In an opinion last week, Judge Engelmayer dismissed most of the SEC’s fraud claims against the software company SolarWinds over the so-called “SUNBURST” cyberattack in 2020 that is generally attributed to state-sponsored Russian hackers.
Judge Engelmayer allowed the SEC’s claims to proceed as to certain pre-SUNBURST statements on SolarWinds’ website touting its cybersecurity practices, but dismissed the SEC’s claims based on statements the company made after the fact, finding that those claims “impermissibly rel[ied] on hindsight and speculation.” For example, a Form 8-K filed after the attack allegedly left out certain details about the extent of the harm, but Judge Engelmayer noted that “perspective and context are critical,” including that the filing was made as the facts were evolving and that, overall, the Form 8-K “by any measure bluntly reported brutally bad news for SolarWinds.”
Judge Engelmayer rejected a novel theory advanced by the SEC that SolarWinds’ cybersecurity failures violated a provision of the Securities Exchange Act requiring issuers to maintain “internal account controls sufficient” to prevent unauthorized “access to assets,” finding that the language concerned “financial accounting,” not cybersecurity:Continue Reading Judge Engelmayer: Securities Law Requiring “Internal Accounting Controls” Does Not Reach Cybersecurity Deficiencies