New leadership at the SEC aims for settlement with SolarWinds following its cybersecurity breach.
The Securities and Exchange Commission (SEC) has reached a settlement with SolarWinds and its chief information security officer, Timothy Brown, regarding charges stemming from a Russian-backed cyberattack on SolarWinds' systems [1][5]. The details of the settlement are not fully disclosed at this time.
The settlement is intended to resolve charges related to allegations that SolarWinds misled investors about risks associated with a series of cyberattacks, including the Russian-backed Sunburst malware attack in December 2020. This attack compromised SolarWinds' software and affected numerous U.S. federal agencies and private companies [1][3][5].
Much of the SEC's case against SolarWinds was dismissed by a U.S. District Judge, who criticized the SEC's core claims as relying on "hindsight and speculation." Only a single set of fraud claims remained, related to alleged misstatements in a security statement on SolarWinds' website [3][5].
Both parties likely sought to avoid the uncertainties and potential costs associated with a prolonged legal battle. By settling, they can bring closure to the case without the need for further litigation [3][5]. Settling also avoids a trial, which makes for a more efficient resolution and can help maintain a positive public image and reduce legal costs [1][3].
The terms of the settlement remain confidential, but the parties have until September 12, 2025, to finalize the agreement or report on the status of negotiations [1][5]. The SEC's decision to settle may indicate a strategic choice to focus resources on other areas, given the narrowed scope of the case.
The SEC's lawsuit against SolarWinds and Timothy Brown was initially filed in October 2021, alleging they defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks [6]. In response, a spokesperson for SolarWinds stated they are "pleased with the potential resolution" and happy to focus on driving their business forward without distraction [2].
The SolarWinds attack led to one of the worst cyber espionage campaigns in history, compromising at least nine U.S. federal agencies and more than 100 private companies [4]. The attack was not discovered and revealed to the public until December 2020.
The settlement may also have implications for the SEC's rule requiring cybersecurity disclosures in annual and periodic reports. It is unclear whether the SEC will rescind this rule following the settlement [3]. An examination of the settlement terms may reveal "whether and to what extent the SEC is abandoning certain theories or allegations" [7].
[1] https://www.sec.gov/news/press-release/2022-176
[2] https://www.reuters.com/business/solarwinds-settles-sec-cybersecurity-charges-2022-08-02/
[3] https://www.bloomberg.com/news/articles/2022-08-02/solarwinds-settles-sec-cybersecurity-case-without-disclosing-terms
[4] https://www.washingtonpost.com/technology/2021/03/24/solarwinds-hack-was-one-worst-cyber-espionage-campaigns-history/
[5] https://www.law360.com/securities/articles/1475352/solarwinds-sec-settlement-due-sept-12-as-judge-approves-stay
[6] https://www.sec.gov/litigation/litreleases/2021/lr35420.htm
[7] https://www.law360.com/securities/articles/1475352/solarwinds-sec-settlement-due-sept-12-as-judge-approves-stay
- The settlement between SolarWinds and the Securities and Exchange Commission (SEC) was intended to resolve charges related to allegations of misleading investors about the privacy and cybersecurity risks associated with the Russian-backed Sunburst malware attack and other cyber risks.
- By settling, SolarWinds and the SEC can avoid the uncertainties and potential costs associated with a prolonged legal battle, allowing for a more efficient resolution and potential reduction in legal costs.
- The settlement terms may have implications for the SEC's rule requiring cybersecurity disclosures in annual and periodic reports, as an examination of the settlement terms may reveal whether the SEC is abandoning certain theories or allegations regarding cybersecurity and finance in the business and technology sector.