Proposed Settlement May Resolve Landmark SEC Case Over Cybersecurity Misstatements

The U.S. Securities and Exchange Commission (SEC) and SolarWinds have reached an agreement to settle a significant lawsuit concerning allegations of cyberfraud. This development follows changes in leadership at the SEC, which may influence the outcome of the case.
The proposed settlement is pending approval from the full commission, which has been predominantly led by Republicans since January. A judge has instructed both parties to submit a joint status report by September 12 if the final settlement paperwork is not submitted by that date. A previously scheduled oral argument for July 22 has been postponed due to the settlement discussions.
Judge Paul Engelmayer acknowledged the progress made in negotiations by praising the parties involved for their productive steps. His order to stay all deadlines and adjourn oral arguments reflects the ongoing settlement process.
Background of the SEC Allegations
The SEC’s case against SolarWinds dates back to October 2023 and alleges that the company and its executives made misleading statements about their cybersecurity posture from 2018 to 2020. While Engelmayer dismissed numerous claims in July 2024, he permitted one to move forward, focusing on a security claim made shortly before the Orion hack disclosure in December 2020.
Engelmayer emphasized the potential for a jury to find SolarWinds’ security claim misleading, especially given that internal records contradicted public assertions of secure access controls and password policies. That CISO Tim Brown raised concerns about these deficiencies while still allowing misleading statements to be published may qualify as “highly unreasonable or extreme misconduct,” as suggested by the judge.
Negotiations for settlement began post-ruling, but SolarWinds’ legal counsel indicated resistance to the SEC’s terms, prompting calls for a third-party mediator. Despite efforts, discussions stalled, and the SEC moved to obtain testimony from a former SolarWinds employee regarding a documented network vulnerability associated with VPN access.
Implications of Political Changes
The political shift in the SEC has influenced its approach to settlements. New Republican commissioners have expressed skepticism towards previous actions taken under predominantly Democratic leadership, particularly regarding penalties for companies in cybersecurity litigation.
The SEC’s actions during the Biden administration focused on charging companies with securities fraud based on alleged cybersecurity mismanagement, marking a novel application of regulatory scrutiny. This scrutiny includes previous settlements with companies like Check Point and Mimecast that faced penalties for misleading disclosures regarding the Orion incident. In response to this evolving legal landscape, the current Republican majority at the SEC has signaled a preference for recognizing companies as victims of cyberattacks.
Lawyers for SolarWinds argue that internal operational shortcomings do not amount to intentional fraud and contend that the SEC is inappropriately attributing industry-wide cybersecurity issues solely to their practices. As negotiations proceed, both parties aim to mitigate the risks associated with a trial that could yield uncertain outcomes in a rapidly evolving legal environment.