“The SEC’s reasoning that the law should be interpreted to broadly cover all systems that publicly traded companies use to protect their valuable assets would have far-reaching consequences,” Engelmayer wrote in a 107-page decision.
“It could give the agency the authority to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage areas, security measures at water parks whose reliability made customer goodwill dependent, and the length and configuration of passwords required to access company computers,” he wrote.
The federal judge in Manhattan also rejected the SEC’s claims that SolarWinds’ disclosures, made after the company learned its customers had been affected, improperly concealed the severity of the breach, in which Russian intelligence agents are accused of using SolarWinds software as a conduit for more than a year to infiltrate multiple federal agencies and major technology companies. U.S. authorities described the operation, revealed in December 2020, as one of the most serious in recent years, and its fallout is still playing out for the government and industry.
In an era when highly damaging hacking campaigns have become commonplace, the lawsuit alarmed business leaders, some security executives and even former government officials, as evidenced by friend-of-the-court briefs asking for the lawsuit to be dismissed. They argued that adding liability for misrepresentation would discourage hacking victims from sharing their knowledge with customers, investors and security authorities.
Austin-based SolarWinds said it was pleased that the judge “largely granted our motion to dismiss the SEC’s claims,” adding in a statement that it is “grateful for the support we have received to date from across the industry, from our customers, from cybersecurity professionals, and from experienced government officials who shared our concerns.”
The SEC did not respond to a request for comment.
Engelmayer did not dismiss the case outright, allowing the SEC to attempt to prove that SolarWinds and its top security official, Timothy Brown, committed securities fraud through a public “security statement” issued before the hack that failed to disclose what the company already knew: that it was highly vulnerable to attack.
The SEC “plausibly alleges that SolarWinds and Brown made persistent public misrepresentations, many of which amounted to outright lies, in the Security Statement about the adequacy of access controls,” Engelmayer wrote. “Given the centrality of cybersecurity to SolarWinds’ business model as a company that markets sophisticated software products to customers for whom computer security was of paramount importance, these misrepresentations were undeniably material.”
The judge commended the SEC for supporting this argument through an investigation that yielded internal communications and presentations criticizing the company’s access controls, password policies and limited ability to monitor its networks.
In 2019, an outside security researcher notified the company that a password for a server used to distribute software updates had been exposed: it was “solarwinds123.”
A year earlier, an engineer had warned in an internal presentation that an attacker could connect to the company’s virtual private network from an unauthorized device and upload malicious code. Brown failed to share that information with top executives, the judge wrote, and the hackers later used that exact technique.