NEW YORK (Reuters) – A U.S. judge dismissed much of the Securities and Exchange Commission’s lawsuit accusing software company SolarWinds of defrauding investors by hiding security weaknesses before and after a massive cyberattack targeting the U.S. government.
U.S. District Judge Paul Engelmayer in Manhattan said the SEC can pursue securities fraud claims based on a statement on SolarWinds’ website prior to the so-called Sunburst attack about the company’s cybersecurity practices.
He dismissed other claims of securities fraud and false filings, based on pre-Sunburst disclosures, and said all claims regarding post-Sunburst disclosures were based on “hindsight and speculation” and also required dismissal.
SolarWinds could not immediately be reached for comment, and the SEC did not immediately respond to a request for comment.
The lawsuit filed last October appeared to be the first in which the SEC sued a company that was a victim of a cyberattack, rather than charging and simultaneously settling.
Discovered in December 2020, Sunburst was a nearly two-year cyberattack in which hackers used SolarWinds’ flagship network management software, Orion, as a springboard into U.S. government networks and international targets.
Several federal agencies were compromised, including the Departments of Commerce, Energy, Homeland Security, State and Treasury. The full consequences of the attack remain unknown.
(This story has been refiled to say request, not requests, in paragraph 4)
(Reporting by Jonathan Stempel in New York; Additional reporting by Chris Prentice; editing by Philippa Fletcher)