On July 18, US District Judge Paul Engelmayer dismissed part of a landmark Securities and Exchange Commission lawsuit against Austin, Texas-based SolarWinds and its chief information security officer, Tim Brown, over how it presented the risk of a cyberattack before a breach and what it told investors after the hack occurred.
Bracewell’s David Shargel told The Wall Street Journal that the dismissal of part of the SEC’s claims was a victory for SolarWinds “by any measure” since companies rarely defeat an SEC lawsuit so early in the litigation process.
Judge Engelmayer did allow the SEC to move forward with claims that a security statement posted on SolarWinds’ website as early as 2017 was fraudulent because it misled the public about the company’s lax access control and password protection practices.
“It’s definitely a serious charge that remains, and it serves as a reminder that, as with any public-facing statement, companies need to ensure that their disclosures are accurate and not misleading,” added Shargel.
The case marked the first time securities regulators went to court with civil-fraud claims—the most serious charge at the agency’s disposal—against a public company that suffered a cyberattack.
“I think that might give some compliance departments some comfort going forward in terms of the parameters of the disclosure requirements,” Shargel said.
