The United States’ Securities and Exchange Commission (SEC) has reached a settlement in principle with SolarWinds in an ongoing case against the organisation and its chief information security officer, Tim Brown, over failings that led to the compromise of its IT performance management platform Orion by the Russian state hacking group known as Cozy Bear.
The so-called Sunburst/Solorigate supply chain incident that came to light in December 2020 saw malicious code introduced into the SolarWinds’ platform by the Russians, which was then unknowingly pushed to downstream targets as a legitimate update.
Almost 20,000 SolarWinds customers downloaded and installed the malicious updates, among them the likely true targets of the cyber attack, American government bodies, such as the Department of Energy (DoE) and the National Nuclear Safety Administration (NNSA) that maintains the US nuclear weapons stock.
In a letter to presiding judge Paul Engelmayer of the US District Court for the Southern District of New York, SEC and SolarWinds representatives said they had reached a settlement in principle “that would completely resolve this litigation”, subject to review and approval by the SEC’s commissioners. They requested all pending dates in the case be stayed ahead of a planned filing date for the final settlement, set for 12 September.
Engelmayer congratulated both parties on a “productive development” and has subsequently stayed all deadlines in the case, as well as adjourning oral arguments set for later this month.
A SolarWinds spokesperson said: “The settlement is subject to approval by the Commission and we cannot therefore discuss the terms at this time. We are pleased with the potential resolution and happy to focus on driving our business forward without distraction.”
Charges dropped
Last year, Engelmayer tossed out most of the SEC’s claims against SolarWinds and Brown, which had alleged that they had knowingly defrauded investors in overstating the resilience of the organisation’s security practices, and understating or not disclosing known risks.
Among other things, the SEC claimed that the defendants ignored, covered up or even outright lied to customers about links between different cyber attacks on various Orion users that were taking place over the course of 2020.
Engelmayer’s initial dismissal of many of the charges, including those that stemmed from SolarWinds disclosures made after news of the incident broke, was made on the basis that they relied on hindsight and speculation.
However, he did sustain a number of charges, including parts of the SEC’s complaints that alleged public misrepresentations about the resilience of SolarWinds’ access controls.
Given the SEC’s much-publicised and well-dissected rules on security incident reporting, which came into force at the end of 2023 and put the spotlight firmly on the actions security leaders take following an incident, the reasons why it has chosen to try to reach a full settlement will likely bear some analysis.
Computer Weekly’s sister title Cybersecurity Dive suggested that the Republican majority now in control at the SEC may have had some bearing on the regulator’s willingness to compromise – the initial case was brought by the Democrat-led body under former president Joe Biden.
Lending weight to the theory that the dramatic change in the US political landscape is behind the SolarWinds settlement, the SEC has also recently dropped a number of enforcement cases involving cryptocurrency firms including the likes of Binance, Coinbase and Crypto.com. This came following a 23 January Executive Order (EO) from president Trump’s White House, designed to support the crypto sector.
