SEC seeks SolarWinds settlement in reversal for agency under new leadership

The Securities and Exchange Commission has reached a settlement with SolarWinds and the company’s chief information security officer, Timothy Brown, to resolve charges stemming from the Russian-backed cyberattack on the company’s systems.

The parties “have reached a settlement in principle that would completely resolve this litigation,” the SEC said in a filing last week with the federal judge in New York who is overseeing the commission’s lawsuit against the company.

The judge quickly approved the SEC’s request to stay deadlines in the case, including oral arguments previously scheduled for July 22. “The Court congratulates counsel and the parties on this productive development,” the judge said. He gave SolarWinds, Brown and the SEC until Sept. 12 to either file settlement paperwork or provide a status update on the settlement process.

Russian state-linked hackers breached SolarWinds starting in late 2019 and injected malicious code into its Orion IT monitoring software as part of an operation to penetrate the networks of SolarWinds’ customers. The attack was not discovered and revealed to the public until December 2020.

The supply-chain attack led to one of the worst cyber espionage campaigns in history, compromising at least nine U.S. federal agencies and more than 100 private companies.

The SolarWinds attack prompted widespread government and private-sector reassessments of supply chain cyber risks, as well as new attention to the security of software development environments. 

In October 2023, the SEC sued SolarWinds and Brown, arguing that they “defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.” (A judge dismissed most of the original charges last year.) The commission also charged four SolarWinds customers for allegedly misleading investors about the extent of their exposure to the breach.

It is unclear why the SEC chose to settle the SolarWinds case, and an agency spokesperson declined to comment on its rationale. But when the then-Democratic-led commission brought the charges, the two Republican appointees dissented, later criticizing the commission for “playing Monday morning quarterback” by second-guessing SolarWinds’ decisions. After President Donald Trump took office and appointed a new SEC chair, those two commissioners became part of the agency’s Republican majority.

SolarWinds declined to disclose the terms of the settlement. “We are pleased with the potential resolution and happy to focus on driving our business forward without distraction,” a spokesperson said.

Adam Hickey, a partner at Mayer Brown and a former federal prosecutor handling cyber and national security cases, said an examination of the eventual settlement terms would reveal “whether and to what extent the SEC is abandoning certain theories or allegations.”

“So far, the SEC has not moved to rescind the rule requiring cybersecurity disclosures in annual and periodic reports,” he said. “The settlement may or may not point in that direction.”
