On July 18, 2024, a federal judge in the Southern District New York dismissed a large portion of the SEC’s cybersecurity enforcement lawsuit against SolarWinds and its Chief Information Security Officer (CISO). In a notable setback to the SEC, the court rejected the agency’s novel theories that the company’s cybersecurity failures and subsequent disclosures regarding the breach violated the internal accounting controls and disclosure controls provisions of the federal securities laws. The decision provides needed clarity around the scope of the agency’s enforcement authority in the realm of cybersecurity.
Background
In December 2020, SolarWinds announced that an unknown threat actor had compromised its flagship software product, Orion. The cyber incident, later dubbed SUNBURST, involved a “highly sophisticated, targeted and manual supply chain attack by an outside nation state.”
The compromise of the SolarWinds Orion product was particularly significant because the software was used by thousands of government and private sector customers to monitor their networks and other IT systems. Subsequent forensic analysis determined that the compromise of Orion enabled an extensive series of cyberattacks on SolarWinds customers that occurred between January 2019 and November 2020. According to the SEC, hackers infiltrated SolarWinds’ corporate VPN, conducted reconnaissance, collected data, identified vulnerabilities, and harvested credentials of SolarWinds employees. The hackers then attempted to push malware out to SolarWinds customers and infiltrate their networks.
On October 30, 2023, the SEC sued SolarWinds and its CISO, alleging violations of the antifraud, internal accounting and disclosure controls provisions.