A U.S. judge dismissed most of a Securities and Exchange Commission lawsuit accusing software company SolarWinds of defrauding investors by concealing its security weaknesses before and after a Russia-linked cyberattack targeting the U.S. government.
U.S. District Judge Paul Engelmayer in Manhattan dismissed all claims against SolarWinds and chief information security officer Timothy Brown over statements made after the attack, saying the claims were based on “hindsight and speculation.”
In a 107-page decision on Thursday, the judge also dismissed most SEC claims concerning statements predating the attack, apart from securities fraud claims based on a statement on SolarWinds’ website touting the company’s security controls.
The SEC declined to comment.
SolarWinds said it was pleased with the decision, and called the remaining claim against the company “factually inaccurate.” Brown’s lawyers did not immediately respond to requests for comment.
The nearly two-year cyberattack known as Sunburst targeted Austin, Texas-based SolarWinds by using its flagship Orion software platform to infiltrate U.S. government networks.
Several federal agencies including the Departments of Commerce, Energy, Homeland Security, State and Treasury were compromised before the attack was revealed in December 2020.
Its full consequences remain unknown, and the U.S. government has said Russia likely orchestrated the attack. Russia has denied responsibility.
The SEC case filed last October appeared to be the first targeting a company that fell victim to a cyberattack, where the regulator did not announce a simultaneous settlement.
Related: SEC Sues SolarWinds for Concealing Risks Before Massive Hack
It is also rare for the SEC to sue public company executives who, like Brown, are not closely involved in preparing financial statements.
The SEC alleged that SolarWinds hid the porous cybersecurity of its products before the attack, and downplayed the attack’s severity after it occurred.
It also said SolarWinds concealed how customers had warned about malicious activity involving Orion.
But the judge said anti-fraud laws do not require that risk warnings contain “maximum specificity,” a process that could backfire if the warnings armed cyberattackers with extra information to exploit.
Engelmayer also said SolarWinds acknowledged it could not be expected to prevent every cyberattack, and had no duty to disclose individual incidents.
“It has already disclosed the likelihood of these as, regrettably, a fact of life,” the judge wrote.
The case is SEC v. SolarWinds Corp et al, U.S. District Court, Southern District of New York, No. 23-09518.
Was this article valuable?
Here are more articles you may enjoy.
Wall Street Pushes Back After Activists Escalate Protests 
Study Urges Rethinking of Disaster Management in Era of Compounding Events 
What Happened to Reinsurance ‘Class of 2023’? Hard Market Defies Age-Old Patterns. 
Project 2025 Plan to End NFIP Welcomed by Some, Rejected by Others in Insurance 
