The Securities and Exchange Commission settled its lawsuit against SolarWinds and the company's former head of cybersecurity over allegations that the company had misled investors about its security posture and filed false and misleading disclosures.
These allegations hinged on claims by the SEC that Timothy G. Brown, the former chief information security officer at SolarWinds, had privately expressed concerns about the company's cybersecurity practices and posture even as the company made public statements that the SEC alleged contradicted those concerns. Brown had led security at the company before the so-called Sunburst attack, disclosed in December 2020, in which attackers compromised SolarWinds' software build process and, through it, numerous customers.
The settlement comes a year after a judge dismissed many of the SEC's claims against SolarWinds while sustaining a few key claims, and amid legal jockeying between the SEC and SolarWinds over what evidence and testimonies would be presented at trial.
The details of the settlement, which the SEC and SolarWinds are still finalizing, were not disclosed. The parties said they would provide an update to the court on the settlement terms no later than Sept. 12.
The specifics of the settlement, once disclosed, could indicate how strong a case the SEC believes it had and how likely it is to pursue individual executives over cybersecurity breaches in the future.
Why it matters to financial institutions
During its litigation of the case against SolarWinds, the SEC responded to amicus briefs from interested parties (including software and cybersecurity organizations) arguing that the lawsuit was unprecedented, would chill internal communications about security weaknesses, and would lead companies to effectively hand threat actors roadmaps by describing security shortcomings in SEC filings.
The SEC said in its court filings that "once a company speaks on an issue or topic, it has the obligation to tell the whole truth." In other words: general, boilerplate disclosures about cybersecurity risks, of the kind the SEC had accused SolarWinds of making, are insufficient if internal documents reveal specific, material, unremediated vulnerabilities.
The judge in the case dismissed claims the SEC had made against SolarWinds related to this so-called "boilerplate" language, and the SEC clarified it does not seek "granular information" that creates a "roadmap" for attackers, but rather a "categorical assessment" of significant risks.
This provides public companies, including banks, a clearer idea of what kinds of disclosures are and are not sufficient for informing investors about potential cybersecurity shortcomings.
The case also included claims about individual accountability for executives in the wake of cyberattacks — a key concern of many observers in the cybersecurity realm.
The SEC alleged Brown helped create the security statement, holding him ultimately responsible for its content. He also signed sub-certifications for internal controls over financial reporting.
The judge ruled in the case that Brown could indeed be tried for his role in misleading investors about the security posture of SolarWinds, because of his involvement in making and responsibility for the security statement.
This enforcement action and the judge's order indicate that executives, particularly those in leadership roles over security and architecture, can face individual liability for misstatements and omissions, even if they do not directly sign SEC filings.
The judge sustained key claims by the SEC against SolarWinds
The judge in the case, Paul Engelmayer of the Southern District of New York, had ruled in July 2024 that Brown had been "primarily responsible for creating and approving" a security statement that SolarWinds published on its website, which included specific claims about the company's security practices, including password policies and access controls.
Engelmayer ruled at the time that the SEC could move forward with claims against Brown that he and SolarWinds had committed securities fraud by making allegedly false statements in this security statement.
This included a ruling that the SEC had adequately alleged fraudulent intent (scienter) on Brown's part with respect to the security statement. Specifically, the SEC alleged Brown had misrepresented the security practices of SolarWinds to help the company gain favor with investors.
The court's ruling last year was not a finding that Brown was liable or that he actually acted with fraudulent intent; at the motion-to-dismiss stage the court takes the SEC's allegations as true.
Rather, the ruling allowed the SEC to continue pressing these claims instead of having them dismissed out of hand, because the court found the SEC had plausibly alleged that the claims SolarWinds made in its security statement about its password policies and access controls "were materially misleading by a wide margin."
The specific claims the judge's ruling concerned related to password policies and access controls. As an example, SolarWinds had claimed in its security statement that it required "authorized users be provisioned with unique account IDs" and that the password policy "covers all applicable information systems, applications, and databases."
The SEC alleged that SolarWinds did not enforce strong password requirements across all its systems, applications and databases.
In one instance, an outside security researcher discovered in November 2019 that SolarWinds used the password "solarwinds123" to secure a publicly available server for distributing software updates. Brown acknowledged in a subsequent email that this was a "very weak password."
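The technical core of the sustained claim is the gap between a written password policy ("covers all applicable information systems, applications, and databases") and what is actually enforced on each system. The block below is an added example, not code from this page, the SEC, or SolarWinds: a minimal policy checker that shows why a password like "solarwinds123" fails a reasonable policy, a coverage audit over a constructed, hypothetical inventory that surfaces systems where the policy is not technically enforced, and a check for shared accounts against the "unique account IDs" claim. All system and account names are made up for illustration.

```python
import re
from dataclasses import dataclass

# Character classes counted by the policy: lower, upper, digit, other.
CHAR_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14
    min_char_classes: int = 3
    # Organization-derived words that must not appear anywhere in a password.
    org_terms: tuple = ("solarwinds",)
    # Small stand-in for a breached/common-password list.
    common: frozenset = frozenset({"password", "welcome", "admin", "letmein", "qwerty"})


def check_password(pw, policy=PasswordPolicy()):
    """Return a list of policy violations; an empty list means the password complies."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append(f"length {len(pw)} is below minimum {policy.min_length}")
    classes = sum(1 for c in CHAR_CLASSES if c.search(pw))
    if classes < policy.min_char_classes:
        violations.append(f"only {classes} character classes, policy requires {policy.min_char_classes}")
    low = pw.lower()
    for term in policy.org_terms:
        if term in low:
            violations.append(f"contains organization term {term!r}")
    # 'Password123!' style: strip trailing digits/symbols and compare to the common list.
    stripped = re.sub(r"[0-9!@#$%^&*]+$", "", low)
    if stripped in policy.common:
        violations.append(f"common word {stripped!r} with trailing digits or symbols")
    return violations


@dataclass(frozen=True)
class System:
    name: str
    internet_facing: bool
    policy_enforced: bool  # True if bound to the central directory/IdP where the policy is applied


def coverage_gaps(systems):
    """Systems the written policy claims to cover but does not technically reach, riskiest first."""
    gaps = [s for s in systems if not s.policy_enforced]
    return sorted(gaps, key=lambda s: (not s.internet_facing, s.name))


def shared_accounts(account_users):
    """Accounts used by more than one person, violating a 'unique account IDs' requirement."""
    return sorted(acct for acct, users in account_users.items() if len(users) > 1)


# Constructed inventory; every name and flag is hypothetical.
SAMPLE_INVENTORY = (
    System("corp-directory", internet_facing=False, policy_enforced=True),
    System("update-distribution-server", internet_facing=True, policy_enforced=False),
    System("build-artifact-store", internet_facing=False, policy_enforced=False),
    System("vpn-gateway", internet_facing=True, policy_enforced=True),
)

# Constructed account-to-people mapping; hypothetical.
SAMPLE_ACCOUNTS = {
    "svc-updates": {"ops-a", "ops-b", "contractor-c"},
    "alice": {"alice"},
    "bob": {"bob"},
}


def main():
    print("violations for 'solarwinds123':")
    for v in check_password("solarwinds123"):
        print("  -", v)
    print("policy not enforced on:")
    for s in coverage_gaps(SAMPLE_INVENTORY):
        exposure = "internet-facing" if s.internet_facing else "internal"
        print(f"  - {s.name} ({exposure})")
    print("shared accounts:", shared_accounts(SAMPLE_ACCOUNTS))


if __name__ == "__main__":
    main()
```

The point of `coverage_gaps` is that a policy statement is only as true as the enforcement inventory behind it: an internet-facing update server outside the central directory is exactly the kind of system on which a weak local credential can survive unnoticed.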
Engelmayer expressed skepticism about some of the SEC's other claims about misleading statements. For example, the SEC alleged that SolarWinds misleadingly said it followed NIST's Cybersecurity Framework, a voluntary framework widely used by organizations to assess their own security posture.
The judge said this claim by the SEC was "not their strongest one."
Many other claims against Brown and the company were dismissed
While sustaining some key claims about SolarWinds and Brown making misleading statements, the court had dismissed many of the SEC's other claims.
For example, the court dismissed claims that Brown had made public statements in blog posts, podcasts and press releases that constituted securities fraud. The judge deemed these statements "non-actionable corporate puffery" (i.e., mere marketing) that was "too general to cause a reasonable investor" to be misled.
The SEC had originally alleged that Brown and SolarWinds made inadequate disclosures in their December 2020 and January 2021 filings following the Sunburst event. The judge ruled that these claims by the SEC "impermissibly rely on hindsight and speculation," and dismissed them.
The court also found that the SEC failed to adequately allege that SolarWinds had insufficient incident response plans, and it said that two instances of misclassifying the severity of security incidents were an "inadequate basis" on which to impeach the response plans.