Communications Litigation Today was a Warren News publication.
‘Revictimize the Victim’

SEC’s Notion ‘Absurd’ That SolarWinds Hid Scale of 2020 Attack, Says Motion to Dismiss

SolarWinds and Tim Brown, its chief information security officer, seek the dismissal of the SEC’s fraud complaint arising from the December 2020 Sunburst cyberattack waged by the Russian government. The case is “fundamentally flawed,” said their memorandum of law Friday (docket 1:23-cv-09518) in U.S. District Court for Southern New York in Manhattan in support of their motion to dismiss.

The SEC’s 10-count complaint alleges that SolarWinds and Brown were guilty of SEC Act violations for not alerting investors to the scale of the cyberattack and to the company’s security vulnerabilities leading up to it (see 2310310041). But when SolarWinds learned of the cyberattack, it responded “just as a public company should” by promptly and transparently disclosing the attack, said the memorandum. SolarWinds also “continued to update investors as its investigation progressed,” it said.

Nonetheless, more than three years later, the SEC “seeks to revictimize the victim” by bringing securities fraud and controls charges against SolarWinds and Brown, said the memorandum. The charges are “as unfounded as they are unprecedented,” it said.

The SEC is trying to unfairly “move the goalposts” for what companies must disclose about their cybersecurity programs, said the memorandum. With the controls charges, the SEC is trying to claim a mandate for regulating those programs “that the agency does not have,” it said.

The SEC’s fraud claims fail because it doesn’t, and can’t, plausibly allege any “materially misleading statements” that SolarWinds made, said the memorandum. SolarWinds’ risk factors specifically warned that its systems were vulnerable to “sophisticated nation-state” actors -- “the very risk that materialized,” it said.

The SEC complains those disclosures were insufficient, asserting that companies “must disclose detailed vulnerability information in their SEC filings,” said the memorandum. But that’s “not the law, and for good reason,” it said. Disclosing such details “would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers,” it said.

When Sunburst occurred, SolarWinds “disclosed the key facts it knew about the attack and its severity, including that as many as 18,000 customers were at risk of compromise,” said the memorandum. In light of those “candid” disclosures, the notion that SolarWinds concealed the seriousness of the attack is “absurd,” it said.

The SEC also alleges nothing “that would render SolarWinds’ statements about its security policies misleading,” said the memorandum. The agency points to documents “supposedly reflecting gaps in the implementation of those policies,” it said. But no “reasonable investor” would have understood SolarWinds’ statements “to imply a standard of perfection,” especially when its risk factors warned that it was vulnerable to attack “despite its security measures,” it said.