In a new filing in the U.S. Southern District Court in New York, SolarWinds argued that the Securities and Exchange Commission was outside its depth of jurisdiction and scope of authority in charging SolarWinds and its chief security officer IT has mishandled the infamous 2020 Russian-backed cyber espionage attack on its Orion platform.
At the end of October 2023, the The SEC takes SolarWinds to task and its CISO Tim Brown regarding securities fraud and internal control failures for their response to the sophisticated cyber attack campaign this ultimately led to the compromise of several US government agencies that were using SolarWinds software.
THE The SEC supports the company knew it did not have adequate cybersecurity controls in place to protect its systems, but failed to take action. Additionally, the SEC said that although SolarWinds insiders, including Brown, were well aware of the suspicious activity in the systems, they intentionally misled customers about the possible threat. The SEC also accuses Brown of selling SolarWinds shares, making about $170,000, on his inside information before the cyberattack was made public and the stock price went into free fall.
SolarWinds offers a detailed denial of SEC charges
Immediately after the allegations were published, SolarWinds has promised to mount a defense in court. THE new motion to dismiss offered a detailed denial The accusations of the SEC.
“SolarWinds provided fair and accurate information both before and after the unprecedented Sunburst cyber attack, which is why this case should be dismissed,” Serrin Turner, a Latham & Watkins attorney representing SolarWinds, said in a statement to Bloomberg Law . “The SEC is trying to move the goalposts and force companies to reveal internal details about their cybersecurity programs, which would be impractical and dangerous.”
SolarWinds points out that the SEC was unable to specifically identify which SolarWinds security controls conflicted with regulation.
“And his theory of ‘internal accounting controls’ violations amounts to a total rewriting of the law,” the company told the court. “The agency is seeking to transform the concept of accounting controls into a broad mandate to regulate cybersecurity controls of public companies, a role for which the SEC does not have congressional authorization or substantive expertise.”
SolarWinds and Brown acted appropriately and maintained transparency throughout the response, the company said, adding that it is SolarWinds that is unfairly characterized by the SEC as the perpetrator, rather than the victim of a cybercrime.
“However, more than three years later, the SEC seeks to revictimize the victim by pursuing securities fraud and control charges against the company and its CISO, Tim Brown,” the memorandum to the court reads. “The allegations are as unfounded as they are unprecedented.”