SolarWinds beats most of US SEC lawsuit over Russia-linked cyberattack

SolarWinds beats most of US SEC lawsuit over Russia-linked cyberattack

Technology

SolarWinds beats most of US SEC lawsuit over Russia-linked cyberattack

Follow on
Follow us on Google News
 

NEW YORK (Reuters) - A US judge dismissed most of a Securities and Exchange Commission lawsuit accusing software company SolarWinds of defrauding investors by concealing its security weaknesses before and after a Russia-linked cyberattack targeting the US government.

US District Judge Paul Engelmayer in Manhattan dismissed all claims against SolarWinds and chief information security officer Timothy Brown over statements made after the attack, saying the claims were based on "hindsight and speculation."

In a 107-page decision on Thursday, the judge also dismissed most SEC claims concerning statements predating the attack, apart from securities fraud claims based on a statement on SolarWinds' website touting the company's security controls.

SolarWinds and Brown's lawyers had no immediate comment. The SEC did not immediately respond to requests for comment.

The nearly two-year cyberattack known as Sunburst targeted Austin, Texas-based SolarWinds by using its flagship Orion software platform to infiltrate US government networks.

Several federal agencies including the Departments of Commerce, Energy, Homeland Security, State and Treasury were compromised before the attack was revealed in December 2020.

Its full consequences remain unknown, and the US government has said Russia likely orchestrated the attack. Russia has denied responsibility.

The SEC case filed last October appeared to be the first targeting a company that fell victim to a cyberattack, where the regulator did not announce a simultaneous settlement.

Guo Wengui, an exiled Chinese businessman and vocal critic of Beijing, has been convicted in the US of stealing hundreds of millions of dollars from online followers.

It is also rare for the SEC to sue public company executives who, like Brown, are not closely involved in preparing financial statements.

The SEC alleged that SolarWinds hid the porous cybersecurity of its products before the attack, and downplayed the attack's severity after it occurred.

It also said SolarWinds concealed how customers had warned about malicious activity involving Orion.

But the judge said anti-fraud laws do not require that risk warnings contain "maximum specificity," a process that could backfire if the warnings armed cyberattackers with extra information to exploit.

Engelmayer also said SolarWinds acknowledged it could not be expected to prevent every cyberattack, and had no duty to disclose individual incidents.

"It has already disclosed the likelihood of these as, regrettably, a fact of life," the judge wrote.