A US District Court judge has largely dismissed a significant case against SolarWinds by the U.S. Securities and Exchange Commission concerning actions taken by the around the 2020 attack.

The SEC brought charges against CISO Timothy Brown, as well as Solarwinds, with fraud for their role in allegedly lying to investors by “overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks” from 2017 to 2021. 

Judge Paul Engelmayer criticised most of the government’s charges as speculative and reliant on hindsight in his 107-page ruling, reports the Record. This marked the SEC's first attempt to hold a company accountable for cybersecurity claims, facing significant criticism from the cybersecurity community.

The case revolved around Brown and SolarWinds’ actions before, during and after the Sunburst incident, a near-two year cyber attack that the US government attributed to Russian Foreign Intelligence Service.

In that incident, attackers found a way to insert malware into a version of SolarWinds’ Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets.

SolarWinds and Brown argued that the SEC was unfairly targeting the victim of a nation-state attack. SolarWinds expressed satisfaction with the decision and gratitude for industry support, emphasising their readiness to contest the remaining claim.

In a statement sent to SC UK, a SolarWinds spokesperson said: "We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims. We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate.

"We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed.”

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.