Judge Dismisses Most SEC Charges Against SolarWinds
2024-7-20 06:30:52 Author: securityboulevard.com

A U.S. District Court judge blew a sizeable hole in the federal government’s high-profile case against software maker SolarWinds, dismissing most of the charges against the company and CISO Tim Brown over their actions before and after the high-profile supply chain attack that came to light in 2021.

The Securities and Exchange Commission (SEC) in October 2023 filed charges against both the company and Brown, accusing them of misleading investors about the strength of SolarWinds’ cybersecurity measures and downplaying or not disclosing risks between 2017 and 2021.

The charges were seen as a significant step by the federal government in holding companies – and their top cybersecurity officers – liable for the security of their products and attacks on them.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” Gurbir Grewal, director of the SEC’s Division of Enforcement, said in a statement at the time. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

Grewal added that the case “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

However, U.S. District Judge Paul Engelmayer in Manhattan disagreed with much of the SEC’s case, writing in his 107-page decision that the charges regarding disclosures made after the attack “do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation.”

Some Charges are Still Standing

That said, Engelmayer wrote that the SEC could move ahead with charges related to SolarWinds’ 2017 Security Statement, saying its claims of strong cybersecurity policies and practices were “materially misleading and false.”

He wrote that “in essence, the Statement held out SolarWinds as having sophisticated cybersecurity controls in place and as heeding industry best practices. In reality, based on the pleadings, the company fell way short of even basic requirements of corporate cyber health.”

The SEC has two weeks to address the remaining charges, while SolarWinds executives in a statement to the media said the company planned to present evidence that even those charges are “factually inaccurate.”

“We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed,” they said.

Supply Chain Risks

The case stems from a two-year attack that government officials blamed on hackers supported by Russia’s foreign intelligence services. The bad actors were able to inject malicious code into SolarWinds’ Orion network performance monitoring software, so many of the companies that installed the product were infected. Hundreds of companies and almost a dozen government agencies – including the Justice Department, Defense Department, Treasury Department, and Department of Homeland Security – were infected with malware, which allowed attackers to steal data.

The hack put a sharp focus on the growing cyber risks of software supply chain attacks, which allow bad actors to inject malware once into a piece of software and infect the downstream customers and partners that install it.

A Setback for the Government

The SEC case against SolarWinds was part of the federal government’s efforts to shift the responsibility for security from users to vendors and to urge developers to integrate security earlier in the software development lifecycle.

SolarWinds in January filed a motion to dismiss the SEC charges and was in large part successful.

Dave Lynn, a partner in Goodwin Law Firm’s Capital Markets group and chair of the firm’s Public Company Advisory practice, wrote in a brief column that “there will no doubt be a lot of ink spilled over the coming days analyzing the potential implications of the decision for the SEC’s current Enforcement efforts with respect to cybersecurity disclosure and internal accounting controls, but suffice it to say that this decision pushes back on some of the agency’s most aggressive enforcement theories in the cybersecurity space.”

John Gunn, CEO of cybersecurity firm Token, said that the recent Supreme Court ruling overturning the Chevron deference played a role in the judge’s decision, putting a greater burden on regulatory agencies to clearly define regulatory requirements and shifting the decision on penalties from agencies to the courts.

“Anyone who sees this as SolarWinds being relieved from the consequences of their actions is overlooking the $26 million they paid to settle the shareholder class action lawsuit resulting from this incident and the staggering $2 billion loss in company value they have suffered since the incident was disclosed,” Gunn said. “These financial penalties have the biggest impact on other organizations’ motivation to pursue more stringent cybersecurity protections and disclosures.”

Source: https://securityboulevard.com/2024/07/judge-dismisses-most-sec-charges-against-solarwinds/