SolarWinds & SEC Move Toward Settlement in Cybersecurity Disclosure Case
Key Takeaways
- Preliminary Settlement Reached: The SEC, SolarWinds, and CISO Timothy Brown have reached a tentative agreement to settle the cybersecurity disclosure lawsuit, Reuters first reported.
- Litigation Stems from Sunburst Hack: The case was tied to the Russia-linked Sunburst cyberattack, which compromised SolarWinds software and affected U.S. government agencies and corporations.
- Judge Previously Dismissed Core Claims: U.S. District Judge Paul Engelmayer had earlier tossed much of the SEC’s case, criticizing it as relying on “hindsight and speculation.”
- Details Remain Confidential: While the terms are still under wraps, SolarWinds said it is “pleased with the potential resolution.”
- Deadline Set for Finalization: The parties must submit the settlement agreement or a joint status report by September 12.
Deep Dive
The U.S. Securities and Exchange Commission (SEC) and SolarWinds Corp. have reached a tentative agreement to settle the high-profile lawsuit stemming from the Russia-linked Sunburst cyberattack, Reuters first reported Wednesday.
The preliminary deal also includes SolarWinds’ Chief Information Security Officer (CISO) Timothy Brown, who had been named personally in the case. The parties have asked U.S. District Judge Paul Engelmayer to pause all proceedings while they finalize the paperwork for the settlement. The judge granted the motion, court records show.
The SEC originally filed suit against the Texas-based software company and Brown over their handling of the sprawling cyberattack that ran undetected for nearly two years. In what was seen as a watershed moment for cybersecurity enforcement, the agency accused the company and its CISO of defrauding investors by failing to disclose known security vulnerabilities in their public filings.
However, Judge Engelmayer dismissed significant portions of the SEC’s case last year, noting that the agency’s allegations leaned too heavily on “hindsight and speculation.”
While the details of the settlement remain under wraps, a SolarWinds spokesperson expressed cautious optimism, saying the company is “pleased with the potential resolution and happy to focus on driving our business forward without distraction.” The SEC declined to comment beyond its public filings.
The parties are expected to either submit formal settlement documentation or provide a status update to the court by September 12.
The Sunburst incident, one of the most sophisticated cyberattacks in recent U.S. history, highlighted growing regulatory scrutiny around how public companies handle and disclose cybersecurity risks. The SEC’s case against SolarWinds and its CISO was widely viewed as a test of how far federal regulators could go in holding executives personally liable for alleged disclosure failures related to cybersecurity.
If finalized, the settlement could set an important precedent for future enforcement actions under the SEC’s expanding cybersecurity mandate.