A U.S. District Court judge on Thursday dismissed major parts of an SEC lawsuit charging SolarWinds and its CISO Timothy Brown with covering up software security vulnerabilities before and after a major supply chain attack in 2020.
In a 107-page ruling, New York Judge Paul Engelmayer upheld parts of the SEC claims after Solarwinds but threw out controversial claims that the company’s security chief misled investors about its cybersecurity practices and known risks.
“These do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation,” Judge Engelmayer declared.
The court did sustain the SEC’s claims of SolarWinds securities fraud, noting they were “materially false and misleading in numerous aspects.”
The court also dismissed all SEC claims related to SolarWinds internal accounting and disclosure controls and procedures.
The case has been closely watched since the SEC decided to personally include SolarWinds Chief Information Security Officer (CISO) in the charges, spooking much of the security leadership community.
The charges stemmed from alleged fraud and internal control failures related to known cybersecurity weaknesses that took place between the company’s October 2018 initial public offering (IPO) and its December 2020 revelation of a sophisticated cyberattack dubbed “SUNBURST.”
The software supply chain cyberattack involved Russia-linked threat actors breaching SolarWinds systems in 2019, or possibly even earlier. The hackers compromised the automated build environment for the company’s Orion monitoring software, and in the spring of 2020 they pushed out malicious Orion updates to SolarWinds customers.
Related: Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO
Related: Feedback Friday: Reactions to SEC Charging SolarWinds CISO
Related: SolarWinds Outlines ‘Triple Build’ Software Development Model
Related: SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures
