In a new filing with the US Southern District Court of New York, SolarWinds argued that the Securities and Exchange Commission was outside both its depth of expertise and its scope of authority in charging SolarWinds and its chief information security officer with mishandling the now-infamous 2020 Russian-backed cyber espionage attack on its Orion platform.
In late October 2023, the SEC charged SolarWinds and its CISO Tim Brown with securities fraud and internal controls failures for their response to the sophisticated cyberattack campaign that ultimately led to the compromise of several US government agencies using SolarWinds software.
The SEC alleges the company knew it didn't have appropriate cybersecurity controls in place to protect its systems, yet failed to act. Further, the SEC asserted that although SolarWinds insiders including Brown were well aware of suspicious activity in the systems, they willfully misled customers about the possible threat. The SEC also accuses Brown of dumping SolarWinds stock, profiting around $170,000, thanks to his insider information before the cyberattack was made public and stock values went into freefall.
SolarWinds Offers Detailed Denial of SEC Charges
Immediately following the announcement of the charges, SolarWinds vowed to mount a defense in court. The new motion to dismiss offered a detailed denial of the SEC's accusations.
"SolarWinds made proper, accurate disclosures both before and after the unprecedented Sunburst cyberattack, which is why this case should be dismissed," Serrin Turner, an attorney at Latham & Watkins who is representing SolarWinds, said in a statement to Bloomberg Law. "The SEC is trying to move the goalposts and force companies to disclose internal details about their cybersecurity programs, which would be both impractical and dangerous."
SolarWinds points out that the SEC was unable to specifically identify which SolarWinds security controls ran afoul of regulation.
"And its theory of 'internal accounting controls' violations amounts to a wholesale rewriting of the law," the company explained to the court. "The agency is seeking to twist the concept of accounting controls into a sweeping mandate for it to regulate public companies' cybersecurity controls — a role for which the SEC lacks congressional authorization or substantive expertise."
SolarWinds and Brown acted appropriately and maintained transparency throughout the response, the company said, adding that it is SolarWinds that is being unfairly characterized by the SEC as a perpetrator rather than the victim of a cybercrime.
"Nonetheless, more than three years later, the SEC seeks to revictimize the victim, by bringing securities fraud and controls charges against the company and its CISO, Tim Brown," the memorandum to the court said. "The charges are as unfounded as they are unprecedented."