SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere
The US Securities and Exchange Commission (SEC) has abandoned the lawsuit it pursued against SolarWinds and its chief infosec officer for misleading investors about security practices that led to the 2020 SUNBURST attack.
In a joint motion filed Thursday, the SEC, along with SolarWinds and its Chief Information Security Officer Timothy G. Brown, asked the court to dismiss [PDF] the commission’s ongoing civil enforcement action.
The SEC did note that its decision to seek dismissal is “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”
A SolarWinds spokesperson told The Register that the company is “clearly delighted” with the outcome.
“We fought with conviction, arguing that the facts demonstrated our team acted appropriately,” the spokesperson said, adding that the SEC’s decision “is a welcome vindication of that position.”
“We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work.”
In a subsequent blog about the dismissal of the case, SolarWinds CEO Sudhakar Ramakrishna said the SEC decision “marks the end of a transformative chapter for SolarWinds and the beginning of our next.” Ramakrishna said the attack – which saw Russian spies backdoor the vendor’s Orion network monitoring suite after gaining access to the company’s internal infrastructure – “shaped a new SolarWinds.”
Around 18,000 organizations downloaded the poisoned software, and about 100 were later hacked by Russia’s Cozy Bear crew. Victims included Microsoft, Intel, FireEye and Cisco, plus the USA’s departments of Treasury, Justice, Defense, and Energy.
“[SUNBURST] pushed us to think even more deeply about newer, emerging threats, resulting in Secure by Design, our pledge to set a new standard for trustworthy and secure software development across the industry,” Ramakrishna wrote.
The SEC’s 2023 lawsuit alleged SolarWinds and its CISO misled investors about its security practices as far back as October 2018, and later intentionally downplayed the scope and severity of the cyberattack.
At the time, SolarWinds accused America’s financial watchdog of seeking to “revictimise the victim” with its lawsuit, which was a rare example of a regulator targeting a CISO after a cyber-incident.
In July 2024, a judge mostly set aside the SEC’s allegations – so it’s possible the commission was reading the writing on the wall in agreeing to drop the case. We have asked the SEC for comment, and will update this story if we receive any response. ®
