Judge in SolarWinds case strikes down SEC oversight of cybersecurity controls

A federal judge has rejected the Securities and Exchange Commission’s bid to assert oversight over corporate cybersecurity controls in a case stemming from one of the worst known cyberattacks, providing relief to companies that worried they would be punished by regulators after breaches by well-resourced hackers.

In a closely watched case brought by the agency against 2020 hacking victim SolarWinds, US District Judge Paul A. Engelmayer on Thursday granted most of the company’s motion to dismiss, saying existing laws give the SEC authority only over financial accounting controls, not over all of a company’s internal controls.

“The SEC’s rationale, under which the law should be construed broadly to cover all systems that public companies use to protect their valuable assets, would have broad consequences,” Engelmayer wrote in a 107-page opinion.

“This could give the agency authority to regulate the background checks used in the hiring of night security guards, the selection of locks for storage sheds, security measures at water parks on whose reliability the asset of customer goodwill depends, and the length and configuration of passwords required to access company computers,” he wrote.

The federal judge in Manhattan also rejected the SEC’s claims that SolarWinds, which notified its customers after learning they were affected, falsely concealed the severity of the breach, in which Russian intelligence agents are accused of using SolarWinds software over more than a year to infiltrate multiple federal agencies and major tech companies. U.S. officials called the operation, disclosed in December 2020, one of the most severe in recent years, and its ramifications are still unfolding for the government and industry.

At a time when highly damaging hacking campaigns have become commonplace, the suit alarmed business leaders, some security executives, and even former government officials, who filed friend-of-the-court briefs urging its dismissal. They argued that adding liability for false statements would discourage hacking victims from sharing information with customers, investors, and security officials.

Austin-based SolarWinds said it was pleased that the judge “substantially granted our motion to dismiss the SEC’s claims,” adding in a statement that it was “grateful for the support we have received so far from our customers, cybersecurity professionals across the industry, and experienced government officials who reiterated our concerns.”

The SEC did not respond to a request for comment.

Engelmayer did not dismiss the case entirely, leaving the SEC a chance to show that SolarWinds and its top security executive, Timothy Brown, committed securities fraud through a public “security statement” issued before the hack, which failed to warn that the company knew it was highly vulnerable to attack.

The SEC “potentially alleges that SolarWinds and Brown made persistent public misrepresentations about the adequacy of their access controls in security statements, in fact multiple falsehoods,” Engelmayer wrote. “Given the centrality of cybersecurity to SolarWinds’ business model as a company selling sophisticated software products to customers for whom computer security was paramount, these misrepresentations were unquestionably material.”

The judge credited the SEC with supporting that argument by producing internal messages and presentations, obtained through its investigation, that criticized the company’s access controls, password policies and limited ability to monitor its own networks.

In 2019, an external security researcher informed the company that the password for the server used to distribute software updates had been publicly exposed: it was “solarwinds123”.

A year earlier, an engineer warned in an internal presentation that a hacker could access the company’s virtual private network from an unauthorized device and upload malicious code. Brown did not pass that information on to top executives, and hackers later used the same technique, the judge wrote.
