Federal Judge Denies SEC’s Bid to Regulate Corporate Cybersecurity in Landmark SolarWinds Case

NEW YORK — In a landmark decision, a federal judge in Manhattan ruled against the Securities and Exchange Commission’s (SEC) attempt to regulate corporate cybersecurity practices, dismissing most of a significant lawsuit centered on the extensive SolarWinds cyberattack. U.S. District Judge Paul A. Engelmayer concluded that the current statutory framework gives the SEC authority only over financial controls, not over the broader scope of internal cybersecurity measures.

This ruling came amid fears from various business sectors concerned about potential penalties from the SEC following breaches, particularly those executed by sophisticated hacking groups. Companies worried that stringent regulatory oversight on cybersecurity could impose undue burdens, especially after experiencing attacks from highly capable intruders.

The case, which emerged from the 2020 SolarWinds incident, where Russian operatives allegedly penetrated the software firm’s systems, underscored the complex challenges organizations face in protecting digital assets. According to U.S. officials, the cyber operatives compromised systems across federal agencies and major tech firms over more than a year, exposing vulnerabilities in national and corporate cybersecurity defenses.

Judge Engelmayer’s 107-page decision expressed concerns that an expansive interpretation of the SEC’s regulatory authority could have far-reaching consequences. The judge illustrated his point by suggesting that such an interpretation might allow the SEC to regulate various non-financial security measures, from the selection of physical padlocks to the procedures for hiring security personnel.

Critics of the SEC’s expanded oversight argued that imposing liability for cybersecurity misstatements could deter companies from openly sharing information about security breaches. This sentiment was echoed in friend-of-the-court briefs submitted by business leaders, security professionals, and former government officials, who supported dismissing the lawsuit to foster better communication and transparency in cybersecurity matters.

SolarWinds, headquartered in Austin, Texas, responded positively to the court’s decision to dismiss most of the SEC’s claims. The company expressed gratitude for the backing it received from industry and government veterans, emphasizing that this support underscored concerns about the SEC’s proposed reach into cybersecurity regulation.

However, Judge Engelmayer did not dismiss the SEC’s case in its entirety. He allowed the agency to pursue allegations of securities fraud against SolarWinds and its top security executive, Timothy Brown. The judge pointed out that misleading statements about the company’s vulnerability to cyberattacks could be materially significant, given that cybersecurity is integral to SolarWinds’ business model and offerings.

The inquiry revealed that prior to the cyberattack, internal criticisms had been raised about the company’s security practices, including weak password policies and inadequate network monitoring capabilities. For instance, a security researcher had previously notified SolarWinds that a server password — the strikingly simple “solarwinds123” — was publicly accessible online. Additionally, an engineer had highlighted vulnerabilities in SolarWinds’ virtual private network, which were reportedly not escalated to senior management and were later exploited by hackers.

The outcome of this case may set a precedent for how cyber risk management is handled within publicly traded companies, particularly those whose operations heavily depend on secure information technologies. This decision delineates the boundaries of the SEC’s oversight capabilities, emphasizing the need for a clear legislative directive if further regulatory involvement in corporate cybersecurity is deemed necessary.