
By David DiMolfetta, Cybersecurity Reporter, Nextgov/FCW
The landmark lawsuit garnered pushback from dozens of cybersecurity leaders last year.
The Securities and Exchange Commission on Thursday said it will dismiss a lawsuit against SolarWinds that had accused the company of making fraudulent statements that misled investors about its cybersecurity posture.
The suit, initially filed in 2023, alleged that SolarWinds and its chief information security officer, Timothy Brown, defrauded investors over a two-year period by not disclosing cybersecurity weaknesses between the company’s initial public offering in October 2018 and December 2020.
It was revealed in late 2020 that Kremlin-linked hackers had used what later became known as the Sunburst trojan to access the SolarWinds Orion IT management software, letting the Russian operatives breach the networks of multiple federal agencies, including the National Nuclear Security Administration.
The new dismissal notice was filed in the Southern District of New York, where the case was being litigated.
The landmark lawsuit — in which the victim of a cyberattack faced prosecution from the government — garnered pushback from dozens of cybersecurity leaders last year, who argued that the lawsuit could set a precedent that would harm company efforts to boost their cyber posture and worsen cybersecurity leadership retention.
“We are clearly delighted with the dismissal of the case against SolarWinds and our CISO, Tim Brown. We fought with conviction, arguing that the facts demonstrated our team acted appropriately — this outcome is a welcome vindication of that position,” a SolarWinds spokesperson said.
“We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work,” the spokesperson added. “With the case now resolved, we look forward to focusing without distraction on delivering exceptional value to our customers through our market-leading software and solutions, emphasizing security and innovation at every step.”
In July 2024, U.S. District Judge Paul Engelmayer in Manhattan dismissed most of the initial claims filed by the SEC, ruling that disclosures after the Sunburst discovery amounted to hindsight and that the SEC can only pursue fraud claims for actions taken before Sunburst was unearthed.
“As to pre-SUNBURST disclosures, the Court sustains the SEC’s claims of securities fraud based on the company’s Security Statement. That statement is viably pled as materially false and misleading in numerous respects,” Engelmayer wrote. “The Court, however, dismisses the claims of securities fraud and false filings based on other statements and filings.”
The SolarWinds compromise had far-reaching implications for federal networks, given the government’s extensive use of the company’s IT management software. The incident fueled a sweeping cybersecurity executive order issued under then-President Joe Biden in 2021.
The fallout also spurred the creation of the Cyber Safety Review Board, a DHS-hosted group established to study significant cybersecurity incidents. The CSRB was disbanded at the start of the second Trump administration.