A U.S. District Court judge dismissed most of the charges Thursday in a civil fraud case filed against SolarWinds by the Securities and Exchange Commission.
The SEC filed suit in October alleging SolarWinds misled investors about the company’s cybersecurity practices leading up to the Sunburst supply chain hack, which was disclosed in December 2020. The attack that targeted SolarWinds Orion platform impacted thousands of customers, including major U.S. companies and government agencies that used the platform.
Judge Paul Engelmayer of the U.S. District Court Southern District of New York sustained the SEC’s claims of securities fraud based on SolarWinds' security statement. However, the court dismissed other claims, including all claims involving post-Sunburst disclosures.
The court also dismissed claims related to the company’s internal accounting and disclosure controls and procedures, as ill-pled.
Allegations related to a 2017 statement made about the company’s security capabilities on the “trust center” page of its website will continue to be litigated.
According to court filings, SolarWinds had more than 300,000 customers between October 2018 and January 2021, which covers the period related to the alleged activity.
The Orion platform was considered the “crown jewel” of the company’s product platform, accounting for about 45% of revenue during the first nine months of 2020, according to court filings.
The security statement was originally posted in late 2017, and court filings allege Tim Brown, who was hired as VP of security at the company and later became CISO, was primarily responsible for creating and approving that statement. SolarWinds later went public in October 2018.
An SEC spokesperson was not immediately aware of the decision and had no immediate comment.
SolarWinds said it is working on a response to the ruling, but was not immediately prepared to comment.