleading investors regarding its cybersecurity measures. The lawsuit, which was filed in 2023, alleged that SolarWinds and its chief information security officer, Timothy Brown, committed fraud by failing to disclose significant cybersecurity vulnerabilities from the company’s initial public offering in October 2018 until December 2020.
The case drew attention due to the high-profile nature of the cybersecurity breach it involved. In late 2020, it was revealed that hackers linked to the Kremlin had used what became known as the Sunburst trojan. This malware allowed unauthorized access to the SolarWinds Orion IT management software, facilitating breaches of multiple federal agencies, including the National Nuclear Security Administration.
Dismissal of the Case
The SEC’s dismissal notice was filed in the Southern District of New York, where the case was being litigated. This lawsuit marked a significant moment in cybersecurity law, as a victim of a cyberattack faced potential prosecution by the government. Last year, numerous cybersecurity leaders raised concerns that such legal actions might deter companies from enhancing their cybersecurity measures and could impact leadership retention in the field.
A spokesperson for SolarWinds expressed satisfaction with the dismissal, stating, “We are clearly delighted with the dismissal of the case against SolarWinds and our CISO, Tim Brown. We fought with conviction, arguing that the facts demonstrated our team acted appropriately—this outcome is a welcome vindication of that position.” The spokesperson also noted that the resolution of this case should alleviate concerns expressed by Chief Information Security Officers (CISOs) regarding the potential chilling effects of the lawsuit on their work.
Implications and Reactions
The lawsuit’s dismissal allows SolarWinds to refocus its efforts on delivering value to its customers while emphasizing security and innovation. The case had significant implications for federal networks, given the government’s reliance on SolarWinds’ IT management software. The breach prompted a comprehensive cybersecurity executive order issued by former President Joe Biden in 2021, aiming to strengthen national cybersecurity protocols.
In July 2024, U.S. District Judge Paul Engelmayer dismissed most of the claims made by the SEC, emphasizing that the claims over disclosures made after the discovery of the Sunburst malware rested on hindsight. Judge Engelmayer ruled that the SEC could only pursue fraud claims for actions that occurred prior to the identification of the breach. He stated, “As to pre-SUNBURST disclosures, the Court sustains the SEC’s claims of securities fraud based on the company’s Security Statement. That statement is viably pled as materially false and misleading in numerous respects.”
The SolarWinds compromise has led to significant discussions within the cybersecurity community. It resulted in the establishment of the Cyber Safety Review Board, a group hosted by the Department of Homeland Security and tasked with studying major cybersecurity incidents. The board was disbanded at the beginning of the second Trump administration, highlighting the ongoing challenges in addressing cybersecurity at a national level.
The SEC’s decision to drop the lawsuit against SolarWinds reflects a complex interplay between regulatory oversight, corporate accountability, and the pressing need for robust cybersecurity measures in an increasingly digital world. As organizations navigate these challenges, the outcome of this case may influence future legal actions related to cybersecurity disclosures and corporate governance.