A New York federal district judge handed down a significant decision dismissing much of the SEC’s securities fraud enforcement action against SolarWinds arising from its claims relating to SolarWinds’ cybersecurity policies, and disclosure of a significant cyberattack against the SolarWinds’ network.

In an unprecedented case, the SEC alleged that SolarWinds, which went public in 2018, mislead the public as to the effectiveness of its cybersecurity practices and products, including its flagship “Orion” software platform.  In a “Security Statement” on its website, and in a variety of other public statements, including securities filings, the SEC argued that SolarWinds filings were misleading because SolarWinds failed to disclose that its products and practices were defective in protecting against cyberattacks.  The SEC contended that the company’s hype misled the investing public to believe that SolarWinds’ central software product had minimal vulnerability to cyberattacks.

Also, the SEC alleged that SolarWinds misled the investing public about a series of cyberattacks, which culminated in the revelation, in December 2020, that the company and its customers had been victims of a large-scale cyberattack, known as Sunburst, conducted by Russian hackers. The SEC claimed that, in the aftermath of the Sunburst’s immediate aftermath, SolarWinds minimized the scope and severity of the attack, including by omitting that customers had previously reported similarly malicious activity involving the Orion product.