In a case stemming from one of the worst known cyberattacks, a federal judge has rejected the Securities and Exchange Commission’s bid to oversee corporate cybersecurity controls, easing concerns among companies about potential penalties from regulators following breaches by well-resourced hackers.
In a closely watched case brought by the SEC against 2020 hacking victim SolarWinds, U.S. District Judge Paul A. Engelmayer on Thursday granted most of the company’s motion to dismiss. He ruled that current laws grant the SEC authority only over financial controls, not all internal controls.
“The SEC’s rationale, under which the statute must be construed to broadly cover all systems public companies use to safeguard their valuable assets, would have sweeping ramifications,” Engelmayer wrote in a 107-page decision. He explained that this could extend to regulating background checks for security guards, padlocks for storage sheds, safety measures at water parks, and password configurations for company computers.
The Manhattan judge also dismissed SEC claims that SolarWinds’ disclosures improperly downplayed the severity of the breach, in which Russian intelligence agents allegedly infiltrated SolarWinds software for more than a year, accessing multiple federal agencies and major tech companies. The operation, revealed in December 2020, was described by U.S. authorities as one of the most serious cyberattacks in recent years, with ongoing ramifications for the government and industry.
The suit had alarmed business leaders, security executives, and former government officials, who argued in friend-of-the-court briefs that adding liability for misstatements would discourage hacking victims from sharing information with customers, investors, and safety authorities.
Austin-based SolarWinds expressed satisfaction with the ruling, stating it was “grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns.”
The SEC did not respond to a request for comment.
Engelmayer did not dismiss the case entirely, allowing the SEC to attempt to prove that SolarWinds and top security executive Timothy Brown committed securities fraud by not warning, in a public “security statement” before the hack, that they knew the company was highly vulnerable to attacks.
The SEC “plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls,” Engelmayer wrote. He noted that cybersecurity was central to SolarWinds’ business model, since the company pitched sophisticated software products to customers for whom computer security was paramount, which made these misrepresentations undeniably material.
The judge acknowledged that the SEC’s investigation produced internal messages and presentations criticizing the company’s access controls, password policies, and limited network monitoring capabilities. In 2019, an outside security researcher had notified the company that a server password used for software updates was exposed: “solarwinds123.” A year earlier, an engineer had warned in an internal presentation that a hacker could use the company’s virtual private network from an unauthorized device to upload malicious code. Brown did not relay this information to top executives, the judge noted, and hackers later exploited this exact technique.