Judge Throws Out Most Of SEC’s SolarWinds Sunburst Lawsuit

Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York dismisses nearly all claims made by the SEC related to the late 2020 SolarWinds Orion cyberattack, also known as Sunburst.

The judge overseeing the U.S. Securities and Exchange Commission’s lawsuit against SolarWinds and CISO Tim Brown ruled Thursday to grant SolarWinds’ motion to dismiss nearly all charges related to the late 2020 SolarWinds Orion cyberattack, also known as Sunburst.

In his ruling, Paul Engelmayer, a judge in the U.S. District Court for the Southern District of New York, dismissed the SEC’s claims of securities fraud and false filings based on SolarWinds’ statements and filings prior to the Sunburst disclosures, with the exception of the SEC’s claims of securities fraud based specifically on the company’s security statement.

The judge also dismissed all of the SEC’s post-Sunburst claims as well as claims relating to SolarWinds’ internal accounting and disclosure controls and procedures.

SolarWinds, in an emailed statement, said that it is looking forward to getting the last claim dismissed.

“We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims. We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate. We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed,” SolarWinds said.

The company declined to elaborate further on the case. An SEC spokesperson told CRN via email that the organization declines to comment.

The case stems from the 2020 launch of the Sunburst malware attack. That incident became one of the most significant cyberattacks in history, resulting in nearly 18,000 of SolarWinds’ customers, including the U.S. government, receiving a compromised software update. However, SolarWinds later said fewer than 100 customers, including at least nine MSPs, were actually hacked as a result of the attack.

The SEC in June 2023 issued a Wells notice related to the Sunburst attack. A Wells notice is a letter the SEC sends to companies or people after an SEC investigation has concluded that the recipients will be subject to an enforcement action.

The SEC followed up in October 2023 to accuse SolarWinds and its CISO Brown of misleading statements, omissions and schemes that defrauded investors and customers in the years before and the months following the Sunburst attack.

In its suit, the SEC cited several alleged violations of securities laws and demanded that Brown and SolarWinds be found responsible for numerous counts of fraud. The SEC also wanted to strip both SolarWinds and Brown of any “ill-gotten gains” they received from violating securities laws and asked that Brown be barred from holding a seat as an officer at a publicly traded company.

SolarWinds in January responded to the SEC’s allegations by filing a motion to dismiss the complaint in the U.S. District Court for the Southern District of New York, saying that the SEC sought to revictimize the victim with its allegations against the company.

In his Thursday ruling, Judge Engelmayer wrote that “the Court denies in part, but grants in large part, the motion to dismiss.”

In regard to the disclosures SolarWinds made before the attack, Engelmayer wrote that “the Court sustains the SEC’s claims of securities fraud based on the company’s Security Statement. That statement is viably pled as materially false and misleading in numerous respects. The Court, however, dismisses the claims of securities fraud and false filings based on other statements and filings.”

That Security Statement, written primarily by Brown starting in late 2017, was posted in the Trust Center section of the company’s website. It provided information about the company’s security infrastructure and practices as a way to show how SolarWinds mitigated the risk of cyberattacks, as noted in Thursday’s filing.

In regard to disclosures made after the Sunburst attack, Engelmayer wrote that the court dismissed all claims.

“These do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation. Finally, the Court dismisses as ill-pled the SEC’s claims relating to SolarWinds’ internal accounting and disclosure controls and procedures,” he wrote.