A US judge dismissed most of a Securities and Exchange Commission lawsuit accusing software company SolarWinds of defrauding investors by concealing its security weaknesses before and after a Russia-linked cyberattack targeting the US government.
US District Judge Paul Engelmayer in Manhattan dismissed all claims against SolarWinds and chief information security officer Timothy Brown over statements made after the attack, saying the claims were based on “hindsight and speculation.”
In a 107-page decision, the judge also dismissed most SEC claims concerning statements predating the attack, apart from securities fraud claims based on a statement on SolarWinds’ website touting the company’s security controls.
The SEC declined to comment.
SolarWinds said it was pleased with the decision and called the remaining claim against the company “factually inaccurate.”
Brown’s lawyers did not immediately respond to requests for comment.
The nearly two-year cyberattack known as Sunburst targeted Austin, Texas-based SolarWinds by using its flagship Orion software platform to infiltrate U.S. government networks.
Several US agencies including the Departments of Commerce, Energy, Homeland Security, State and Treasury were compromised before the attack was revealed in December 2020.
Its full consequences remain unknown, and the US government has said Russia likely orchestrated the attack. Russia has denied responsibility.
The SEC case filed last October appeared to be the first targeting a company that fell victim to a cyberattack, where the regulator did not announce a simultaneous settlement.
It is also rare for the SEC to sue public company executives who, like Brown, are not closely involved in preparing financial statements.
The SEC alleged that SolarWinds hid the porous cybersecurity of its products before the attack, and downplayed the attack’s severity after it occurred.
It also said SolarWinds concealed how customers had warned about malicious activity involving Orion.
But the judge said anti-fraud laws do not require that risk warnings contain “maximum specificity,” a process that could backfire if the warnings armed cyber attackers with extra information to exploit.
Engelmayer also said SolarWinds acknowledged it could not be expected to prevent every cyberattack and had no duty to disclose individual incidents.
“It has already disclosed the likelihood of these as, regrettably, a fact of life,” the judge wrote.