Security executives, former US government officials, tech groups and the US Chamber of Commerce, filed amicus briefs backing a motion to dismiss the US Securities and Exchange Commission's (SEC) civil fraud lawsuit against SolarWinds.
The SEC is suing SolarWinds over a 2020 cyberattack, alleging that SolarWinds and its Chief Information Security Officer, Timothy G. Brown, defrauded investors by misrepresenting the company's cybersecurity practices and understating known cybersecurity risks. Last week, SolarWinds filed a case with the US Southern District Court of New York to dismiss the suit, citing that it is outside the SEC's expertise, scope and authority to charge SolarWinds.
SolarWinds lawyers stated, 'We remain confident that SolarWinds' disclosures at all times were appropriate, and the SEC's assertions otherwise are fundamentally flawed.'
The briefs cautioned that the SEC interprets its enforcement authority too broadly by including unrelated cybersecurity policies and procedures under the statutory term' internal accounting controls.' This means the SEC can find a company in violation of the federal securities laws when the company does not follow an internal policy, or even when it is a victim of crime.
Additionally, companies could be exposed to the risk of cyber attacks, particularly if they were compelled to disclose their security vulnerabilities publicly.
This case could also result in hindered internal communications between CISOs and other employees, as the SEC is using internal communications by the SolarWinds CISO as a basis for Brown's personal liability.
The SEC's response to SolarWinds' dismissal motion is due 8 March.
The case could potentially cast a chilling effect on the industry. According to the SEC's rules implemented in July 2023, publicly traded companies are required to disclose cyber incidents in a public filing within four business days. This might create concerns among executives, fearing that such disclosures could result in legal repercussions down the line. Consequently, this reluctance might deter companies from promptly sharing crucial threat intelligence essential for an effective response.