In a motion-to-dismiss filing with the US Southern District Court of New York, SolarWinds issued a complete denial of any internal mishandling of the 2020 Sunburst cyberattack, contesting an October 2023 US Securities and Exchange Commission (SEC) lawsuit against it for âinsufficient disclosure.â
The filing seeks dismissal of all SEC charges against SolarWinds and its chief information security officer, Timothy G. Brown which included misleading investors by not disclosing âknown risks,â violating rules on disclosure controls, and misrepresenting the companyâs cybersecurity measures during and before the Russian-backed cyber-espionage attack.
âThe SEC seeks to revictimize the victim, by bringing securities fraud and controls charges against the Company and its CISO, Tim Brown,â SolarWinds said in the court filing. âThe case is fundamentally flawed and should be dismissed in its entirety.â
Calling the charges completely âunfoundedâ, SolarWinds added that it had âpromptly and transparently disclosed the attack and continued to update investors as its investigation progressed.â
The motion calls SEC charges inexplicable
In the motion to dismiss the SEC charges, SolarWinds maintains that SEC allegations were flawed and outside of its area of expertise, calling it a trick to establish a mandate for security regulations it currently does not have.Â
âAs for the controls charges, the SEC fails to identify any disclosure controls that were unreasonably designed,â said SolarWinds. âAnd its theory of âinternal accounting controlsâ violations amounts to a wholesale rewriting of the law.â
âThe agency is seeking to twist the concept of accounting controls into a sweeping mandate for it to regulate public companiesâ cybersecurity controlsâa role for which the SEC lacks congressional authorization or substantive expertise,â the filing added.
In addition to lacking âmaterial evidenceâ for its fraud claims, the SECâs disclosure violation charges in the October filing were unrealistic and unlawful, according to SolarWinds. The company added that it had warned its stakeholders that its systems were âvulnerable to sophisticated nation-state actorsâ.
âThe SEC complains these disclosures were insufficient, asserting that companies must disclose detailed vulnerability information in their SEC filings,â the filing added. âBut that is not the law, and for good reason: disclosing such details would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers.â
CISO responsibilities in focus
The case has been closely followed within the industry as it is expected to set many precedents. This is the first time a company CISO has been named in SEC charges for non-disclosure. The proceedings stand to open the CISO role to additional scrutiny and responsibilities.
âSolarWinds, as expected, is defending this saying they adequately informed investors,â said Pareekh Jain, chief analyst at Pareekh Consulting. âThe question is, was the said disclosure enough, or should they have done more? This is a first-of-its-kind case where cybersecurity disclosure to the SEC is being investigated. The judgment here will act as guiding principles for CISOs for future cybersecurity disclosures to SEC.â
As Brown faces SEC charges based on his public statements and signature on internal security documents which, the federal agency alleges, helped mislead investors, SolarWinds calls the charges âunwarrantedâ and âinexplicable.â
âThe SEC fails to articulate any coherent theory of aiding-and-abetting liability against Mr. Brown,â the filing added. âMr. Brown is an experienced and well-respected professional who simply did his job during the events in question (and did it well). The SECâs gratuitous charges against him should be rejected.â
Before this official motion for dismissal of SEC charges, SolarWinds CEO, Sudhakar Ramakrishna had posted the companyâs responses on the same day as the SEC filing, calling the charges âmisguidedâ and representative of a âregressive set of views and actionsâ inconsistent with the progress the industry needs to make.