Sizable Chunk of SEC Charges Against SolarWinds Tossed Out of Court

Published: 23/11/2024   Category: security




Judge dismisses claims against SolarWinds for actions taken after its systems had been breached, but allows the case to proceed for alleged misstatements prior to the incident.



A judge has dismissed a major portion of the Securities and Exchange Commission (SEC) litigation against SolarWinds and its chief information security officer (CISO), Tim Brown, ruling that they cannot be held liable for statements and filings made after the breach of the company's flagship Orion product.
However, the SEC can proceed with its charge against SolarWinds and Brown for misrepresentations made about the company's cybersecurity posture leading up to the cyberattack, according to the ruling from US District Court Judge Paul A. Engelmayer released on July 18. Court filings refer to the cyber incident as Sunburst.
The ruling is in response to SolarWinds' motion to dismiss the SEC lawsuit filed in January of this year.
Legal and cybersecurity experts say the ruling is a positive move toward providing guidance to other publicly traded companies on how to deal with cybersecurity incident disclosure regulations.
"For public companies rushing both to investigate an incident and make a materiality disclosure, the court's opinion allows the totality of the disclosure to prevail over the nitty-gritty details," says cyber attorney Beth Burgin Waller of Woods, Rogers, Vandeventer, Black PLC. "This decision vindicates SolarWinds' information sharing with the cybersecurity community post-incident."
While the ruling removes many of the charges against SolarWinds and Brown, the SEC will be allowed to pursue action for statements and other claims made about the cybersecurity posture of the company prior to its compromise. Disclosures and statements made about the company's security posture prior to the breach are viably pled as materially false and misleading in numerous aspects, the judge wrote.
After joining SolarWinds in 2017, Brown internally highlighted deficits in the company's defenses while delivering more rosy assessments to customers, the ruling explained. Notably, the SolarWinds Security Statement falsely claimed compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
A SolarWinds spokesperson said the company was pleased with the ruling in a statement.
"We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate," the statement said. "We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed."
Jessica Sica, CISO with Weave, was especially encouraged by the court's decision to toss out internal communications evidence among SolarWinds employees.
"Internally, you need to be able to discuss the state of security — for better or for worse — and not have that get out as if you weren’t doing your job," Sica says. "The SEC keeping that portion in could have led to more companies having a sort of don’t ask, don’t tell policy on security, and that would make things much worse."
The court ruling also loosens some constraints on CISOs, according to Fred Kwong, Ph.D., vice president and CISO of DeVry University.
"Holding CISOs personally liable, especially those CISOs that do not hold a position on the executive committee, is deeply flawed and would have set a precedent that would be counterproductive and weaken the security posture of organizations," Kwong says. "While not out of the woods, I'm happy to see that the court has dismissed most of the charges, especially those post-Sunburst."
Regardless of the ultimate outcome of the SEC's action against SolarWinds and Brown, Sica urges fellow CISOs to continue to be transparent.
"I think this doesn’t change the fact that you need to be honest about your security posture, and that’s a good thing," Sica says. "If you are promising publicly that you are doing it."
