A significant portion of the Securities and Exchange Commission (SEC) lawsuit against SolarWinds and its chief information security officer (CISO), Tim Brown, has been dismissed by a judge. The ruling states that they cannot be held responsible for statements and filings made after the breach of the company’s flagship Orion product.
However, the SEC is allowed to proceed with its charge against SolarWinds and Brown for misrepresentations regarding the company’s cybersecurity posture leading up to the cyberattack. The decision was issued by US District Court Judge Paul A. Engelmayer in a ruling released on July 18, which refers to the cyber incident as “Sunburst.”
SolarWinds had filed a motion to dismiss the SEC lawsuit earlier this year, and this ruling is a response to that motion.
SolarWinds Information-Sharing “Vindicated”
Legal and cybersecurity experts view this ruling as a positive step towards providing guidance to other publicly traded companies on how to handle cybersecurity incident disclosure regulations.
Cyber attorney Beth Burgin Waller of Woods, Rogers, Vandeventer, Black PLC, commented, “For public companies rushing to investigate an incident and make a materiality disclosure, the court’s opinion emphasizes the importance of the overall disclosure rather than focusing on minor details. This ruling supports SolarWinds’ information sharing with the cybersecurity community post-incident.”
Although many charges against SolarWinds and Brown have been dropped, the SEC can still pursue action for statements made about the company’s security posture prior to the breach. The judge found that the company’s pre-breach disclosures and statements regarding its security posture were materially false and misleading in several respects.
After joining SolarWinds in 2017, Brown pointed out deficiencies in the company’s defenses internally while presenting a more positive image to customers. Notably, the SolarWinds “Security Statement” falsely claimed compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
In a statement, a SolarWinds spokesperson expressed satisfaction with the ruling, said the company looks forward to presenting evidence to refute the remaining claim, and expressed appreciation for the support received from various industry stakeholders.
CISO Hot Takes
Jessica Sica, CISO at Weave, welcomed the court’s decision to exclude internal communications among SolarWinds employees from the case.
Sica emphasized the importance of being able to discuss security internally without fear of repercussions, stating that the SEC’s inclusion of such communications in a case could lead to a culture of secrecy detrimental to security practices.
Fred Kwong, Ph.D., Vice President and CISO of DeVry University, noted that holding CISOs personally liable, especially those not on the executive committee, could weaken organizations’ security posture. He expressed relief at the dismissal of most charges, particularly those post-Sunburst.
Despite the ongoing SEC action, Sica advised CISOs to remain transparent about their security posture, emphasizing the importance of honesty in public promises regarding security measures.