The 2020 SolarWinds hack was perhaps one of the worst cyberattacks in history, reportedly directed by the Russian intelligence service and affecting 18,000 customers, including some very well-known companies and about a dozen government agencies including the Treasury, Justice and Energy departments. Following the cyberattack, the SEC filed a complaint against SolarWinds and its Chief Information Security Officer, charging securities “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” (See this PubCo post.) SolarWinds and Brown then moved to dismiss the complaint for failure to state a claim. On July 18, 2024, a federal district court issued a 107-page opinion, dismissing most of the SEC’s case against SolarWinds and its CISO.
As discussed in this terrific new Cooley Alert, Federal Court Dismisses Bulk of SEC’s Complaint Against SolarWinds in Cyberattack Case from our White Collar Defense and Investigations and Cyber/Data/Privacy groups, while the “SEC’s (more traditional) claims that SolarWinds’ public statements materially misled investors were permitted to proceed,” they were substantially “narrowed in scope.” In particular, the Alert observes, the court “dismissed all claims about the company’s SEC filings,” as well as “claims that were based on press releases, blog posts, and podcasts,” but allowed “the SEC’s allegations about SolarWinds’ ‘Security Statement,’ and its CISO’s involvement with it” to survive. In addition, the court “dismissed all claims that SolarWinds maintained insufficient internal accounting and disclosure controls for cybersecurity,” categorically rejecting “the SEC’s theory that its authority to regulate internal accounting controls extends to a company’s cybersecurity controls.” Note that earlier this year, Cooley filed an amicus brief on behalf of a coalition of more than 50 cybersecurity leaders and organizations.
The Alert offers valuable advice for companies and cybersecurity professionals in light of the decision. Be sure to check out the new Alert!