SolarWinds calls SEC charges unfounded and inexplicable, files for dismissal

In a motion-to-dismiss filing with the US Southern District Court of New York, SolarWinds issued a complete denial of any internal mishandling of the 2020 Sunburst cyberattack, contesting an October 2023 US Securities and Exchange Commission (SEC) lawsuit against it for “insufficient disclosure.”

The filing seeks dismissal of all SEC charges against SolarWinds and its chief information security officer, Timothy G. Brown which included misleading investors by not disclosing “known risks,” violating rules on disclosure controls, and misrepresenting the company’s cybersecurity measures during and before the Russian-backed cyber-espionage attack.

“The SEC seeks to revictimize the victim, by bringing securities fraud and controls charges against the Company and its CISO, Tim Brown,” SolarWinds said in the court filing. “The case is fundamentally flawed and should be dismissed in its entirety.”

Calling the charges completely “unfounded”, SolarWinds added that it had “promptly and transparently disclosed the attack and continued to update investors as its investigation progressed.”

The motion calls SEC charges inexplicable

In the motion to dismiss the SEC charges, SolarWinds maintains that SEC allegations were flawed and outside of its area of expertise, calling it a trick to establish a mandate for security regulations it currently does not have. 

“As for the controls charges, the SEC fails to identify any disclosure controls that were unreasonably designed,” said SolarWinds. “And its theory of “internal accounting controls” violations amounts to a wholesale rewriting of the law.”

“The agency is seeking to twist the concept of accounting controls into a sweeping mandate for it to regulate public companies’ cybersecurity controls—a role for which the SEC lacks congressional authorization or substantive expertise,” the filing added.

In addition to lacking “material evidence” for its fraud claims, the SEC’s disclosure violation charges in the October filing were unrealistic and unlawful, according to SolarWinds. The company added that it had warned its stakeholders that its systems were “vulnerable to sophisticated nation-state actors”.

“The SEC complains these disclosures were insufficient, asserting that companies must disclose detailed vulnerability information in their SEC filings,” the filing added. “But that is not the law, and for good reason: disclosing such details would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers.”

CISO responsibilities in focus

The case has been closely followed within the industry as it is expected to set many precedents. This is the first time a company CISO has been named in SEC charges for non-disclosure. The proceedings stand to open the CISO role to additional scrutiny and responsibilities.

“SolarWinds, as expected, is defending this saying they adequately informed investors,” said Pareekh Jain, chief analyst at Pareekh Consulting. “The question is, was the said disclosure enough, or should they have done more? This is a first-of-its-kind case where cybersecurity disclosure to the SEC is being investigated. The judgment here will act as guiding principles for CISOs for future cybersecurity disclosures to SEC.”

As Brown faces SEC charges based on his public statements and signature on internal security documents which, the federal agency alleges, helped mislead investors, SolarWinds calls the charges “unwarranted” and “inexplicable.”

“The SEC fails to articulate any coherent theory of aiding-and-abetting liability against Mr. Brown,” the filing added. “Mr. Brown is an experienced and well-respected professional who simply did his job during the events in question (and did it well). The SEC’s gratuitous charges against him should be rejected.”

Before this official motion for dismissal of SEC charges, SolarWinds CEO, Sudhakar Ramakrishna had posted the company’s responses on the same day as the SEC filing, calling the charges “misguided” and representative of a “regressive set of views and actions” inconsistent with the progress the industry needs to make.


Go to Source