- A US judge dismissed most of the SEC’s lawsuit against SolarWinds, ruling that the claims rested on “hindsight and speculation.”
- The SEC had accused SolarWinds of concealing its security weaknesses and the severity of the attack; in the author’s view, the case ignored the complexity of cybersecurity and judged the company with hindsight.
OUR TAKE
The SEC’s action disregards the complexities of cybersecurity: demanding that SolarWinds disclose every incident and vulnerability would amount to aiding attackers. Companies must strike a balance between transparency and security, and the SEC’s stance disrupts it. The SEC should focus on promoting sound cybersecurity practices instead of punishing the victims of cyberattacks.
–Ashley Wang, BTW reporter
What happened
A US judge has dismissed most of a Securities and Exchange Commission (SEC) lawsuit against the software company SolarWinds, which the regulator accused of defrauding investors by hiding its security weaknesses before and after a cyberattack linked to Russia.
The attack, known as Sunburst after the backdoor the intruders planted in SolarWinds’ Orion platform, was a software supply-chain compromise: the malicious code shipped inside legitimately signed Orion updates, so customers installed it through the normal update channel. Victims included several US government networks, among them the Departments of Commerce, Energy, Homeland Security, State, and Treasury. The compromise was disclosed in December 2020, and its full consequences remain unclear. The US government attributes the operation to Russia, which denies involvement.
US District Judge Paul Engelmayer in Manhattan dismissed all claims against SolarWinds and its chief information security officer, Timothy Brown, over statements made after the attack, ruling that those claims were based on “hindsight and speculation.” In his 107-page decision the judge also dismissed most of the SEC’s claims concerning statements made before the attack, leaving only securities fraud claims tied to a statement on SolarWinds’ website describing the company’s security controls. SolarWinds welcomed the decision and called the remaining claim against it “factually inaccurate.”
Why it’s important
The SEC’s case, filed in October 2023, marked the first time the regulator had sued a company that was itself the victim of a cyberattack without announcing a simultaneous settlement. It is also unusual for the SEC to sue executives who are not closely involved in preparing financial statements. The SEC alleged that SolarWinds downplayed its cybersecurity vulnerabilities and the severity of the attack, and concealed warnings from customers about malicious activity involving Orion.
However, the SEC’s action ignores the complex reality of cybersecurity. Expecting SolarWinds to disclose every individual incident and vulnerability would be dangerous, because that level of detail would expose the company to attackers. Companies must balance transparency with security, and the SEC’s stance upsets that delicate equilibrium.
SolarWinds had acknowledged the pervasive risk of cyberattacks, an honest admission in today’s digital landscape. Punishing the company for falling victim to an attack only deters other companies from being equally candid. The SEC should recalibrate its strategy, focusing on fostering robust cybersecurity practices rather than scapegoating companies caught in the crossfire of global cyber warfare.