September 8, 2024

TechNewsInsight

Judge in SolarWinds case rejects SEC oversight of cybersecurity controls

A federal judge in a case stemming from one of the worst known cyberattacks has rejected the Securities and Exchange Commission’s bid to oversee corporate cybersecurity controls, easing companies’ fears that they could be penalized by regulators after breaches by well-resourced hackers.

In a closely watched case brought by the agency against SolarWinds, a victim of a 2020 hack, U.S. District Judge Paul A. Engelmayer on Thursday granted most of the company’s motion to dismiss the lawsuit, holding that current laws give the SEC authority only over financial controls, not all internal controls.

“The SEC’s rationale, which is to interpret the law so broadly as to cover all systems that public companies use to protect their valuable assets, would have serious consequences,” Engelmayer wrote in his 107-page decision.

“This would give the agency the authority to regulate background checks used in hiring night security guards, lock picking for storage lockers, water park safety measures whose reliability depends on customer goodwill, and password lengths and configurations required to access company computers,” he wrote.

The Manhattan federal judge also rejected the SEC’s claims that SolarWinds’ disclosures after it learned its customers were affected improperly covered up the severity of the breach, in which Russian intelligence operatives were accused of exploiting SolarWinds software for more than a year to gain access to multiple federal agencies and major tech companies. U.S. authorities have described the operation, which was uncovered in December 2020, as one of the most serious in recent years, and its consequences for government and industry are still being felt.

In an era when destructive hacking campaigns are commonplace, the lawsuit has raised concerns among business leaders, some security officials and even former government officials, as expressed in amicus curiae briefs that called for its dismissal. They argued that adding liability for false statements would discourage hacking victims from sharing what they know with customers, investors and security authorities.

Austin-based SolarWinds said it was pleased the judge “largely granted our motion to dismiss the SEC’s claims,” adding in a statement that it was “grateful for the support we have received so far across the industry, from our customers, cybersecurity professionals, and veteran government officials who have echoed our concerns.”

The SEC did not respond to a request for comment.

Engelmayer did not dismiss the case entirely, allowing the SEC to try to prove that SolarWinds and its top security official, Timothy Brown, committed securities fraud by failing to warn in a public “security statement” before the hack that it knew it was highly vulnerable to attacks.

“The SEC alleges that SolarWinds and Brown provided in their security statement persistently misleading information, much of which amounted to outright lies, about the adequacy of their access controls,” Engelmayer wrote in his letter. “Given the centrality of cybersecurity to SolarWinds’ business model as a company that provides sophisticated software products to customers for whom computer security is of paramount importance, this misinformation was undoubtedly material.”

The judge credited the SEC with supporting that argument with an investigation that produced internal letters and presentations criticizing the company's access controls, password policies and limited ability to monitor its networks.

In 2019, an outside security researcher informed the company that a password for a server used to send software updates had been exposed: it was “solarwinds123.”

A year earlier, an engineer warned in an internal presentation that a hacker could use the company’s virtual private network from an unauthorized device and upload malicious code. Brown did not pass that information on to senior executives, and the hackers later used the same technique, the judge wrote.