US stock market regulator drops lawsuit against SolarWinds after big cyberattack

After two years, the US stock market regulator has dropped its lawsuit against the US software provider Solarwinds and its Chief Information Security Officer (CISO), which concerned a far-reaching cyberattack. This is reported by the news agency Reuters, citing the Securities and Exchange Commission (SEC). This marks the end of a closely watched proceeding concerning the far-reaching allegation that SolarWinds knowingly had deficient IT before the attack with potent malware. The company hopes that this decision will help allay the concerns of other security chiefs, Reuters quotes the company. The action had a deterrent effect.

Relief at Solarwinds

In the lawsuit, the SEC accused Solarwinds and CISO Timothy G. Brown personally of “defrauding investors.” Solarwinds' public statements about its cybersecurity practices and risks were contrary to internal assessments, and the fraud had lasted for two years. Brown was aware of SolarWinds' cybersecurity risks and vulnerabilities but failed to address the problems or even partially address them internally. The company has vehemently rejected this, stating that the action would endanger the national security of the USA. The lawsuit was intended to alert companies and cybersecurity experts, Solarwinds warned at the time.

In 2019, numerous government agencies and corporations were affected by the cyberattack on Solarwinds' software for IT and network management. Cybercriminals had stealthily injected malicious code into their systems. The attackers did not need to steal code-signing certificates or keys, as they inserted malicious code during the build process that the company signed itself at the end of development. The impact of the attack was severe; Microsoft President Brad Smith, for example, called it “the most sophisticated and widespread attack the world has ever seen.”

Read also

Solarwinds downplayed: penalties for Check Point, Unisys, Avaya, Mimecast

(mho)