The ruling by a federal court judge to dismiss most of the civil fraud charges against SolarWinds could significantly impact how the Securities and Exchange Commission moves forward in regulating cyber risk disclosure.
SolarWinds and its CISO Timothy Brown were charged with misleading investors in the run-up to the 2020 Sunburst supply chain attack, which exposed thousands of organizations to a backdoor injected into builds of the company’s Orion network monitoring platform.
U.S. District Court Judge Paul Engelmayer dismissed the vast majority of claims against SolarWinds, most importantly claims related to the company’s internal accounting practices.
Despite the dismissal of most of the case, the judge upheld a central charge in the case related to the company’s pre-IPO security statement.
“Ultimately the decision still means that whenever a public company makes representations about specific cybersecurity practices, to the public and customers, and those representations are not aligned with internal board and officer reporting, the SEC has a hook for a fraud claim,” said Sagar Ravi, a partner at McDermott Will & Emery and a former federal prosecutor at the Southern District of New York.
While some CISOs and public companies may read the ruling as easing the regulatory and legal risk around their cyber risk practices, one legal expert called that assumption premature.
“The SEC continues to remain very active in looking at cybersecurity generally and at companies’ incident response generally,” said Gerry Stegmaier, a partner at Reed Smith. “Between the SEC, other government agencies such as the FTC, state attorneys general and the class action bar, the likelihood of litigation has never been greater.”
Cyber enforcement
Violations of cybersecurity-related disclosure controls were the issue in a recent case involving R.R. Donnelley & Sons. The SEC reached a $2.1 million settlement with the business communications and marketing services provider in June.
The case involved a late November 2021 ransomware attack in which the attackers encrypted computer systems, stole data and disrupted the business until shortly before Christmas.
The SEC said the company failed to design effective disclosure controls and procedures to ensure that information about such incidents was escalated to management.
The R.R. Donnelley case related to security incidents and alerts dating back to 2021. The company fully cooperated with the investigation, and that cooperation helped shape the settlement terms.
It remains unclear whether the SolarWinds ruling will have any impact on the R.R. Donnelley settlement or prior cases, but it will likely limit the SEC’s ability to bring actions based on internal controls in some future circumstances.
“The opinion also suggests the SEC may be limited to charging a disclosure controls violation where systemic deficiencies exist, such as when controls are deficient in design or yield frequent errors,” Shardul Desai, a partner at Holland & Knight, said via email. “Innocent errors that result in untimely disclosure of a material cybersecurity event may not be enough for an SEC action.”
Risk disclosures
Federal authorities have cracked down on firms for failing to properly disclose cyber risk and demonstrate transparency with investors and customers.
In 2023, the SEC reached a $3 million settlement with educational software firm Blackbaud for making misleading disclosures about the scope of a 2020 ransomware attack.
In 2022, Uber’s former chief security officer was convicted of covering up a 2016 data breach while the company was under an existing Federal Trade Commission investigation into its security practices.
The former CSO, Joseph Sullivan, had paid off a pair of hackers and arranged a confidentiality agreement with them after the attackers gained access to 57 million user records and about 600,000 driver’s license numbers belonging to Uber drivers.
In the SolarWinds case, an initial pretrial conference is scheduled for Aug. 14 at the Thurgood Marshall Courthouse in Lower Manhattan. The court is seeking information on the factual and legal basis for the claim and the defense, anticipated pretrial motions and the prospects of a settlement.
“We look forward to the opportunity to present our own evidence and demonstrate why this remaining claim is factually inaccurate,” a SolarWinds spokesperson said via email.
The SEC declined to comment.