SolarWinds appears off the hook over a U.S. Securities and Exchange Commission (SEC) lawsuit accusing the company and its CISO of defrauding investors by way of lax cybersecurity practices after a federal judge dismissed the case.
In New York City on Thursday, U.S. Federal Judge Paul Engelmayer dismissed most of the SEC's lawsuit alleging that SolarWinds concealed its security vulnerabilities before and after a Russia-linked cyberattack that also impacted parts of the U.S. federal government, Reuters reported.
The SEC alleged that SolarWinds hid the cybersecurity vulnerabilities of its products before the attack and downplayed the attack's severity after it occurred. The court's 107-page decision dismissed all claims against SolarWinds and Chief Information Security Officer Timothy Brown that pertained to statements made after the attack. Brown reportedly said the comments were made in "hindsight and speculation."
It's rare for the SEC to sue public company executives. A CISO like Brown is not closely involved in preparing financial statements. Perhaps the SEC will be more cautious in how it pursues such cases in the future. Regardless, how might the ruling factor into the future of MSSPs and MSPs?
Attorney Eric Tilds told MSSP Alert that the ruling is certainly a blow to the SEC's efforts to opine on the cybersecurity practices of SEC-regulated companies.
"The good news is that most, but not all, of the claims against SolarWinds’ CISO Timothy Brown were dismissed, under the theory that Brown’s bosses were ultimately responsible for the allegedly erroneous SEC filings," Tilds said. "I don’t think this is the end of SEC enforcement actions in this arena, although this shows that the SEC should likely rethink its 'shotgun' approach to cases like these and instead apply a narrower focus."
In seeking dismissal of the case, SolarWinds contended that documents, including its self-assessments performed under the National Institute of Standards and Technology (NIST) framework, show a robust cybersecurity program.
“We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims," a SolarWinds spokesperson told MSSP Alert. "We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate. We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed."
Malicious Code Lurked for Months
In the infamous December 2020 attack, hackers targeted Austin, Texas-based SolarWinds by deploying malicious code into its Orion IT remote monitoring and management (RMM) software, which is used by thousands of businesses and government agencies worldwide. The Russian group known as Cozy Bear/Nobelium, which reportedly made off with vital information, is widely named as the attacker.
Roughly 18,000 SolarWinds customers among a total of more than 30,000 had downloaded the malware-infected software, though the number of fully compromised victims ended up in the hundreds. IT companies and telecoms were included in the infiltration. The U.S. Departments of Commerce, Energy, Homeland Security, State and Treasury were compromised before the attack was revealed in December 2020.
It's widely believed that attackers first gained access in September 2019 through a third-party user with access to SolarWinds’ IT systems. As the attack was not publicly discovered or reported until December 2020, attackers may well have had 14 or more months of unfettered access.