SolarWinds Successfully Dismisses Charges from SEC in Legal Victory

A judge has issued a significant decision in the Securities and Exchange Commission (SEC) litigation against SolarWinds and its chief information security officer (CISO), Tim Brown. The ruling indicates that SolarWinds and Brown cannot be held accountable for statements and filings made after the breach of the company’s flagship Orion product.

However, the SEC is permitted to continue pursuing its charges against SolarWinds and Brown for misrepresentations concerning the company’s cybersecurity posture leading up to the cyberattack, which has been referred to as “Sunburst” in court filings. This ruling stems from US District Court Judge Paul A. Engelmayer’s decision released on July 18, in response to SolarWinds’ motion to dismiss the SEC lawsuit filed earlier this year.

Experts in the legal and cybersecurity fields view this ruling as a positive step towards providing clarity for other publicly traded companies on how to navigate cybersecurity incident disclosure regulations. Cyber attorney Beth Burgin Waller from Woods, Rogers, Vandeventer, Black PLC mentioned that the court’s opinion favors disclosure on a broader scale rather than focusing on minute details, thus vindicating SolarWinds’ efforts in sharing information with the cybersecurity community post-incident.

While many charges against SolarWinds and Brown have been dropped, the SEC is still allowed to pursue action for statements made about the company’s security posture before the compromise occurred. In particular, the judge highlighted that disclosures prior to the breach were misleading and false in several respects. The ruling also shed light on Brown’s internal communications, in which he pointed out deficiencies in SolarWinds’ defense mechanisms while presenting a more positive outlook to customers. It was noted that SolarWinds’ “Security Statement” inaccurately claimed compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

In response to the ruling, a spokesperson for SolarWinds expressed satisfaction, stating that they look forward to presenting their evidence and refuting the remaining claim as factually inaccurate. The company also acknowledged the support received from customers, cybersecurity professionals, and government officials. The ruling has been well received by the cybersecurity community, offering a sense of relief to CISOs like Jessica Sica from Weave and Fred Kwong from DeVry University. Sica praised the decision to dismiss internal communications evidence, emphasizing the importance of open discussions on security within organizations. Kwong highlighted the flawed nature of holding CISOs personally liable, especially when they do not hold executive positions, and appreciated the court for dismissing most charges post-Sunburst.

Amidst ongoing legal proceedings, Sica encourages fellow CISOs to prioritize transparency regarding their organization’s security posture. The ruling concluded that post-Sunburst disclosures do not assert actionable deficiencies in SolarWinds’ reporting of the cybersecurity incident, dismissing such claims as relying on hindsight and speculation. As the case progresses, the cybersecurity landscape continues to evolve, with the importance of honesty and transparency in security practices remaining pivotal.
