Click to open contact form.
Your Global Partners in the Business of Innovation

Federal Judge Dismisses SEC Claims Against SolarWinds in “Sunburst” Cyberattack

Client Updates / July 29, 2024

Written by: Haim Ravia and Dotan Hammer

In a 107-page decision, a Manhattan U.S. District Judge dismissed most claims against SolarWinds and its Chief Information Security Officer (CISO) in a Securities and Exchange Commission (SEC) lawsuit. The lawsuit alleged that SolarWinds misled investors about the security of its Orion software, which was exploited by Russian hackers in a major cyberattack known as “Sunburst.” This attack targeted thousands of organizations globally, including multiple US government networks.

The SEC claimed that SolarWinds misled investors about its cybersecurity practices and the security of its Orion software platform. According to the SEC, SolarWinds promoted its cybersecurity as robust while concealing significant vulnerabilities, thereby understating actual cybersecurity risks. The company was alleged to have made misleading statements on its website and in securities filings, leading investors to believe Orion had minimal vulnerability to cyberattacks. The SEC also alleged that SolarWinds misled the public about a series of cyberattacks, including the SUNBURST attack, believed to be conducted by state-sponsored Russian hackers. In the aftermath of SUNBURST, SolarWinds allegedly minimized the attack’s scope and severity and failed to disclose prior reports of similar malicious activity.

The judge upheld securities fraud claims related to one of SolarWinds’ pre-Sunburst statements about Orion security but dismissed other SEC claims about separate company cybersecurity assertions. The Judge ruled that anti-fraud laws do not require risk warnings to be “maximally specific,” as overly detailed warnings could aid cyberattacks. The judge noted that SolarWinds had acknowledged it could not prevent every cyberattack and had no obligation to disclose individual incidents, stating that the accusations were based on hindsight and speculation.

The decision was not influenced by the SEC’s new rules, which came into effect after the incident. These rules require public companies to immediately report significant cyber risks during security incidents and include disclosures in their periodic reports about cybersecurity risk management, strategies, and corporate governance mechanisms.

Click here to read the decision in SEC v. SolarWinds Corp et al, U.S. District Court, Southern District of New York, No. 23-09518.

MEDIA HIGHLIGHTS