Most of the SEC lawsuit against SolarWinds has been thrown out

A judge has dismissed a majority of the SEC lawsuit against SolarWinds, except for securities fraud claims related to a statement on SolarWinds’s website about the company’s security controls. The judge noted that SolarWinds had previously stated it was not obligated to disclose individual cyber incidents or ensure complete prevention of all cyber incidents. Additionally, the judge emphasized that anti-fraud laws do not require risk warnings to be excessively specific.

The lawsuit, filed in October, alleged that SolarWinds deceived investors by concealing security vulnerabilities before and after a cyberattack targeting the U.S. federal government. The SEC also claimed that SolarWinds minimized the impact of the cyberattack post-incident. All claims against SolarWinds and CISO Timothy Brown were dismissed for statements made after the attack.

Regarding the SolarWinds ruling, John Gunn, CEO of Token, offered the following insight:

“In light of the recent SCOTUS decision in Loper, which eliminated Chevron deference and placed more responsibility on regulatory bodies like the SEC to clearly define regulatory requirements and shift penalty decisions from agencies to the courts.

“Those who view this as SolarWinds escaping accountability overlook the $26 million settlement they paid in a shareholder class action lawsuit and the significant $2 billion decline in company value following the incident disclosure. These financial repercussions have a significant impact on other organizations’ commitment to enhancing cybersecurity measures and disclosures.”