A judge dismissed most of the Securities and Exchange Commission's (SEC) fraud charges against software company SolarWinds related to statements made before and after a major Russian cyber espionage campaign in late 2020.
This ruling is a significant setback for the SEC, which has taken a more aggressive stance on holding companies accountable for their cybersecurity practices. This case marked the first time the SEC had pursued legal action against a company targeted by a nation-state attack over its investor communications about cybersecurity.
U.S. District Judge Paul Engelmayer ruled on Thursday to dismiss the charges that SolarWinds misled investors in public filings, including its IPO registration documents and 8-K filings. However, he allowed the SEC to pursue fraud charges over statements made on SolarWinds' website before the Russian attack regarding the company’s cybersecurity strategy.
The SEC filed fraud charges against SolarWinds in October, alleging that the company made misleading and false statements about its internal cybersecurity practices between October 2018 and January 2021. These statements included claims of compliance with government-recommended cybersecurity standards, strong password protections, and secure software development protocols.
The SEC's allegations are based on internal conversations suggesting that SolarWinds did not adhere to all the practices it claimed to follow when these statements were published online and shared with customers.
In response to the ruling, a SolarWinds spokesperson stated that the company intends to contest the remaining charge, which it claims is "factually inaccurate." The spokesperson also expressed gratitude for SolarWinds's industry support, including backing from customers, cybersecurity professionals, and veteran government officials.
An SEC spokesperson declined to comment on the ruling. According to court documents, SolarWinds now has 14 days to respond to the remaining charges.