Connecting decision makers to a dynamic network of information, people and ideas, Bloomberg quickly and accurately delivers business and financial information, news and insight around the world.
Americas: +1 212 318 2000
EMEA: +44 20 7330 7500
Asia Pacific: +65 6212 1000
By Skye Witley
SolarWinds Corp. issued a full-throated denial of wrongdoing in how it handled one of the worst cyberattacks in history in a Friday court filing seeking the dismissal of US Securities and Exchange Commission allegations that its software security representations defrauded investors and violated rules on controls.
SolarWinds argued that it disclosed risks with legally sound specificity prior to a Russian state hack of its Orion platform and correctly informed investors of the breach’s potential impact during the immediate aftermath, according to a dismissal motion and supporting memorandum filed in New York federal court. Cybercriminals breached about 100 organization networks that employed the software, including large corporations and federal agencies.
The public company and Chief Information Security Officer Tim Brown, whom the SEC named as defendants, are pursuing a rare challenge to the agency’s first-of-its-kind enforcement action, which alleges securities fraud and controls violations. The defendants claim the SEC’s action, if successful, would broaden the agency’s powers and heighten the requirements for publicly disclosing an organization’s cybersecurity posture.
“SolarWinds made proper, accurate disclosures both before and after the unprecedented SUNBURST cyberattack, which is why this case should be dismissed,” said Serrin Turner, a Latham & Watkins LLP partner representing SolarWinds in the case, in a statement to Bloomberg Law. “The SEC is trying to move the goalposts and force companies to disclose internal details about their cybersecurity programs, which would be both impractical and dangerous.”
The SEC didn’t immediately return a request for comment. In a prior statement to Bloomberg Law, Director Gurbir S. Grewal of the agency’s enforcement division said cases like this “empower CISOs by giving them the credibility and traction they need to effectively advise their company leadership of the consequences of noncompliance.”
Charges that SolarWinds defrauded investors with falsified public statements should be dismissed because the company materially warned investors of a potential nation-state cyberattack before succumbing to the SUNBURST attack, according to the motion.
The securities regulator’s original complaint described risk disclosures to the agency as “hypothetical, generalized, and boilerplate,” citing flaws with the company’s virtual private network and an internal cybersecurity assessment. But those represented “granular cybersecurity concerns” that SolarWinds need not disclose to investors, the motion said.
SolarWinds also contested the notion that it omitted crucial information from a Form 8-K filed publicly the first business day following the hack, alleging the agency was “nitpicking” rather than proving the company made materially misleading statements.
While the SEC’s complaint faulted the software maker for not disclosing that at least three organizations had already been impacted by the Orion vulnerability, the dismissal motion said SolarWinds was entitled to conduct a more thorough investigation “before reaching any definitive conclusions.”
The company also called for Judge
“If Congress had meant to authorize the SEC to serve as some sort of roving cybersecurity commissioner for public companies, it would have said so in plainer terms, and there would have been some discussion of it in the legislative history,” the filing said.
Brown is the first executive of a public company to face SEC charges related to cybersecurity, which the agency based on public statements and signatures on internal security attestations it alleges helped mislead investors.
But Brown didn’t aid and abet the alleged fraud or controls violations by signing documents about SolarWinds’ cybersecurity, the filing argued, because the statements in question weren’t intended for investors. Neither did he seek to knowingly violate the disclosure or internal account controls, it said.
The motion to dismiss called Brown’s involvement in the suit “not only unwarranted but inexplicable.”
The case is SEC v. SolarWinds Corp., S.D.N.Y., No. 1:23-cv-09518, motion to dismiss filed 1/26/24.