SolarWinds breach and the 2023 SEC lawsuit

SolarWinds breach and the 2023 SEC lawsuit

By John Bandler

This page has resources relating to this case, which I discuss in my book on Cyberlaw.

Looking to navigate to another place?

• Cyberlaw Book Resources (main resources page)
  • Cyberlaw Book Resources: Chapter 31
• Cyberlaw main book page
• Udemy course on cyberlaw

SolarWinds breach and the 2023 SEC lawsuit

This webpage is a way to make certain case documents and citations easily available for students, those reading my book, and anyone else researching this. This gets you started, now you can go further in your learning and research.

The Solar Winds case is a civil case (not a criminal case), brought by the U.S. Securities and Exchange Commission (SEC) in federal court.

My book discusses this case in Chapter 31 (Cybersecurity and data protection).

"In the Solar Winds case, the SEC took the position that false public statements about cybersecurity violated ... investor protection [laws and] regulations, and they brought a civil lawsuit against the company and their chief information security officer (CISO)." Cyberlaw: Law for Digital Spaces and Information Systems, (2025) p. 353 (Ch 31).

Major chronological steps and court document

• 2019-9 (estimated), cyber attackers (attributed by many to the Russian Foreign Intelligence Service) gain unauthorized access to SolarWinds network, and thus to SolarWinds client networks.
• 2020-12, FireEye discloses that they were a victim of the attack. Thousands of SolarWinds customers affected, including U.S. government (Department of Homeland Security, Department of State, Department of Commerce, Department of Treasury, etc.), all via SolarWinds platform.
• Side note: 2022-10-28, SolarWinds agrees to settle a shareholder class-action lawsuit for $26 million (final hearing and judgement issued on July 28, 2023)
  • Shareholders can sue the company they own stock in by alleging the corporation's management (directors, officers, etc.) breach their duties to serve and make decisions in the best interests of the company and owners. These suits can be a direct suit against the individuals or a derivative suit on behalf of the company. See Cornell LII link below.
  • A separate shareholder’s derivative lawsuit was dismissed on jurisdictional grounds, and that dismissal was upheld on appeal.
• 2022-10-28, Wells notice (intent to file an enforcement action) sent to SolarWinds by the SEC
• 2023-06-23, Wells notice sent to SolarWinds’ CEO and CISO by the SEC
• 2023-10-30, Civil complaint: SEC v. SolarWinds and CISO, 2023-10-30 SEC vs SolarWinds Complaint (hosted here) (the SEC's civil complaint against SolarWinds Corp and their CISO Timothy Brown alleging violations of civil laws that SEC enforces/regulates)
  • Find online: SEC Complaint, https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf
• 2024-02-16, Amended complaint filed, SEC v. SolarWinds, 2024-02-16 SEC vs SolarWinds Amended Complaint (hosted here)
• 2024-03-22, SolarWinds and CISO make motion to dismiss, 2024-03-22 SolarWinds Motion-to-Dismiss
• 2024-07-18, Court decision, 2024-07-18 SEC vs SolarWinds Opinion Order (hosted here) (trial court decision by federal Judge Paul Engelmayer of the Southern District of New York which dismissed much of the SEC's case, but not all of it. It remains to be seen how this litigation will resolve)
  • Find online and cite as:  SEC v. SolarWinds Corp., 2024 WL 3461952 (SDNY, Jul 18, 2024) , https://www.nysd.uscourts.gov/sites/default/files/2024-07/SolarWinds%20Opinion%20%28Dkt.%20125%29.pdf
• 2025-2, Agreement for SolarWinds acquisition by Turn/River Capital
• Subsequent actions?
  • With a new administration, certain SEC regulatory actions will be affected.

Primary statutes

• Securities Act of 1933, Codified at 15 U.S. Code Chapter 2A, Securities and Trust Indentures, https://www.law.cornell.edu/uscode/text/15/chapter-2A, 15 U.S. Code § 77a et seq (and what follows), starting at https://www.law.cornell.edu/uscode/text/15/77a
  • Read the whole Securities Act of 1933 at https://www.govinfo.gov/content/pkg/COMPS-1884/pdf/COMPS-1884.pdf
• Exchange Act of 1934 (Securities Exchange Act of 1934), codified at 15 U.S. Code Chapter 2B, Securities Exchanges, https://www.law.cornell.edu/uscode/text/15/chapter-2B, 15 U.S. Code § 78a et seq (and what follows), https://www.law.cornell.edu/uscode/text/15/78a
  • Read the whole Exchange Act of 1934 at https://www.govinfo.gov/content/pkg/COMPS-1885/pdf/COMPS-1885.pdf

SEC information

The SEC is a regulator for public companies with an important goal of protecting investors and healthy markets. One aspect of investor protection is trying to ensure they have accurate information.

The SEC says, “We make markets work better. Founded to help our country respond to the Great Depression, we’re the agency that protects investors from misconduct, promotes fairness & efficiency in the securities markets, and facilitates capital formation for those looking to hire, innovate, and grow.”  See SEC homepage, https://www.sec.gov/

• Securities and Exchange Commission (SEC), https://www.sec.gov/
• SEC, Statutes and Regulations,  https://www.sec.gov/rules-regulations/statutes-regulations
  • Special attention for the SolarWinds case to the
    • Securities Act of 1933 ("Securities Act")
    • Securities Exchange Act of 1934 ("Exchange Act")
• SEC Press Release 10/30/2023 regarding SolarWinds complaint, https://www.sec.gov/news/press-release/2023-227
• SEC, Litigation Release, 10/31/2023, SolarWinds Corporation and Timothy G. Brown, https://www.sec.gov/enforcement-litigation/litigation-releases/lr-25887

SolarWinds and the breach

"SolarWinds Corporation offers a network monitoring software called Orion which was used by tens of thousands of companies to manage their own networks. SolarWinds was breached as early as January 2019 and then the cyber attackers compromised the Orion software around December 2020. This infected software was downloaded and used by SolarWinds customers giving attackers free roam of customer networks, a compromise not detected for many months." Bandler, SolarWinds and the SEC lawsuit, Reuters Legal News, 11/21/2023.

• SolarWinds, https://www.solarwinds.com/
• SolarWinds statement of 10/30/2023, https://orangematter.solarwinds.com/2023/10/30/transparency-information-sharing-and-collaboration/

Articles

• My Reuters Article, SolarWinds and the SEC lawsuit, clean PDF no ads hosted here at https://johnbandler.com/solarwinds-sec-lawsuit/Bandler ReutersLN SolarWinds SEC 2023-11-21
  • Or find it direct on Reuters at https://www.reuters.com/legal/legalindustry/solarwinds-sec-lawsuit-2023-11-21/
• Reuters news article of 10/30/2023, https://www.reuters.com/legal/us-sues-solarwinds-court-records-2023-10-30/
• Privacy + Security Academy, https://www.privacysecurityacademy.com/sec-v-solarwinds-corp-and-timothy-g-brown-implications-for-cybersecurity-professionals-companies-and-national-security/ (I found the amended complaint here and defendant's motion to dismiss here, thank you)

Other

• SolarWinds Securities Litigation, https://www.solarwindssecuritieslitigation.com/ (regarding a separate lawsuit by shareholders of SolarWinds, which settled for $26 million)
• I am speaking about the SolarWinds case at RSAC 2025, titled "The SolarWinds CISO Litigation and What It Means for Your InfoSec Program - [LAW-T02]", https://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1727552046840001CrGG

The claims (causes of action, claims for relief) in the SEC civil complaints

Both the original complaint (10/30/2023) and the amended complaint (2/16/2024) from the SEC have ten claims (causes of action) which are are the same in both the original complaint and the amended complaint.

Some claims are against both SolarWinds and Brown, some are against just one of them.

• First Claim for Relief (SolarWinds and Brown), violation of Securities Act Section 17(a),  15 U.S.C. §77(q)(a), alleging untrue statements of a material fact, or omitting material facts necessary... and transactions, practices, course of business which would be a fraud or deceit on purchasers of the stock.
• Second Claim for Relief (Brown), , violation of Securities Act Section 17(a),  15 U.S.C. §77(q)(a),
• Third Claim for Relief (SolarWinds and Brown), violation of Exchange Act Section 10(b), 15.U.S.C. §78(j-2),  untrue statements of a material fact or omitted to state one or more material facts necessary
• Fourth Claim for Relief (Brown) violation of Exchange Act Section 10(b), 15.U.S.C. §78(j)(2)
• Fifth Claim for Relief (SolarWinds), violation of Exchange Act Section 13(a), 15 U.S.C. §78(m-1)
• Sixth Claim for Relief (Brown), violation of Exchange Act Section 13(a), 15 U.S.C. §78(m-1)
• Seventh Claim for Relief (SolarWinds), violation of Exchange Act Section 13(b)(2)(B), 15 U.S.C. § 78m(b)(2)(B).
• Eighth Claim for Relief (Brown), violation of Exchange Act Section 13(b)(2)(B), 15 U.S.C. § 78m(b)(2)(B).
• Ninth Claim for Relief (SolarWinds), violation of Exchange Act Rule 13a-15(a), 17 C.F.R. § 240.13a-15(a)
• Tenth Claim for Relief (Brown), violation of Exchange Act Rule 13a-15(a), 17 C.F.R. § 240.13a-15(a)

Links to the statutes and regulations cited above

Someday I might link to each individual statute, but they are not pleasant reads. You are better off just reading the complaint which cites and quotes them.

Or find them online starting here:

• Securities Act of 1933, Codified at 15 U.S. Code Chapter 2A, Securities and Trust Indentures, https://www.law.cornell.edu/uscode/text/15/chapter-2A, 15 U.S. Code § 77a et seq (and what follows), starting at https://www.law.cornell.edu/uscode/text/15/77a
• Exchange Act of 1934 (Securities Exchange Act of 1934), codified at 15 U.S. Code Chapter 2B, Securities Exchanges, https://www.law.cornell.edu/uscode/text/15/chapter-2B, 15 U.S. Code § 78a et seq (and what follows), https://www.law.cornell.edu/uscode/text/15/78a
• U.S. Code of Federal Regulations (CFR)
  • 17 CFR § 240.13a-15, Controls and procedures, https://www.law.cornell.edu/cfr/text/17/240.13a-15

SEC Jurisdiction and venue authority

• 28 U.S.C. § 1331 (federal question jurisdiction), https://www.law.cornell.edu/uscode/text/28/1331
• Securities Act, 15 U.S. Code Chapter 2A, Securities and Trust Indentures, https://www.law.cornell.edu/uscode/text/15/chapter-2A
  • 15 U.S. Code § 77t, Injunctions and prosecution of offenses, https://www.law.cornell.edu/uscode/text/15/77t
  • 15 U.S. Code § 77v, Jurisdiction of offenses and suits, https://www.law.cornell.edu/uscode/text/15/77v
• Exchange Act, 15 U.S. Code Chapter 2B, Securities Exchanges, https://www.law.cornell.edu/uscode/text/15/chapter-2B
  • 15 U.S. Code § 78u, Investigations and actions, https://www.law.cornell.edu/uscode/text/15/78u
  • 15 U.S. Code § 78aa, Jurisdiction of offenses and suits, https://www.law.cornell.edu/uscode/text/15/78aa

Other links

• Cornell LII, Shareholder derivative suit, https://www.law.cornell.edu/wex/shareholder_derivative_suit

Cyberlaw book links and information

• The book: Cyberlaw: Law for Digital Spaces and Information Systems, by John Bandler
• Cyberlaw Book Resources (main resources page)
• Cyberlaw book FAQ
• Cyberlaw main book page
• Amazon - John's Author page
• Udemy online course on cyberlaw (other online courses too)
• Services
  • Cybersecurity Services

This page is hosted at https://johnbandler.com/solarwinds-breach-and-2023-sec-lawsuit, copyright John Bandler, all rights reserved. No claim to the public legal documents filed.