The much-discussed SEC vs SolarWinds cyber lawsuit has concluded
SEC and SolarWinds Reach Principle Agreement in 2020 Cyberattack Litigation
In a significant development, the U.S. Securities and Exchange Commission (SEC) and SolarWinds have reached a settlement in principle to resolve litigation stemming from the 2020 compromise of SolarWinds' Orion platform by Russian cyber operatives.
The settlement, if approved, will put an end to the ongoing legal proceedings against SolarWinds and its Chief Information Security Officer, Tim Brown. The approval for the temporary settlement agreement between the SEC and SolarWinds will be granted by the U.S. District Court.
The cyberattack, which involved hackers deploying malicious code into SolarWinds' Orion IT monitoring and management software, is believed to have affected approximately 20,000 SolarWinds customers. Among the likely primary targets of this cyberattack were U.S. government entities, including the Department of Energy (DoE) and the National Nuclear Safety Administration (NNSA), which is responsible for maintaining the U.S. nuclear weapons stockpile.
The SEC's settlement with SolarWinds comes after the SEC's recently publicized rules on security incident reporting, which became effective at the end of 2023, focus on actions taken by security leaders following an incident. The SEC's dismissal of claims against SolarWinds and Brown last year was predicated on the argument that they relied on hindsight and speculation. However, Judge Engelmayer did sustain several charges, including specific parts of the SEC's complaints that alleged public misrepresentations concerning the resilience of SolarWinds' access controls.
The compromised code was subsequently pushed to downstream targets as a legitimate software update, in what is known as the "Sunburst/Solorigate" supply chain incident. This incident involved the introduction of malicious code into the SolarWinds platform by the Russian state hacking group known as Cozy Bear.
A SolarWinds spokesperson has stated that the settlement is subject to approval by the Commission and they cannot discuss the terms at this time. Both parties have requested that all pending dates in the case be stayed in anticipation of a planned filing date for the final settlement, which is set for September 12. Judge Engelmayer has stayed all deadlines in the case and adjourned oral arguments that were scheduled for later in the month.
It is important to note that this settlement does not absolve SolarWinds or its executives of any criminal liability. The company and its executives continue to face separate criminal charges in relation to the 2020 cyberattack. The SEC's recently publicized rules on security incident reporting, which focus on actions taken by security leaders following an incident, may also have implications for SolarWinds' future compliance practices.
As the details of the settlement become clearer, it is hoped that this will provide some closure for the affected parties and help SolarWinds move forward in rebuilding trust and strengthening its security settings.
