A U.S. choose dismissed most of a Securities and Alternate Fee lawsuit accusing software program firm SolarWinds of defrauding traders by concealing its safety weaknesses earlier than and after a Russia-linked cyberattack focusing on the U.S. authorities.
U.S. District Choose Paul Engelmayer in Manhattan dismissed all claims in opposition to SolarWinds and chief data safety officer Timothy Brown over statements made after the assault, saying the claims have been primarily based on “hindsight and hypothesis.”
In a 107-page determination on Thursday, the choose additionally dismissed most SEC claims regarding statements predating the assault, aside from securities fraud claims primarily based on a press release on SolarWinds’ web site touting the corporate’s safety controls.
The SEC declined to remark.
SolarWinds stated it was happy with the choice, and referred to as the remaining declare in opposition to the corporate “factually inaccurate.” Brown’s legal professionals didn’t instantly reply to requests for remark.
The practically two-year cyberattack often called Sunburst focused Austin, Texas-based SolarWinds by utilizing its flagship Orion software program platform to infiltrate U.S. authorities networks.
A number of federal businesses together with the Departments of Commerce, Vitality, Homeland Safety, State and Treasury have been compromised earlier than the assault was revealed in December 2020.
Its full penalties stay unknown, and the U.S. authorities has stated Russia seemingly orchestrated the assault. Russia has denied accountability.
The SEC case filed final October seemed to be the primary focusing on an organization that fell sufferer to a cyberattack, the place the regulator didn’t announce a simultaneous settlement.
Associated: SEC Sues SolarWinds for Concealing Risks Before Massive Hack
It’s also uncommon for the SEC to sue public firm executives who, like Brown, should not intently concerned in making ready monetary statements.
The SEC alleged that SolarWinds hid the porous cybersecurity of its merchandise earlier than the assault, and downplayed the assault’s severity after it occurred.
It additionally stated SolarWinds hid how clients had warned about malicious exercise involving Orion.
However the choose stated anti-fraud legal guidelines don’t require that threat warnings include “most specificity,” a course of that would backfire if the warnings armed cyberattackers with further data to take advantage of.
Engelmayer additionally stated SolarWinds acknowledged it couldn’t be anticipated to stop each cyberattack, and had no obligation to reveal particular person incidents.
“It has already disclosed the chance of those as, regrettably, a reality of life,” the choose wrote.
The case is SEC v. SolarWinds Corp et al, U.S. District Courtroom, Southern District of New York, No. 23-09518.
Concerned about Cyber?
Get automated alerts for this matter.
