A judge has dismissed a majority of the SEC lawsuit against SolarWinds, apart from securities fraud claims prompted by a statement on SolarWinds's website that advertised the company’s security controls. The judge stated that SolarWinds previously acknowledged it had no obligation to disclose individual cyber incidents and no promised ability to prevent all cyber incidents. Furthermore, the judge asserted that anti-fraud laws do not obligate risk warnings to contain “maximum specificity.”
This lawsuit, which was filed last October, alleged that SolarWinds defrauded investors by hiding security vulnerabilities before and after a cyberattack targeted the United States federal government. The SEC further alleged that SolarWinds downplayed the severity of the cyberattack’s impacts after it occurred. All claims against SolarWinds and CISO Timothy Brown concerning statements made after the attack were dismissed.
In regard to the SolarWinds ruling, John Gunn, CEO of Token, provided the following commentary:
“The backdrop to this ruling is the recent SCOTUS decision in Loper that overturned the Chevron deference and placed a greater burden on regulatory agencies, including the SEC, to more clearly define regulatory requirements and to move decisions on penalties from agencies to the courts.
“Anyone who sees this as SolarWinds being relieved from the consequences of their actions is overlooking the $26 million they paid to settle the shareholder class action lawsuit resulting from this incident and the staggering $2 billion loss in company value they have suffered since the incident was disclosed. These financial penalties have the biggest impact on other organizations’ motivation to pursue more stringent cybersecurity protections and disclosures.”