SolarWinds breaks free, waving bye to SEC’s legal entanglements

January 30, 2024




Summary of Article

TLDR:

SolarWinds has filed a motion to dismiss the SEC lawsuit, providing a detailed defense of how the cyber espionage attack on its system was handled. The company argues that the SEC lacks both the expertise and authority to charge SolarWinds and its chief information security officer (CISO) with mishandling the attack. The SEC alleges securities fraud and internal controls failures, claiming that SolarWinds knew it lacked appropriate cybersecurity controls and misled customers about the threat.

SolarWinds Files Motion to Dismiss SEC Lawsuit

In response to charges from the Securities and Exchange Commission (SEC), SolarWinds has filed a motion to dismiss the lawsuit, providing a detailed defense of its handling of the Russian-backed cyber espionage attack on its Orion platform in 2020.

The SEC had charged SolarWinds and its CISO, Tim Brown, with securities fraud and internal controls failures for their response to the cyberattack campaign. The SEC alleged that SolarWinds knew it lacked appropriate cybersecurity controls and willfully misled customers about the threat. It also accused Brown of insider trading by dumping SolarWinds stock before the cyberattack was made public.

SolarWinds immediately vowed to mount a defense in court following the charges. The new motion to dismiss offers a detailed denial of the SEC’s accusations, arguing that SolarWinds made proper disclosures before and after the attack and that the SEC is overstepping its authority by seeking to regulate public companies’ cybersecurity controls.

The company points out that the SEC failed to clearly identify which security controls violated regulations and asserts that the SEC is attempting to rewrite accounting controls laws. SolarWinds maintains that it acted appropriately and transparently throughout the cyberattack response, claiming to be a victim rather than a perpetrator of the cybercrime.

Overall, SolarWinds is seeking to have the lawsuit dismissed, asserting that the SEC lacks the necessary expertise and authority in cybersecurity to bring the charges against the company and its CISO. The case raises larger questions about the role of regulatory bodies in overseeing and regulating cybersecurity controls for public companies.

