Judge dismisses key claims in SEC lawsuit on 2020 SolarWinds hack


The original lawsuit faced pushback from dozens of cybersecurity executives.

A federal district court judge on Thursday dismissed most claims in a Securities and Exchange Commission lawsuit against SolarWinds that alleged the company defrauded investors because it deliberately hid knowledge of cyber vulnerabilities in its systems ahead of a major security breach discovered in 2020.

In late 2020 it was revealed that Kremlin-linked hackers had used what later became known as the Sunburst trojan to access SolarWinds’s Orion IT management software, letting the Russian operatives breach the networks of multiple federal agencies, including the National Nuclear Security Administration.

The SEC last year sued the company and its CISO, alleging that in company statements and filings it concealed preexisting knowledge of the system flaws that allowed the nearly two-year-long hack to occur. But U.S. District Judge Paul Engelmayer in Manhattan ruled that claims over disclosures made after the Sunburst discovery relied on the benefit of hindsight and that the SEC can only pursue fraud claims for actions taken before Sunburst was unearthed.

“As to pre-SUNBURST disclosures, the Court sustains the SEC's claims of securities fraud based on the company's Security Statement. That statement is viably pled as materially false and misleading in numerous respects,” Engelmayer wrote. “The Court, however, dismisses the claims of securities fraud and false filings based on other statements and filings.”

The first-of-its-kind lawsuit, in which the victim of a cyberattack faced prosecution from the government, garnered pushback from dozens of cybersecurity leaders this year, who argued that it could set a precedent that would harm companies' efforts to boost their cyber posture and worsen cybersecurity leadership retention.

The SEC declined to comment. 

“We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims,” a SolarWinds spokesperson said in an emailed statement. “We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate. We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”

Editor's note: This article was updated July 18, 2024 with comment from SolarWinds.