“By the SEC’s logic, the law must be interpreted broadly to cover all systems used by public companies to safeguard valuable assets, which would have far-reaching effects,” Engelmayer wrote in a 107-page decision.
“The bill could give authorities the power to regulate the background checks used to hire nighttime security guards, the selection of padlocks for warehouses, security measures at water parks that rely on the asset of customer trust, and the length and composition of passwords needed to access company computers,” he wrote.
The Manhattan federal judge also rejected the SEC’s argument that the disclosures SolarWinds made after learning its customers had been affected improperly concealed the severity of the breach, in which Russian operatives allegedly probed SolarWinds software for more than a year and infiltrated multiple federal agencies and major technology companies. U.S. authorities described the operation, which was revealed in December 2020, as one of the most serious in recent history. Its impact is still being felt by government and industry.
At a time when devastating hacking attacks are commonplace, the case has alarmed business executives, some security executives and even former government officials, who argued in an amicus brief supporting dismissal that imposing liability for false statements would discourage hacking victims from sharing what they know with customers, investors and security authorities.
Austin-based SolarWinds said it was pleased the judge “substantially granted our motion to dismiss the SEC’s claims,” adding in a statement that it “appreciates the support we have received so far from across the industry, our customers, cybersecurity experts and veteran government officials who share our concerns.”
The SEC did not respond to a request for comment.
Engelmayer did not dismiss the case outright, instead allowing the SEC to attempt to prove that SolarWinds and its chief information security officer, Timothy Brown, committed securities fraud by failing to warn in a “security statement” published before the hack that they knew the company was highly vulnerable to attack.
“The SEC plausibly alleges that in its security statements, SolarWinds and Brown made continuing misrepresentations about the adequacy of its access controls, many of which were outright false,” Engelmayer wrote. “Because SolarWinds is a company that markets sophisticated software products to customers who make computer security a top priority, and because cybersecurity is central to SolarWinds’ business model, these misrepresentations were undoubtedly material.”
The judge praised the SEC for backing up its claims through an investigation that produced internal messages and presentations criticizing the company’s limited access controls, password policies and network monitoring capabilities.
In 2019, an outside security researcher notified the company that the password for a server used to send software updates had been leaked. The password was “solarwinds123.”
A year earlier, an engineer had warned in an internal presentation that hackers could use the company’s virtual private network from unauthorized devices to upload malicious code. Brown failed to share that information with executives, the judge wrote, and the hackers later did just that.